review-security

📁 ssiumha/dots 📅 5 days ago

总安装量

周安装量

#72455

全站排名

安装命令

npx skills add https://github.com/ssiumha/dots --skill review-security

Agent 安装分布

opencode 2

claude-code 2

github-copilot 2

codex 2

kimi-cli 2

gemini-cli 2

Skill 文档

Security Review

Instructions

ë¦¬ë·° ë²ì ê²°ì

ì¬ì©ì ìì²ì ë°ë¼ ìí¬íë¡ì° ì í:

ë³ê²½ë íì¼ë§ ë¦¬ë·° (ê¸°ë³¸) – Git diff ê¸°ë°
í¹ì íì¼/ëë í ë¦¬ ë¦¬ë·° – ì¬ì©ì ì§ì ê²½ë¡
ì ì²´ íë¡ì í¸ ì¤ìº – ì´ê¸° ì¤ì , ì ê¸° ê°ì¬

Workflow 1: ë³ê²½ë íì¼ ë³´ì ë¦¬ë·° (ê¸°ë³¸)

git diff --name-only HEADë¡ ë³ê²½ íì¼ íì¸
ì½ë íì¼ íí°ë§ (.js, .ts, .py, .go ë±)
ê° íì¼ Read â ë³´ì ì²´í¬ë¦¬ì¤í¸ ì ì©
ì¬ê°ëë³ ë¦¬í¬í¸ ìì±

Workflow 2: í¹ì íì¼/ëë í ë¦¬ ë¦¬ë·°

Globì¼ë¡ ëì íì¼ íì¸
ê° íì¼ Read â ë³´ì ì²´í¬ë¦¬ì¤í¸ ì ì©
ë¦¬í¬í¸ ìì±

Workflow 3: ì ì²´ íë¡ì í¸ ì¤ìº

ì°ì ìì ëë í ë¦¬ ê²°ì : auth/, api/, config/
ìì°¨ ë¦¬ë·°, ì¬ê°í ì´ì ì¦ì ë³´ê³
ì¢í© ë¦¬í¬í¸

ë³´ì ì²´í¬ë¦¬ì¤í¸

ìì¸ í¨í´ì resources/ ì°¸ì¡°:

ì¬ê°ë	íëª©	ì°¸ì¡°
Critical	Hardcoded Credentials, SQL Injection, XSS, SSRF, Command Injection, Path Traversal	`01-critical-patterns.md`
High	CSRF, File Upload, Deserialization, Weak Crypto, JWT, Mass Assignment, Open Redirect	`02-high-patterns.md`
Medium	HTTPS, Error Exposure, Rate Limiting, Cookie Settings, Input Validation, XXE	`03-medium-low-patterns.md`
Low	CORS, Security Headers, Server Banner, Dependencies	`03-medium-low-patterns.md`

Secret íì§

ìë¹ì¤ë³ API í¤ í¨í´: 04-secret-patterns.md

ìë¹ì¤	í¨í´ ìì
AWS	`AKIA[0-9A-Z]{16}`
GitHub	`ghp_[A-Za-z0-9]{36}`
OpenAI	`sk-[A-Za-z0-9]{48}`, `sk-proj-[A-Za-z0-9-_]{48,}`
Anthropic	`sk-ant-[A-Za-z0-9-_]{95}`
Stripe	`sk_live_[0-9a-zA-Z]{24,}`

AI ìì± ì½ë ì£¼ìì

05-ai-code-security.md ì°¸ì¡°:

ë¹ catch ë¸ë¡
ìë ¥ ê²ì¦ ëë½
íëì½ë©ë ì¤ì ê°
ì¤ëë API ì¬ì©

ì¸ë¶ ëêµ¬ ì°ë

06-tool-integration.md ì°¸ì¡°:

# Semgrep (ê¶ì¥)
semgrep --config=p/owasp-top-ten .

# Secret scanning
gitleaks detect --source .

# Dependency check
npm audit  # Node.js
pip-audit  # Python

ì¸ì´ë³ í¹í í¨í´

07-language-specific.md ì°¸ì¡°:

ì¸ì´	ì£¼ì ìí
Python	pickle, eval, shell=True
JavaScript	XSS, prototype pollution
Go	text/template, SQL concat
Rust	unsafe blocks, unwrap
Java	deserialization, XXE

ë¦¬í¬í¸ íì

# Security Review Report

**Date:** YYYY-MM-DD
**Files:** N files
**Issues:** X Critical, Y High, Z Medium, W Low

---

## Critical Issues

### 1. [Issue Title]
**File:** `path/file.ts:42`
**Description:** ...
**Code:** `...`
**Fix:** ...
**Reference:** [OWASP Link]

---

## Summary
- Good practices: [list]
- Areas needing attention: [list]

ì¤ì ìì¹

False Positive ìµìí: íì¤í ì´ìë§ ë³´ê³
Context ê³ ë ¤: íì¤í¸ ì½ëë ìíë ê¸°ì¤
êµ¬ì²´ì ì ì: “ì´ë»ê² ê³ ì¹ëì§” ì ì
OWASP ì°¸ì¡°: ê³µì ë¬¸ì ë§í¬ ì ê³µ
ê¸ì ì í¼ëë°±: ìí ë¶ë¶ë ì¸ê¸

OWASP Top 10 (2021)

Broken Access Control
Cryptographic Failures
Injection
Insecure Design
Security Misconfiguration
Vulnerable Components
Authentication Failures
Data Integrity Failures
Logging Failures
Server-Side Request Forgery (SSRF)

GitHub 仓库 ↗ ← 返回陌讯 Skills 聚合平台

review-security

Agent 安装分布

Skill 文档

Security Review

Instructions

ë¦¬ë·° ë²ì ê²°ì 

Workflow 1: ë³ê²½ë íì¼ ë³´ì ë¦¬ë·° (ê¸°ë³¸)

Workflow 2: í¹ì  íì¼/ëë í ë¦¬ ë¦¬ë·°

Workflow 3: ì ì²´ íë¡ì í¸ ì¤ìº

ë³´ì ì²´í¬ë¦¬ì¤í¸

Secret íì§

AI ìì± ì½ë ì£¼ìì 

ì¸ë¶ ëêµ¬ ì°ë

ì¸ì´ë³ í¹í í¨í´

ë¦¬í¬í¸ íì

ì¤ì ìì¹