analyzing-code-security
Security Review Workflow
Follow these steps when conducting a manual security code review:
- Identify the attack surface. Determine entry points: API endpoints, message handlers, file parsers, user-facing forms. Read route definitions and controller registrations to build a map.
- Trace data flows from sources to sinks. Follow untrusted input (HTTP parameters, headers, request bodies, file uploads, external API responses) through all transformations to dangerous operations (database queries, command execution, HTML rendering, file system access).
- Check trust boundary crossings. At every point where data crosses a trust boundary (client→server, service→service, user input→database), verify that validation, authentication, and authorization are enforced.
- Apply framework checklists. Consult
references/framework-checklists.mdfor OWASP Web/API/Mobile Top 10 and CWE Top 25. Check each applicable category against the code under review. - Adopt an adversarial mindset. Form a hypothesis (e.g., "I can bypass SSO", "I can access another user's vault") and work backwards to determine what conditions would make it exploitable.
- Map findings to CWE IDs. Every finding must include the specific CWE identifier, the code location, and the data flow that makes it exploitable.
- Classify by practical exploitability. Distinguish between practically exploitable vulnerabilities and theoretical risks. Prioritize accordingly but document both.
Key Vulnerability Categories
The most frequently encountered categories across Bitwarden's stack:
- Injection (CWE-89, CWE-78, CWE-77) — Unsanitized input reaching SQL queries, OS commands, or LDAP queries. Always use parameterized queries and avoid string concatenation.
- Broken Access Control (CWE-862, CWE-287, CWE-306) — Missing authorization checks, IDOR, privilege escalation. Verify per-object ownership checks and role enforcement at every layer.
- XSS (CWE-79) — User input rendered in HTML without encoding. In Angular, avoid
innerHTMLandbypassSecurityTrust*with untrusted content.
More from bitwarden/ai-plugins
avoiding-false-positives
Use this skill to validate findings during a code review. For each finding, run the rejection criteria and verification checks. If a finding fails any check, drop it.
50retrospecting
Performs comprehensive analysis of Claude Code sessions, examining git history, conversation logs, code changes, and gathering user feedback to generate actionable retrospective reports with insights for continuous improvement.
49implementing-dapper-queries
Implementing Dapper repository methods and stored procedures for MSSQL at Bitwarden. Use when creating or modifying Dapper repositories, writing stored procedures, or working with MSSQL-specific data access in the server repo.
47classifying-review-findings
Use this skill when categorizing code review findings into severity levels. Apply when determining which emoji and label to use for PR comments, deciding if an issue should be flagged at all, or classifying findings as CRITICAL, IMPORTANT, DEBT, SUGGESTED, or QUESTION.
46posting-review-summary
Use this skill when posting the final summary comment after all inline comments are posted. Apply as the LAST step of code review after all findings are classified and inline comments are complete. Detects context (agent mode sticky comment, GitHub Actions MCP tool, or local file) and routes output accordingly.
44reviewing-claude-config
Reviews Claude configuration files for security, structure, and prompt engineering quality. Use when reviewing changes to CLAUDE.md files (project-level or .claude/), skills (SKILL.md), agents, prompts, commands, or settings. Validates YAML frontmatter, progressive disclosure patterns, token efficiency, and security best practices. Detects critical issues like committed settings.local.json, hardcoded secrets, malformed YAML, broken file references, oversized skill files, and insecure agent tool access.
44