security-differential-review
Security Differential Review
When to Use
- Reviewing pull requests or commits for security implications
- Assessing whether a code change introduces new vulnerabilities
- Comparing before/after states of security-sensitive code
- Evaluating dependency updates for security impact
- Reviewing infrastructure-as-code changes for security regressions
When NOT to Use
- Full codebase security audits (use audit-context-building first)
- Reviewing code without access to the diff
- Performance or feature reviews without security focus
Review Methodology
1. Understand the Change Context
```bash
# View the full diff
git diff main..feature-branch
# See changed files
git diff --name-only main..feature-branch
# Check commit messages for security context
git log --oneline main..feature-branch
```
2. Categorize Changed Files by Risk
| Category | Examples | Review Priority |
|---|---|---|
| Auth/authz | Login, middleware, RBAC | Critical |
| Input handling | Parsers, validators, API handlers | High |
| Crypto/secrets | Key management, encryption, hashing | Critical |
| Data access | Database queries, ORM models | High |
| Configuration | Env config, security headers, CORS | High |
| Dependencies | package.json, go.mod, requirements.txt | Medium |
| Tests | Test files, fixtures | Low (but check for removed security tests) |
| UI/frontend | Templates, React components | Medium (XSS risk) |
3. Security-Focused Diff Analysis
Look for:
- Removed security checks (auth, validation, sanitization)
- New input handling without validation
- Changed trust boundaries
- Weakened cryptographic operations
- New dependencies with known vulnerabilities
- Hardcoded secrets or credentials
- Disabled security features (CSRF, CSP, rate limiting)
- Error handling changes that leak information
4. Dependency Change Review
```bash
# Compare dependency changes
diff <(git show main:package.json | jq '.dependencies') <(jq '.dependencies' package.json)
# Check new dependencies for vulnerabilities
npm audit
```
Red Flags in Diffs
| Pattern | Risk |
|---|---|
| `-if (user.isAdmin())` | Removed authorization check |
| `+// TODO: add auth later` | Security debt introduced |
| `-sanitize(input)` | Removed input sanitization |
| `+eval(userInput)` | Code injection |
| `-helmet()` | Removed security headers middleware |
| `+CORS: { origin: '*' }` | Overly permissive CORS |
| Deleted test files | Removed security regression tests |
Output Format
For each finding:
- File and line — exact location in the diff
- Issue — what the security concern is
- Severity — Critical / High / Medium / Low
- Recommendation — specific fix or mitigation
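The red-flag table and the output format above, combined in an added example (not part of the original skill): a Python function that walks unified diff text, tracks old and new line numbers per hunk, and reports each match with its file, line, issue, and severity. The regexes, the severity ratings, and the sample diff are assumptions constructed for this example.

```python
import re
# (diff sign, regex, issue, severity): patterns and issues follow the red-flag
# table; the regexes and severity ratings are assumptions of this example.
RED_FLAGS = [
    ("-", r"\bisAdmin\s*\(", "Removed authorization check", "Critical"),
    ("-", r"\bsanitize\s*\(", "Removed input sanitization", "High"),
    ("-", r"\bhelmet\s*\(", "Removed security headers middleware", "High"),
    ("+", r"\beval\s*\(", "Code injection", "Critical"),
    ("+", r"TODO:.*\bauth", "Security debt introduced", "Medium"),
    ("+", r"origin:\s*['\"]\*['\"]", "Overly permissive CORS", "High"),
]
HUNK = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")

def scan_diff(diff_text):
    """Scan unified diff text; return findings with file, line, issue, severity."""
    findings, path = [], None
    old_no = new_no = old_left = new_left = 0
    for raw in diff_text.splitlines():
        if raw.startswith("\\"):  # "\ No newline at end of file" marker
            continue
        if old_left <= 0 and new_left <= 0:  # between hunks: only headers matter
            m = HUNK.match(raw)
            if m:  # line counts tell us where this hunk's body ends
                old_no, new_no = int(m.group(1)), int(m.group(3))
                old_left, new_left = int(m.group(2) or 1), int(m.group(4) or 1)
            elif raw.startswith(("--- ", "+++ ")) and raw[4:] != "/dev/null":
                path = re.sub(r"^[ab]/", "", raw[4:])  # drop git's a/ b/ prefix
            continue
        sign, text = raw[:1], raw[1:]
        line = old_no if sign == "-" else new_no  # '-' lines use old numbering
        for flag_sign, pattern, issue, sev in RED_FLAGS:
            if sign == flag_sign and re.search(pattern, text):
                findings.append({"file": path, "line": line, "issue": issue, "severity": sev})
        if sign != "+":  # removed and context lines advance the old file
            old_no, old_left = old_no + 1, old_left - 1
        if sign != "-":  # added and context lines advance the new file
            new_no, new_left = new_no + 1, new_left - 1
    return findings

# Constructed sample diff, for illustration only.
SAMPLE_DIFF = """\
--- a/src/admin.js
+++ b/src/admin.js
@@ -10,3 +10,3 @@
 function deleteUser(req, res) {
-  if (!req.user.isAdmin()) return res.sendStatus(403);
+  // TODO: add auth later
   db.remove(req.params.id);
"""
print(*scan_diff(SAMPLE_DIFF), sep="\n")
```

Each hit is a lead for manual review, not a verdict: a check that was moved or rewritten elsewhere in the change also shows up as a removed line.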