security-review
Systematic security code review identifying high-confidence vulnerabilities with data-flow verification.
- Focuses exclusively on HIGH CONFIDENCE findings: vulnerable patterns with confirmed attacker-controlled input, skipping theoretical issues and framework-mitigated code
- Requires codebase research before reporting: traces data flow, checks for validation/sanitization, and verifies exploitability rather than pattern-matching alone
- Covers 14 vulnerability categories (injection, XSS, authorization, cryptography, deserialization, SSRF, and more) with language-specific guides for Python, JavaScript, Go, Rust, and Java
- Distinguishes server-controlled values (settings, env vars, hardcoded constants) from attacker-controlled input to eliminate false positives
- Reports findings with severity classification (Critical/High/Medium/Low), location, impact, evidence, and remediation guidance
Security Review Skill
Identify exploitable security vulnerabilities in code. Report only HIGH CONFIDENCE findings—clear vulnerable patterns with attacker-controlled input.
Scope: Research vs. Reporting
CRITICAL DISTINCTION:
- Report on: Only the specific file, diff, or code provided by the user
- Research: The ENTIRE codebase to build confidence before reporting
Before flagging any issue, you MUST research the codebase to understand:
- Where does this input actually come from? (Trace data flow)
- Is there validation/sanitization elsewhere?
More from getsentry/skills
code-simplifier
Simplifies and refines code for clarity, consistency, and maintainability while preserving all functionality. Use when asked to "simplify code", "clean up code", "refactor for clarity", "improve readability", or review recently modified code for elegance. Focuses on project-specific best practices.
4.4Kfind-bugs
Find bugs, security vulnerabilities, and code quality issues in local branch changes. Use when asked to review changes, find bugs, security review, or audit code on the current branch.
2.4Kagents-md
Creates and maintains concise AGENTS.md and CLAUDE.md project instruction files. Use when asked to create AGENTS.md, update AGENTS.md, maintain agent docs, set up CLAUDE.md, document repository agent conventions, or keep coding-agent instructions minimal and reference-backed.
2.3Kcode-review
Perform code reviews following Sentry engineering practices. Use when reviewing pull requests, examining code changes, or providing feedback on code quality. Covers security, performance, testing, and design review.
2.2Kcommit
ALWAYS use this skill when committing code changes — never commit directly without it. Creates commits following Sentry conventions with proper conventional commit format and issue references. Trigger on any commit, git commit, save changes, or commit message task.
2.0Kiterate-pr
Iterate on a PR until CI passes. Use when you need to fix CI failures, address review feedback, or continuously push fixes until all checks are green. Automates the feedback-fix-push-wait cycle.
1.9K