Security Review

Use this skill when a code change touches security-sensitive areas.

When to Trigger

• Authentication or authorization logic is added or modified.
• Cryptographic operations are introduced or changed.
• Secrets, tokens, or credentials are handled.
• External APIs or network boundaries are affected.
• User input handling or validation is changed.
• Dependencies are added or updated.

Checklist

Cryptography & Compliance

• Only FIPS-validated algorithms used (AES, SHA-256/384/512, TLS 1.2+)
• No non-compliant primitives (MD5, RC4, non-FIPS RNGs)
• Encryption at rest and in transit for sensitive data

Authentication & Authorization

• Zero-trust applied: every request authenticated and authorized
• Least privilege enforced for all roles and service accounts
• No hardcoded credentials, tokens, or keys
• Secrets sourced from secret manager or environment injection

Input & Interface

• All external inputs validated and sanitized
• OWASP Top 10 considered for web-facing changes
• API surface deliberately designed (Hyrum's Law)

Dependencies

• New dependencies justified (not available in stdlib?)
• Versions pinned, checksums verified
• Transitive dependencies audited
• License compatibility confirmed

Observability

• Security-relevant events logged (auth failures, access denials, config changes)
• No secrets or PII in logs
• Audit trail traceable

Output

Document which items were reviewed and their status. If any items are not applicable, note why.