Security Review
Use this skill when a code change touches security-sensitive areas.
When to Trigger
- Authentication or authorization logic is added or modified.
- Cryptographic operations are introduced or changed.
- Secrets, tokens, or credentials are handled.
- External APIs or network boundaries are affected.
- User input handling or validation is changed.
- Dependencies are added or updated.
Checklist
Cryptography & Compliance
- Only FIPS-validated algorithms used (AES, SHA-256/384/512, TLS 1.2+)
- No non-compliant primitives (MD5, RC4, non-FIPS RNGs)
- Encryption at rest and in transit for sensitive data
Authentication & Authorization
- Zero-trust applied: every request authenticated and authorized
- Least privilege enforced for all roles and service accounts
- No hardcoded credentials, tokens, or keys
- Secrets sourced from secret manager or environment injection
Input & Interface
- All external inputs validated and sanitized
- OWASP Top 10 considered for web-facing changes
- API surface deliberately designed (Hyrum's Law)
Dependencies
- New dependencies justified (not available in stdlib?)
- Versions pinned, checksums verified
- Transitive dependencies audited
- License compatibility confirmed
Observability
- Security-relevant events logged (auth failures, access denials, config changes)
- No secrets or PII in logs
- Audit trail traceable
Output
Document which items were reviewed and their status. If any items are not applicable, note why.