
Security-Focused Code Review Skill


On-demand skill that reviews code for OWASP Top 10, dependency vulnerabilities, and auth issues.

17 · 03/26/2026 · markdown · 1 file: SKILL.md (1.3 KB)

name: security-review
description: Review code for security vulnerabilities including OWASP Top 10, dependency issues, and authentication flaws. Use when reviewing security-sensitive code, checking PRs with auth changes, or auditing endpoints.

Security Code Review

When reviewing code for security, systematically check:

1. Injection (OWASP A03)

  • SQL injection: parameterized queries only
  • XSS: output encoding, CSP headers
  • Command injection: no shell execution with user input
  • Path traversal: validate file paths

2. Authentication & Authorization (OWASP A01, A07)

  • Auth checks on every protected endpoint
  • Session management (secure cookies, expiry)
  • Password storage (bcrypt/argon2, never plain text)
  • API key handling (never in URLs or logs)

3. Data Exposure (OWASP A02)

  • PII not logged
  • Sensitive data encrypted at rest
  • API responses don't leak internal details
  • Error messages don't expose stack traces

4. Dependencies

  • Known vulnerabilities (check npm audit / pip-audit)
  • Outdated packages with security patches
  • Supply chain risks (typosquatting, compromised packages)

5. Configuration

  • Secrets not in code or config files
  • HTTPS enforced
  • CORS properly configured
  • Rate limiting on auth endpoints

Report format: Use severity 🔴 Critical / 🟡 Warning / 🔵 Info
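As an added illustration of how the checklist and report format fit together (example code written for this page, not part of the skill itself), the block below runs a handful of narrow pattern rules over a constructed source snippet and emits findings under the 🔴 / 🟡 / 🔵 labels. The rule set, the `Finding` type and the sample code are all assumptions made here; the patterns are reviewer heuristics that point a human at a line, they do not prove a vulnerability, and a real review still reads the surrounding code.

```python
"""Constructed example: map the security-review checklist onto line-level
findings tagged with the skill's severity labels."""
import re
from dataclasses import dataclass

SEVERITY = {"critical": "🔴 Critical", "warning": "🟡 Warning", "info": "🔵 Info"}


@dataclass
class Finding:
    line: int
    severity: str   # one of the SEVERITY labels
    check: str      # checklist section the rule belongs to
    message: str


# Rule table (hypothetical): (checklist section, severity key, pattern, message).
# Deliberately narrow heuristics: they flag lines for a reviewer to inspect.
RULES = [
    ("Injection (A03)", "critical",
     re.compile(r'\.execute\(\s*(f["\']|["\'][^"\']*["\']\s*(\+|%|\.format))'),
     "SQL built by formatting/concatenation; use a parameterized query"),
    ("Injection (A03)", "critical",
     re.compile(r'subprocess\.\w+\(.*shell\s*=\s*True'),
     "shell=True with a composed command; pass an argument list instead"),
    ("Authentication (A01/A07)", "critical",
     re.compile(r'(?i)\bpassword\b["\'\]]*\s*==\s*'),
     "plain-text password comparison; verify a bcrypt/argon2 hash instead"),
    ("Configuration", "critical",
     re.compile(r'(?i)\b(password|passwd|secret|api_key|token)\b\s*=\s*["\'][^"\']{8,}["\']'),
     "secret literal in code; load it from the environment or a secret store"),
    ("Data Exposure (A02)", "warning",
     re.compile(r'(?i)\blog\w*\.(debug|info|warning|error)\(.*\b(password|ssn|token|secret)\b'),
     "sensitive value appears in a log call"),
    ("Authentication (A01/A07)", "warning",
     re.compile(r'\.set_cookie\((?!.*secure\s*=\s*True)'),
     "cookie set without secure=True (check httponly/samesite too)"),
    ("Data Exposure (A02)", "warning",
     re.compile(r'\bdebug\s*=\s*True'),
     "debug mode on; framework error pages expose stack traces"),
    ("Configuration", "info",
     re.compile(r'\bhttp://'),
     "plain http:// URL; confirm HTTPS is enforced"),
]


def review(source: str) -> list[Finding]:
    """Run every rule over every non-comment line; findings keep source order."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if line.strip().startswith("#"):   # skip comment-only lines
            continue
        for check, sev, pattern, message in RULES:
            if pattern.search(line):
                findings.append(Finding(lineno, SEVERITY[sev], check, message))
    return findings


def summary(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity label, in report order."""
    counts = {label: 0 for label in SEVERITY.values()}
    for f in findings:
        counts[f.severity] += 1
    return counts


def format_report(findings: list[Finding]) -> str:
    """Render findings in the skill's report format, most severe first."""
    order = {label: i for i, label in enumerate(SEVERITY.values())}
    rows = sorted(findings, key=lambda f: (order[f.severity], f.line))
    return "\n".join(f"{f.severity}  L{f.line}  {f.check}: {f.message}" for f in rows)


# Constructed sample under review; the key value is a made-up placeholder.
SAMPLE = '''\
import subprocess, logging
API_KEY = "sk_live_0123456789abcdef"
CALLBACK = "http://example.invalid/callback"
log = logging.getLogger(__name__)

def get_user(cur, uid):
    cur.execute(f"SELECT * FROM users WHERE id = {uid}")
    return cur.fetchone()

def login(cur, username, password):
    row = get_user(cur, username)
    if row and row["password"] == password:
        log.info("login ok for %s with password %s", username, password)
        return True
    return False

def ping(host):
    return subprocess.run("ping -c 1 " + host, shell=True)

def set_session(resp, sid):
    resp.set_cookie("session", sid)

app.run(host="0.0.0.0", debug=True)
'''

if __name__ == "__main__":
    found = review(SAMPLE)
    print(format_report(found))
    print(summary(found))
```

On the sample this yields four 🔴 Critical, three 🟡 Warning and one 🔵 Info finding, ordered by severity and then by line so the report opens with what must be fixed before merge. Dependency checks (section 4) are intentionally absent from the rule table: they come from `npm audit` / `pip-audit` against the lockfile, not from reading source lines.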