@violetio/security-review
Updated 4/6/2026

Security Review: Security review with blocking authority for critical vulnerabilities

Installation

$ npx agent-skills-cli install @violetio/security-review
Claude Code
Cursor
Copilot
Codex
Antigravity

Details

Path: archive/plugins-2025-12-30/v-security-review/skills/security-review/SKILL.md
Branch: main
Scoped Name: @violetio/security-review

Usage

After installing, this skill will be available to your AI coding assistant.

Verify installation:

npx agent-skills-cli list

Skill Instructions


name: Security Review
description: Security review with blocking authority for critical vulnerabilities

Security Review Skill

Protect Violet codebases from security vulnerabilities through dedicated security review.

Authority: BLOCKING for Critical/High severity findings


Overview

The Security Review skill provides comprehensive security review with blocking authority for critical vulnerabilities. Tech Lead cannot override security blocks - issues must be fixed.

Key Principle: Security is not optional. Critical vulnerabilities MUST be fixed before code merges.


When to Use

MANDATORY Invocation:

  • Tech Lead agent MUST invoke before approving any PR
  • Cannot be skipped or bypassed
  • Required for all code changes, regardless of size

Additional Invocations:

  • When PR feedback extraction identifies security issues
  • When new security standards are added
  • When security incident requires code audit

Commands

| Command | Purpose |
|---|---|
| /v-security-review:review | Run security checklist and generate report |
| /v-security-review:override | Override with logged justification |

Severity Levels

Critical (BLOCKS MERGE)

Definition: Vulnerabilities that pose immediate, severe risk

| Vulnerability | Example | Impact |
|---|---|---|
| Secrets in code | API keys, passwords, tokens hardcoded | Immediate credential exposure |
| SQL Injection | User input in raw SQL queries | Database compromise |
| XSS | Unescaped user content in HTML | Account takeover |
| Unencrypted PII | SSN, credit cards in logs/storage | Compliance violation |
| Authentication bypass | Missing auth checks | Unauthorized access |
| Authorization bypass (IDOR) | No resource ownership validation | Data exposure |
| Remote code execution | Unsafe deserialization, eval() | Full system compromise |
| Cryptographic failures | Weak algorithms, hardcoded keys | Data exposure |

Action: BLOCK merge until fixed and re-reviewed

High (BLOCKS MERGE)

Definition: Significant vulnerabilities requiring immediate attention

| Vulnerability | Example | Impact |
|---|---|---|
| Missing input validation | No validation on user input | Injection attacks |
| Insecure dependencies | Known CVEs in dependencies | Exploitable vulnerabilities |
| Weak authentication | No rate limiting, weak passwords | Account compromise |
| Information disclosure | Error messages expose system details | Aids attackers |
| Missing HTTPS | Sensitive data over HTTP | Man-in-the-middle attacks |
| Session fixation | Session ID not regenerated | Session hijacking |

Action: BLOCK merge until fixed and re-reviewed

Medium (ADVISORY)

Definition: Issues that should be fixed but don't block merge

| Issue | Example | Recommendation |
|---|---|---|
| Missing security headers | No CSP, X-Frame-Options | Add headers |
| Verbose error messages | Stack traces to users | Generic messages |
| Insufficient logging | No audit trail | Add security logging |
| Rate limiting gaps | Some endpoints not limited | Add rate limits |
| Outdated dependencies | Non-CVE outdated packages | Update dependencies |

Action: ADVISE fix; the tech lead decides whether it blocks

Low (INFORMATIONAL)

Definition: Minor issues or best practices

| Issue | Example |
|---|---|
| Security through obscurity | Hiding functionality as security |
| Missing comments | Complex security logic uncommented |
| Inconsistent patterns | Different auth approaches |

Action: INFORM only, does not block


Security Checklist Categories

Input Validation

  • All user input validated (type, length, format, range)
  • Allowlists used over denylists
  • Server-side validation (not just client-side)
  • Input sanitized before use

Authentication

  • Authentication required for sensitive endpoints
  • Strong password requirements enforced
  • Rate limiting on auth endpoints
  • Secure session management

Authorization

  • Authorization checked on every request
  • Principle of least privilege applied
  • Object-level permissions verified (IDOR prevention)
  • No client-provided role/permission trust

Data Protection

  • Sensitive data encrypted at rest
  • TLS 1.2+ for all connections
  • Sensitive data not in logs
  • Sensitive data not in URLs

Secrets Management

  • No secrets hardcoded in code
  • AWS Parameter Store or similar used
  • No credentials in environment variables
  • No API keys in client-side code

SQL Injection Prevention

  • Parameterized queries used
  • No string concatenation in queries
  • No dynamic table/column names from user input
  • ORM used correctly
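
The first three items of this checklist, shown as an added example that is not part of the skill or of Violet's code: a concatenated query that fails review next to a form that passes. The `orders` table, the function names and the probe string are assumptions constructed for illustration, using Python's standard `sqlite3` module.

```python
import sqlite3

def make_db():
    # Constructed sample data; the schema is hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, merchant TEXT, total REAL)")
    db.executemany(
        "INSERT INTO orders (merchant, total) VALUES (?, ?)",
        [("acme", 10.0), ("acme", 25.5), ("globex", 99.0)],
    )
    return db

def find_orders_unsafe(db, merchant):
    # Fails the checklist: user input is concatenated into the query text,
    # so quote characters in the input change the structure of the query.
    sql = "SELECT id, merchant, total FROM orders WHERE merchant = '" + merchant + "'"
    return db.execute(sql).fetchall()

# Column names cannot be bound as parameters, so user-facing sort keys are
# mapped to fixed identifiers (an allowlist) instead of being interpolated.
SORT_COLUMNS = {"id": "id", "total": "total"}

def find_orders_safe(db, merchant, sort_by="id"):
    column = SORT_COLUMNS.get(sort_by)
    if column is None:
        raise ValueError(f"unsupported sort key: {sort_by!r}")
    # The identifier comes from the allowlist; the value is bound with "?".
    sql = f"SELECT id, merchant, total FROM orders WHERE merchant = ? ORDER BY {column}"
    return db.execute(sql, (merchant,)).fetchall()

# Constructed probe a reviewer can use to tell the two functions apart.
PROBE = "nobody' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("unsafe rows:", len(find_orders_unsafe(db, PROBE)))  # every row comes back
    print("safe rows:  ", len(find_orders_safe(db, PROBE)))    # input treated as data
```

In the parameterized version the probe is compared as a literal merchant name and matches nothing, while an unknown sort key is rejected before any SQL is built.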

XSS Prevention

  • User content escaped before rendering
  • Appropriate output encoding
  • CSP headers set
  • No innerHTML with user content

Security Override Process

CRITICAL: Overrides are logged to violet-brain/security-overrides/ for audit.

When an engineer or tech lead believes a block is incorrect:

  1. User requests: "Override security block for PR #123"
  2. Agent prompts for justification
  3. Override document generated and committed
  4. Security team reviews monthly

Override document location: violet-brain/security-overrides/YYYY-MM-DD-pr-{number}-override.md


Reference Files

| File | Purpose |
|---|---|
| violet-brain/standards/sec-priv/code-security.md | Complete security standards |
| violet-brain/docs/sec-priv/quick-reference.md | One-page checklist |
| violet-brain/agents/references/security-reviewer.md | Security reviewer criteria |

Skill Version: 1.0.0