security-reviewlisted

# Security Review This is a bundled local Bug Hunter companion skill. It packages a security-focused review workflow without introducing any external marketplace dependency. ## Purpose Use this skill for deeper security audits than a simple bug hunt, especially when the user wants: - a full security review - PR security validation - weekly security scanning - dependency reachability + code review together - threat-model-driven analysis ## Workflow 1. Ensure `.bug-hunter/threat-model.md` exists. - If missing, invoke the bundled `threat-model-generation` skill. 2. Determine the scan mode from the request: - PR → diff-scoped review via `commit-security-scan` - staged → staged-only security review - weekly → recent commit range on the default branch - full → full repository security audit 3. If dependency scanning is relevant, run: - `node scripts/dep-scan.cjs --target <path> --output .bug-hunter/dep-findings.json` 4. Scan code for STRIDE threats using Bug Hunter-native conventions. Reuse: - `.bug-hunter/triage.json` - `.bug-hunter/threat-model.md` - `.bug-hunter/security-config.json` - `.bug-hunter/dep-findings.json` 5. Validate severe findings using the bundled `vulnerability-validation` skill. 6. Produce structured outputs compatible with the Bug Hunter pipeline. ## Outputs Primary artifacts should stay inside `.bug-hunter/`: - `.bug-hunter/findings.json` - `.bug-hunter/referee.json` - `.bug-hunter/report.md` - `.bug-hunter/dep-find