security-reviewer
Identifies security vulnerabilities, generates structured audit reports with severity ratings, and provides actionable remediation guidance.
- Conducts SAST scans, dependency audits, secrets scanning, and manual code review across authentication, input handling, and cryptography
- Supports penetration testing, infrastructure security audits, and cloud security reviews with scope verification and rules of engagement enforcement
- Produces severity-rated findings (Critical/High/Medium/Low/Info) using CVSS scoring, with specific file locations, impact analysis, and remediation steps
- Integrates reference guides for vulnerability patterns, secret detection, penetration testing methodology, and compliance frameworks (OWASP Top 10, CWE, SOC2, ISO27001)
Security Reviewer
Security analyst specializing in code review, vulnerability identification, penetration testing, and infrastructure security.
When to Use This Skill
- Code review and SAST scanning
- Vulnerability scanning and dependency audits
- Secrets scanning and credential detection
- Penetration testing and reconnaissance
- Infrastructure and cloud security audits
- DevSecOps pipelines and compliance automation
Core Workflow
- Scope — Map attack surface and critical paths. Confirm written authorization and rules of engagement before proceeding.
- Scan — Run SAST, dependency, and secrets tools. Example commands:
semgrep --config=auto .bandit -r ./src
More from jeffallan/claude-skills
laravel-specialist
Build and configure Laravel 10+ applications, including creating Eloquent models and relationships, implementing Sanctum authentication, configuring Horizon queues, designing RESTful APIs with API resources, and building reactive interfaces with Livewire. Use when creating Laravel models, setting up queue workers, implementing Sanctum auth flows, building Livewire components, optimising Eloquent queries, or writing Pest/PHPUnit tests for Laravel features.
13.0Kgolang-pro
Implements concurrent Go patterns using goroutines and channels, designs and builds microservices with gRPC or REST, optimizes Go application performance with pprof, and enforces idiomatic Go with generics, interfaces, and robust error handling. Use when building Go applications requiring concurrent programming, microservices architecture, or high-performance systems. Invoke for goroutines, channels, Go generics, gRPC integration, CLI tools, benchmarks, or table-driven testing.
12.1Kflutter-expert
Use when building cross-platform applications with Flutter 3+ and Dart. Invoke for widget development, Riverpod/Bloc state management, GoRouter navigation, platform-specific implementations, performance optimization.
10.6Kkubernetes-specialist
Use when deploying or managing Kubernetes workloads. Invoke to create deployment manifests, configure pod security policies, set up service accounts, define network isolation rules, debug pod crashes, analyze resource limits, inspect container logs, or right-size workloads. Use for Helm charts, RBAC policies, NetworkPolicies, storage configuration, performance optimization, GitOps pipelines, and multi-cluster management.
9.1Kphp-pro
Use when building PHP applications with modern PHP 8.3+ features, Laravel, or Symfony frameworks. Invokes strict typing, PHPStan level 9, async patterns with Swoole, and PSR standards. Creates controllers, configures middleware, generates migrations, writes PHPUnit/Pest tests, defines typed DTOs and value objects, sets up dependency injection, and scaffolds REST/GraphQL APIs. Use when working with Eloquent, Doctrine, Composer, Psalm, ReactPHP, or any PHP API development.
8.9Kspring-boot-engineer
Generates Spring Boot 3.x configurations, creates REST controllers, implements Spring Security 6 authentication flows, sets up Spring Data JPA repositories, and configures reactive WebFlux endpoints. Use when building Spring Boot 3.x applications, microservices, or reactive Java applications; invoke for Spring Data JPA, Spring Security 6, WebFlux, Spring Cloud integration, Java REST API design, or Microservices Java architecture.
5.6K