security-check
Security Check
Red-team style security review for code changes. Think like an attacker.
Modes
1. Pending Changes (default)
Review uncommitted changes in the current working directory:
git diff HEAD
git diff --cached # staged changes
2. Branch vs Main
Review all commits on a branch against main:
git log main..<branch> --oneline # list commits
git diff main...<branch> # three dots = merge-base diff
3. Specific Commit Range
git diff <commit1>..<commit2>
Review Checklist
Input Validation
- User input sanitized before use?
- SQL injection vectors?
- Command injection (shell escapes)?
- Path traversal (../ in file paths)?
- XSS in HTML/JS output?
- Prototype pollution (JS objects)?
Authentication & Authorization
- Auth checks on all sensitive endpoints?
- Permission escalation paths?
- Session handling flaws?
- Token exposure in logs/URLs?
- Missing rate limiting?
Secrets & Configuration
- Hardcoded credentials/API keys?
- Secrets in logs or error messages?
- Insecure defaults?
- Debug mode left enabled?
- .env files committed?
Data Exposure
- Sensitive data in responses?
- PII leaked in logs?
- Stack traces exposed to users?
- Internal paths/IPs revealed?
Cryptography
- Weak algorithms (MD5, SHA1 for security)?
- Hardcoded IVs/salts?
- Predictable random values?
- Missing HTTPS enforcement?
Dependencies
- Known vulnerable packages?
- Unpinned versions?
- Typosquatting risk?
File Operations
- Arbitrary file read/write?
- Unsafe deserialization?
- Temp file races?
- Symlink attacks?
Process & Network
- SSRF vectors?
- Open redirects?
- Unsafe subprocess calls?
- Missing timeouts?
Output Format
For each finding:
🔴 [CRITICAL|HIGH|MEDIUM|LOW] <Title>
📍 Location: <file:line>
💀 Attack Vector:
<How an attacker would exploit this>
📝 Code:
<relevant snippet>
✅ Fix:
<suggested remediation>
Workflow
- Identify scope — Ask which mode (pending/branch/commit range)
- Get the diff — Run appropriate git commands
- Analyze systematically — Go through checklist
- Prioritize findings — CRITICAL > HIGH > MEDIUM > LOW
- Suggest fixes — Concrete code changes, not vague advice
- Summary — Executive summary with risk assessment
Quick Commands
# Pending changes
git diff HEAD
# Branch review
git diff main...feature-branch
# Check for secrets (basic)
git diff HEAD | grep -iE "(password|secret|api.?key|token|credential)"
# Check for dangerous functions
git diff HEAD | grep -iE "(eval|exec|system|shell_exec|passthru|popen)"
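The two greps above match removed and unchanged context lines as well as added ones, and they give no file:line for the Location field of a finding. The following added example (not part of the original skill) applies the same two patterns only to lines a change introduces and tracks new-side line numbers from the hunk headers; the function name, the kind labels and the sample diff are assumptions constructed for illustration.

```python
import re

# Patterns copied from this page's Quick Commands greps.
PATTERNS = {
    "secret": re.compile(r"(password|secret|api.?key|token|credential)", re.I),
    "dangerous-call": re.compile(r"(eval|exec|system|shell_exec|passthru|popen)", re.I),
}
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

def scan_added_lines(diff_text):
    """Return (path, new_line_no, kind, text) for each matching added line."""
    findings, path, line_no, in_hunk = [], None, 0, False
    for raw in diff_text.splitlines():
        hunk = HUNK.match(raw)
        if raw.startswith("diff --git "):
            in_hunk = False                    # next file: header lines follow
        elif hunk:
            line_no, in_hunk = int(hunk.group(1)), True
        elif not in_hunk:
            if raw.startswith("+++ "):         # new-side file name
                path = raw[6:] if raw.startswith("+++ b/") else raw[4:]
        elif raw.startswith("+"):              # line introduced by the change
            for kind, rx in PATTERNS.items():
                if rx.search(raw[1:]):
                    findings.append((path, line_no, kind, raw[1:].strip()))
            line_no += 1
        elif not raw.startswith(("-", "\\")):  # context line advances new side
            line_no += 1
    return findings

# Constructed sample diff (not from a real repository).
SAMPLE_DIFF = """\
diff --git a/app/config.py b/app/config.py
--- a/app/config.py
+++ b/app/config.py
@@ -1,3 +1,4 @@
 import os
-API_KEY = os.environ["API_KEY"]
+API_KEY = "constructed-example-value"
+DEBUG = True
 TIMEOUT = 30
diff --git a/app/run.py b/app/run.py
--- a/app/run.py
+++ b/app/run.py
@@ -10,2 +10,3 @@ def run(cmd):
     log(cmd)
-    os.system(cmd)
+    subprocess.run(cmd, check=True, timeout=10)
+    return eval(cmd)
"""

if __name__ == "__main__":
    for path, line_no, kind, text in scan_added_lines(SAMPLE_DIFF):
        print(f"Location: {path}:{line_no}  [{kind}]  {text}")
```

Feed it real input with `git diff HEAD` or `git diff main...<branch>` piped to a small wrapper that reads stdin; matches are leads for manual review, not findings with a severity.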
Risk Levels
- CRITICAL: Exploitable now, high impact (RCE, auth bypass, data breach)
- HIGH: Likely exploitable, significant impact
- MEDIUM: Exploitable under specific conditions
- LOW: Defense-in-depth issues, minor exposure