gsd--security-review (listed)
Install: claude install-skill alo-exp/silver-bullet
# GSD — Security Review
## When to Use
Mandatory step before shipping a phase. Run the security quality-dimension checklist against every change in the phase, not only the files that look risky at a glance.
## Steps
### Step 1: Identify Security-Touching Files
From REVIEW.md or the phase's git diff (for example `git diff --name-only <base>..HEAD`), list every changed file that handles:
- Authentication/authorization
- Data persistence
- External API calls
- User input
- File operations
- Secrets management
### Step 2: Run Security Checklist
Check each security-touching file against the security quality dimension:
- Input validation at every trust boundary (request parameters, headers, uploaded file contents, messages from other services)
- Parameterized queries for SQL and any other interpreter (no string concatenation, format strings or f-strings building the query text)
- Output encoding appropriate to the render context (HTML body, attribute, JavaScript, URL), not a single generic escape
- Auth/authz checks on every endpoint, including object-level checks that the caller may access the specific record requested
- No hardcoded secrets in source, config, tests or fixtures; credentials come from a secret store or the environment
- Secure defaults: deny by default, debug mode off, TLS on, least privilege for service accounts
### Step 3: Write SECURITY.md
```
# Security Review — Phase <N>
## Scope
<files reviewed>
## Findings
| ID | File | Issue | Severity | Status |
|----|------|-------|----------|--------|
| SEC-01 | | | | |
## Gate: PASS / FAIL
```
### Step 4: Fix Critical Findings
Any CRITICAL finding must be fixed, and the fix re-checked against the same checklist item, before proceeding. MAJOR/MINOR findings can be logged as technical debt, but they stay in the Findings table with their Status recorded so they are not silently dropped.
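The four steps above, as an added worked example that is not part of the GSD skill itself: a small Python triage helper that classifies a constructed set of changed files (Step 1), runs a handful of regex heuristics for the mechanical checklist items (Step 2), fills the SECURITY.md template (Step 3) and applies the gate rule from Step 4. The path conventions, the regexes and the sample file contents are all assumptions made for this illustration; checklist items such as "auth/authz on every endpoint" cannot be reduced to a regex and still need a human reader.

```python
# Added example, not part of the GSD skill: a small triage helper that walks the
# four steps above over a constructed set of changed files and renders the
# SECURITY.md table with its PASS/FAIL gate. Path conventions and regex checks
# are assumptions for illustration; items such as "auth/authz on every endpoint"
# still need a human reader.
import re
from dataclasses import dataclass


@dataclass
class Finding:
    path: str
    line: int
    issue: str
    severity: str  # CRITICAL | MAJOR | MINOR


# Step 1: path hints for security-touching files (assumed naming conventions).
SECURITY_PATHS = {
    "auth": re.compile(r"auth|login|session|token|permission", re.I),
    "persistence": re.compile(r"\b(db|dao|repo|model|migration)s?\b", re.I),
    "external": re.compile(r"client|http|webhook|\bapi\b", re.I),
    "input": re.compile(r"handler|view|controller|route|form|parser", re.I),
    "files": re.compile(r"upload|storage|\bfile", re.I),
    "secrets": re.compile(r"secret|credential|config|\.env\b", re.I),
}

# Step 2: line-level heuristics for the mechanical checklist items: (regex, issue, severity).
CHECKS = [
    # query text assembled with '+', '%' or an f-string instead of bound parameters
    (re.compile(r"\b(execute|query)\(\s*(f[\"']|.*?[\"']\s*(\+|%))", re.I),
     "Query built by string concatenation; use a parameterized query", "CRITICAL"),
    # a secret-looking name assigned a long string literal
    (re.compile(r"\b(password|passwd|secret|api_key|token)\s*=\s*[\"'][^\"']{8,}[\"']", re.I),
     "Hardcoded secret literal; load it from a secret store or the environment", "CRITICAL"),
    # output marked safe or written raw into the DOM: needs context-appropriate encoding
    (re.compile(r"mark_safe\(|\|\s*safe\b|innerHTML\s*=", re.I),
     "Output bypasses encoding; verify escaping for the render context", "MAJOR"),
    # an insecure default shipped in code
    (re.compile(r"\bdebug\s*=\s*True\b", re.I),
     "Debug mode enabled; ship with secure defaults", "MAJOR"),
]


def classify(path: str) -> list[str]:
    """Step 1: security categories a changed file falls into ([] means out of scope)."""
    return [name for name, rx in SECURITY_PATHS.items() if rx.search(path)]


def run_checks(path: str, source: str) -> list[Finding]:
    """Step 2: apply every heuristic to every line of one in-scope file."""
    found = []
    for lineno, text in enumerate(source.splitlines(), 1):
        for rx, issue, severity in CHECKS:
            if rx.search(text):
                found.append(Finding(path, lineno, issue, severity))
    return found


def review(changed: dict[str, str]) -> tuple[list[str], list[Finding], str]:
    """Steps 1-2 plus the Step 4 gate rule: any open CRITICAL finding fails the gate."""
    scope = [p for p in changed if classify(p)]
    findings = [f for p in scope for f in run_checks(p, changed[p])]
    gate = "FAIL" if any(f.severity == "CRITICAL" for f in findings) else "PASS"
    return scope, findings, gate


def render_security_md(phase: int, scope: list[str], findings: list[Finding], gate: str) -> str:
    """Step 3: fill the SECURITY.md template; MAJOR/MINOR stay listed as open debt."""
    rows = ["| ID | File | Issue | Severity | Status |",
            "|----|------|-------|----------|--------|"]
    for i, f in enumerate(findings, 1):
        rows.append(f"| SEC-{i:02d} | {f.path}:{f.line} | {f.issue} | {f.severity} | OPEN |")
    return "\n".join([f"# Security Review — Phase {phase}", "## Scope", *scope,
                      "## Findings", *rows, f"## Gate: {gate}"])


# Constructed sample diff: file contents are invented to exercise the checks.
CHANGED_FILES = {
    "app/auth/login.py": (
        "def login(req):\n"
        "    user = req.form['user']\n"
        "    cur.execute(\"SELECT id FROM users WHERE name = '\" + user + \"'\")\n"
    ),
    "app/config.py": "DEBUG = True\nAPI_KEY = \"sk-live-0123456789abcdef\"\n",
    "app/api/client.py": "def fetch(url):\n    return http.get(url, timeout=5)\n",
    "docs/README.md": "# nothing security-relevant here\n",
}

# The same phase after Step 4: both CRITICALs fixed, the MAJOR logged as debt.
FIXED_FILES = dict(CHANGED_FILES)
FIXED_FILES["app/auth/login.py"] = (
    "def login(req):\n"
    "    user = req.form['user']\n"
    "    cur.execute(\"SELECT id FROM users WHERE name = %s\", (user,))\n"
)
FIXED_FILES["app/config.py"] = "DEBUG = True\nAPI_KEY = os.environ['API_KEY']\n"

if __name__ == "__main__":
    scope, findings, gate = review(CHANGED_FILES)
    print(render_security_md(1, scope, findings, gate))
```

Running the block prints a SECURITY.md for the constructed diff with three findings and `Gate: FAIL`; reviewing `FIXED_FILES` instead yields `Gate: PASS` with the `DEBUG = True` MAJOR still listed as open debt, which is exactly the Step 4 rule. The regexes are deliberately narrow (a match is a lead to read, not a verdict), and `docs/README.md` is excluded at Step 1 because nothing in its path suggests a security-touching role.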
## Exit Condition
SECURITY.md exists with Gate: PASS, meaning no finding with Severity CRITICAL remains open (MAJOR/MINOR findings may still be listed as logged debt).