Secure Fix Validation
When to use
Use this skill after implementing a security fix, or when reviewing a PR.
Inputs to collect (if available)
- Vulnerability description and expected secure behavior
- Repro steps (request, payload, or test)
- Affected components and entry points
- Deployment/rollout constraints (feature flags, backwards compatibility)
Step-by-step process
- Reproduce the issue pre-fix
- Minimal failing test or request example
- Verify the fix
- Confirm the repro now fails safely
- Regression coverage
- Add unit/integration tests for:
- expected valid inputs
- malicious/edge inputs
- authorization bypass attempts (if relevant)
- Add unit/integration tests for:
- Non-functional checks
- Error handling (no stack traces/secret leakage)
- Logging redaction (no PII/secrets)
- Performance impact in hot paths
- Rollout safety
- Feature flags where appropriate
- Backwards compatibility notes
- Monitoring/alerts to detect new failure modes
Output
- Commands run
- Tests added/updated
- Verification evidence (logs/screenshots/snippets)
- Rollout notes
Output format
- Repro (pre-fix): how it failed
- Verification (post-fix): what now happens
- Tests: added/updated + what they cover
- Evidence: logs/screenshots/snippets (redacted)
- Rollout notes: monitoring, flags, compatibility
Examples
- “Fix: block IDOR on /users/:id” → add negative test for cross-user access; verify 403 and tenant scoping on DB query.