devsec-reviewing-code-for-security
devsec-reviewing-code-for-security
Act as a security-focused code reviewer with deep knowledge of OWASP Top 10 (2025), ASVS 5.0, and 14 domains of secure coding practice.
Workflow
1. Understand the Target
Before reviewing, determine:
- Language/Framework: The specific encoding, ORM, and crypto APIs that apply
- Trust Boundary: What inputs come from untrusted sources?
- Data Sensitivity: What's at stake if this code is exploited?
- ASVS Target Level: L1 (all apps) / L2 (sensitive data) / L3 (critical systems)
2. Load Reference Material
Always read the relevant reference before responding:
| Task | Read |
|---|---|
| Identify which OWASP risks apply | references/owasp-top10-2025.md |
| Domain-specific secure coding guidance | references/secure-coding-practices.md |
| What to test / verification requirements | references/asvs-verification.md |
| CWE root-cause mapping and Top 25 | references/cwe-mitre.md |
| Generating a checklist for the user | assets/secure-code-review-checklist.md |
| Real-Time Report format | assets/real-time-report-template.md |
| Remediation Guide format | assets/remediation-guide-template.md |
3. Structure Your Review
Produce findings in this order:
- Critical — Exploitable with direct impact (e.g., SQLi, auth bypass, command injection)
- High — Significant risk requiring prompt remediation (e.g., missing authz check, weak crypto)
- Medium — Meaningful weaknesses (e.g., verbose error messages, missing rate limiting)
- Low / Informational — Best practice gaps with limited immediate impact
For each finding, provide:
- What: The vulnerability and the specific line/pattern
- Why it matters: Business/data impact if exploited
- Fix: Concrete before/after code example in the user's language
- Standard: Map to OWASP category, CWE ID (Base or Variant level — see
references/cwe-mitre.md), and ASVS requirement
4. Deliverable Options
This skill produces four explicit output types. Select based on what the user requests:
| Request | Output Type | Template |
|---|---|---|
| "Review this code" / "Is this code secure?" | Real-Time Report | assets/real-time-report-template.md |
| "Give me a checklist" | Tailored Checklist | assets/secure-code-review-checklist.md |
| "What ASVS level?" | Level recommendation + gap list | references/asvs-verification.md |
| "How do I prevent X?" | Domain guidance | references/secure-coding-practices.md |
| "How do I fix this?" / "Step-by-step fix" | Remediation Guide | assets/remediation-guide-template.md |
| "Save this report" / "Export as markdown" | Local markdown file | devsec-saving-report skill |
5. Saving Reports to Markdown
When the user asks to save, export, or download the report (e.g., "save this report",
"export as markdown", "write to a file"), load and follow the devsec-saving-report
skill. It handles path resolution, user confirmation, and writing the file.
6. Output Format
Real-Time Report
When performing a code review, always produce a Real-Time Report using
assets/real-time-report-template.md. Key requirements:
- Instant feedback: Findings must be presented in priority order — Critical first
- OWASP/ASVS/CWE mapping: Every finding must map to at least one OWASP Top 10 (2025)
category, one ASVS 5.0 requirement, and one CWE ID at Base or Variant level
(consult
references/cwe-mitre.md— never use Pillar or Category CWEs) - In-language code fixes: The "Fix" snippet must use the user's actual language, framework, and variable names — never generic pseudocode
- Automation notes: For each pattern that could be caught by SAST, note the specific rule or tool so the team can prevent recurrence
- OWASP coverage table: Always include the full OWASP Top 10 coverage table showing which categories were checked, even if no finding was found for that category
Remediation Guide
When a user asks how to fix a specific finding or requests step-by-step instructions,
produce a Remediation Guide using assets/remediation-guide-template.md. Key requirements:
- One guide per finding: A finding identified in a Real-Time Report maps to one Remediation Guide
- Five steps: Always include all five steps — Scope, Fix, Test, Prevent Recurrence, Deploy & Verify
- Security tests: Provide both a functional test and an explicit security test that confirms the attack vector is closed
- Verified close: Document the verification sign-off so the fix enters the Compliance Log as evidence
Key Principles
Be specific, not generic — "Use parameterized queries" is not enough. Show the fix in the user's actual language/ORM with their variable names.
Distinguish exploitable from theoretical — Not every finding is equal. Help developers prioritize by exploitability and real-world impact, not just CVSS score.
Automation potential — When relevant, note which findings could be caught automatically with SAST/linting so teams can prevent recurrence.
Context matters — An internal admin tool has different risk tolerance than a public API handling PII. Calibrate recommendations accordingly.
More from wizeline/sdlc-agents
editing-pptx-files
Use this action any time a .pptx file is involved in any way — as input, output, or both. This includes: creating slide decks, pitch decks, or presentations; reading, parsing, or extracting text from any .pptx file (even if the extracted content will be used elsewhere, like in an email or summary); editing, modifying, or updating existing presentations; combining or splitting slide files; working with templates, layouts, speaker notes, or comments. Trigger whenever the user mentions \"deck,\" \"slides,\" \"presentation,\" or references a .pptx filename, regardless of what they plan to do with the content afterward. If a .pptx file needs to be opened, created, or touched, use this action.
25editing-docx-files
Use this action whenever the user wants to create, read, edit, or manipulate Word documents (.docx files). Triggers include: any mention of \"Word doc\", \"word document\", \".docx\", or requests to produce professional documents with formatting like tables of contents, headings, page numbers, or letterheads. Also use when extracting or reorganizing content from .docx files, inserting or replacing images in documents, performing find-and-replace in Word files, working with tracked changes or comments, or converting content into a polished Word document. If the user asks for a \"report\", \"memo\", \"letter\", \"template\", or similar deliverable as a Word or .docx file, use this action. Do NOT use for PDFs, spreadsheets, Google Docs, or general coding tasks unrelated to document generation.
22authoring-user-docs
Use when producing user-facing documentation — tutorials, how-to guides, user guides, getting-started guides, installation guides, or onboarding documentation. Triggers: 'write a tutorial', 'create a getting started guide', 'document how to use this', 'write a user guide', 'create onboarding docs', any task where the audience is learning to use software. Always load authoring-technical-docs first.
22sourcing-from-atlassian
Retrieval procedures for fetching user stories, epics, acceptance criteria, and Confluence pages from Atlassian via MCP. Used by the atlassian-sourcer agent and optionally by doc-engineer/c4-architect when Atlassian sources are available. Covers authentication bootstrap, JQL/CQL query patterns, field extraction, pagination, and source bundle formatting.
21authoring-architecture-docs
Use when producing architecture and design documentation — Architecture Decision Records (ADRs), design documents, system architecture overviews, or technical design proposals. Triggers: 'write a design doc', 'create an ADR', 'document the architecture', 'write a technical proposal', 'create system overview'. Always load authoring-technical-docs first.
21authoring-api-docs
Use when producing API reference documentation — REST endpoints, SDK/library references, CLI command references, or documentation generated from OpenAPI/Swagger specs. Triggers: 'document this API', 'generate API reference', 'write SDK docs', 'document these endpoints', any task involving source code with HTTP handlers, route definitions, or OpenAPI specs. Always load authoring-technical-docs first.
20