secure-code-review


Secure Code Review

A structured, repeatable process for performing security-focused code review grounded in OWASP Application Security Verification Standard (ASVS) 4.0.3 and the CWE Top 25 Most Dangerous Software Weaknesses (2024 edition). This skill produces findings with traceable control IDs, severity ratings, and actionable remediation guidance.


Step 1: Scope and Language Identification

If a target is provided via arguments, focus the review on: $ARGUMENTS

Before examining any code, establish the review boundary.

  1. Identify the languages and frameworks present in the changeset (Python, JavaScript/TypeScript, Go, Java, etc.).
  2. Catalog the modules under review -- list every file path and its primary responsibility (route handler, data model, utility, middleware, configuration).
  3. Determine trust boundaries -- mark where user-controlled data enters the system (HTTP parameters, headers, file uploads, message queues, environment variables).
  4. Note dependencies -- third-party libraries that handle security-sensitive operations (auth libraries, ORM layers, crypto packages, templating engines).
  5. Map ASVS sections to scope -- based on what the code does, select which ASVS chapters (V1 through V14) are applicable to this review.

Gate: Do not proceed until the language, trust boundaries, and applicable ASVS sections are documented. This prevents scope creep and ensures coverage.
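As an added example (not code from the skill or the securityskills repository), the following Python script applies Steps 1 through 5 to a constructed changeset and then evaluates the gate. The sample files, the entry-point regexes, the role-by-directory heuristic and the role-to-ASVS-chapter mapping are all illustrative assumptions that a real review would refine by hand.

```python
import re
from pathlib import PurePosixPath
# Constructed sample changeset (path -> contents); hypothetical files, not from the skill.
SAMPLE_CHANGESET = {
    "app/routes/upload.py": "from flask import request\nf = request.files['doc']\nkey = os.environ['API_KEY']\n",
    "app/models/user.py": "class User(Base):\n    __tablename__ = 'users'\n",
    "requirements.txt": "flask==3.0\nsqlalchemy==2.0\npyjwt==2.8\n",
    "web/api/client.ts": "const body = req.body;\nconst auth = req.headers['authorization'];\n",
}
LANG_BY_EXT = {".py": "Python", ".ts": "TypeScript", ".js": "JavaScript", ".go": "Go", ".java": "Java"}
ROLE_BY_DIR = {"routes": "route handler", "api": "route handler", "handlers": "route handler", "models": "data model"}
# Heuristic source patterns for where user-controlled data enters (step 3); extend per framework.
ENTRY_PATTERNS = {
    "HTTP parameters/body": r"\brequest\.(args|form|files|json)\b|\breq\.(body|query|params)\b",
    "HTTP headers": r"\brequest\.headers\b|\breq\.headers\b",
    "environment variables": r"\bos\.environ\b|\bprocess\.env\b",
}
# Security-sensitive third-party packages worth recording (step 4).
SENSITIVE_DEPS = {"pyjwt": "auth", "sqlalchemy": "ORM", "cryptography": "crypto", "jinja2": "templating"}
# Illustrative ASVS 4.0.3 chapter selection per module role (step 5); the reviewer refines it.
ASVS_BY_ROLE = {"route handler": ["V4 Access Control", "V5 Validation", "V13 API"],
                "data model": ["V5 Validation", "V8 Data Protection"], "dependency manifest": ["V14 Configuration"]}

def role_of(path):
    # Step 2: infer a module's primary responsibility from its path.
    p = PurePosixPath(path)
    if p.name in ("requirements.txt", "package.json", "go.mod", "pom.xml"):
        return "dependency manifest"
    return next((ROLE_BY_DIR[d] for d in p.parts if d in ROLE_BY_DIR), "utility")

def build_scope(changeset):
    # Steps 1-5 over {path: contents}; returns the scope document the gate checks.
    scope = {"languages": set(), "modules": {}, "trust_boundaries": [], "dependencies": [], "asvs": set()}
    for path, text in changeset.items():
        if lang := LANG_BY_EXT.get(PurePosixPath(path).suffix):
            scope["languages"].add(lang)
        role = scope["modules"][path] = role_of(path)
        scope["asvs"].update(ASVS_BY_ROLE.get(role, []))
        for label, pattern in ENTRY_PATTERNS.items():
            for m in re.finditer(pattern, text):
                scope["trust_boundaries"].append((path, text.count("\n", 0, m.start()) + 1, label))
        if role == "dependency manifest":
            for dep in re.findall(r"^([A-Za-z0-9_.-]+)", text, re.M):
                if dep.lower() in SENSITIVE_DEPS:
                    scope["dependencies"].append((dep, SENSITIVE_DEPS[dep.lower()]))
    return scope

def gate_passes(scope):
    # The skill's gate: languages, trust boundaries and ASVS sections must all be documented.
    return bool(scope["languages"] and scope["trust_boundaries"] and scope["asvs"])
```

A changeset with no detected entry points fails the gate, which is the signal to either widen the pattern set or confirm by hand that the code really takes no untrusted input before moving on.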

Installs: 12 | GitHub Stars: 19 | First Seen: May 4, 2026
secure-code-review — unitoneai/securityskills