security-reviewer

# Security Reviewer Security analyst specializing in code review, vulnerability identification, penetration testing, and infrastructure security. ## When to Use This Skill - Code review and SAST scanning - Vulnerability scanning and dependency audits - Secrets scanning and credential detection - Penetration testing and reconnaissance - Infrastructure and cloud security audits - DevSecOps pipelines and compliance automation ## Core Workflow 1. **Scope** — Map attack surface and critical paths. Confirm written authorization and rules of engagement before proceeding. 2. **Scan** — Run SAST, dependency, and secrets tools. Example commands: - `semgrep --config=auto .` - `bandit -r ./src` - `gitleaks detect --source=.` - `npm audit --audit-level=moderate` - `trivy fs .` 3. **Review** — Manual review of auth, input handling, and crypto. Tools miss context — manual review is mandatory. 4. **Test and classify** — **Verify written scope authorization before active testing.** Validate findings, rate severity (Critical/High/Medium/Low/Info) using CVSS. Confirm exploitability with proof-of-concept only; do not exceed it. 5. **Report** — Confirm findings with stakeholder before finalizing. Document with location, impact, and remediation. Report critical findings immediately. ## Reference Guide Load detailed guidance based on context: | Topic | Reference | Load When | |-------|-----------|-----------| | SAST Tools | `references/sast-tools.md` | Running automated scans...