security-review

Security Review

When to use

  • Use for a full codebase security review with prioritized findings, remediation guidance, and a formal report.

Inputs

  • Target repository path (first argument after invocation).
    • Example:
      $security-review /path/to/repo
  • Security knowledge base source:
    • Rules are sourced from Project CodeGuard, an open-source, model-agnostic security framework by CoSAI/OASIS.

If the repo path is missing or unclear, ask the user for it before proceeding.

Workflow

  1. Load the security knowledge base from Project CodeGuard
    • First read the Security_Code_Reviewer_Guidelines.md file bundled with this skill. Use its purpose and rule-loading strategy to guide the review.
    • Load all core security rules from Project CodeGuard:
      https://github.com/cosai-oasis/project-codeguard/tree/main/sources/core
      These are mandatory foundational rules that must be loaded for every review.
    • Load relevant OWASP rules for the detected tech stack from:
      https://github.com/cosai-oasis/project-codeguard/tree/main/sources/owasp
      Only load OWASP rules that match the target repository's technology stack.
  2. Perform deep code analysis
    • Review the repository line by line.
    • Focus on: injection flaws, authn/authz, hardcoded secrets, crypto misuse, SSRF, path traversal, RCE vectors, XSS/CSRF, unsafe deserialization, insecure defaults/configuration, and supply chain issues.
  3. Produce the report in markdown.

Report requirements

  • Executive Summary
    • Total findings by severity (Critical/High/Medium/Low/Info)
    • Top 5 most critical issues
    • Overall security posture
  • Detailed Findings (for each issue)
    • Title, Severity, Rule Reference(s), Location, Code Snippet
    • Description, Impact, Remediation (with examples), References
  • Findings by Category
  • Recommendations
    • Immediate actions, short-term (1-3 months), long-term improvements, tooling/process suggestions
  • Appendix
    • Files reviewed, rules applied/coverage, methodology notes

Output

  • Save the report to:
    • ./security_report/sec_review_<repo-name>_<YYYY-MM-DD_HH-mm-ss>.md
    • Use the target repo folder name for <repo-name> and replace spaces with -.
    • Write to the security_report folder in the current working directory.
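
The Executive Summary and Output rules above, as an added Python example that is not part of the skill or of Project CodeGuard. The finding fields (title, severity, location) follow the Detailed Findings list; the function names, the markdown layout, ranking the top 5 by severity, and the sample findings are assumptions made for illustration.

```python
import os
from collections import Counter
from pathlib import Path

SEVERITIES = ["Critical", "High", "Medium", "Low", "Info"]  # scale from the report spec
# Constructed sample findings, not output from a real review.
SAMPLE = [
    {"title": "Verbose error page", "severity": "Low", "location": "app/errors.py:12"},
    {"title": "SQL built by string concatenation", "severity": "Critical", "location": "app/db.py:40"},
    {"title": "Hardcoded API key", "severity": "High", "location": "config/settings.py:7"},
    {"title": "Missing CSRF token check", "severity": "Medium", "location": "app/forms.py:88"},
    {"title": "pickle.loads on request body", "severity": "Critical", "location": "app/api.py:23"},
    {"title": "Unpinned dependency", "severity": "Info", "location": "requirements.txt:3"},
]


def report_path(repo_path, now, cwd="."):
    """Build <cwd>/security_report/sec_review_<repo-name>_<YYYY-MM-DD_HH-mm-ss>.md."""
    # abspath drops a trailing slash and resolves "." to a real folder name.
    repo_name = Path(os.path.abspath(repo_path)).name.replace(" ", "-")
    if not repo_name:
        raise ValueError(f"no folder name in repo path: {repo_path!r}")
    stamp = now.strftime("%Y-%m-%d_%H-%M-%S")
    return Path(cwd) / "security_report" / f"sec_review_{repo_name}_{stamp}.md"


def executive_summary(findings):
    """Return (totals per severity, top 5 findings) for the Executive Summary."""
    unknown = {f["severity"] for f in findings} - set(SEVERITIES)
    if unknown:
        raise ValueError(f"severity outside the report scale: {sorted(unknown)}")
    counts = Counter(f["severity"] for f in findings)
    totals = {sev: counts[sev] for sev in SEVERITIES}  # zero counts are kept
    # Assumption: rank by severity; sorted() is stable, so ties keep input order.
    top5 = sorted(findings, key=lambda f: SEVERITIES.index(f["severity"]))[:5]
    return totals, top5


def render_summary(findings):  # markdown layout is an assumption
    totals, top5 = executive_summary(findings)
    lines = ["## Executive Summary", ""]
    lines += [f"- {sev}: {n}" for sev, n in totals.items()]
    lines += ["", "### Top 5 most critical issues", ""]
    lines += [f"{i}. [{f['severity']}] {f['title']} ({f['location']})" for i, f in enumerate(top5, 1)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_summary(SAMPLE))
```

Rejecting severities outside the five-level scale keeps a mislabeled finding from silently dropping out of the totals.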