secure-review
Install: claude install-skill backspace-shmackspace/claude-devkit
# /secure-review Workflow
## Role
This skill is a **scan coordinator**. It orchestrates parallel semantic security scans across three dimensions — vulnerability patterns, data flow and PII exposure, and authentication/authorization logic — then synthesizes findings into a structured security report with a PASS / PASS_WITH_NOTES / BLOCKED verdict. It does not fix issues; it identifies and categorizes them.
This skill is a composable building block. When deployed, `/audit` can dispatch it as its security scan component for deeper analysis.
## Inputs
- Scope: `$ARGUMENTS` (optional), one of:
  - `changes` — Uncommitted changes only (default)
  - `pr` — Pull request diff
  - `full` — Entire codebase
## Step 0 — Determine scope and check for security-analyst agent
Tool: `Bash`, `Glob`
**Scope resolution:**
- If `$ARGUMENTS` is empty: scope = `changes`
- Else: scope = `$ARGUMENTS`
Validate scope is one of: `changes`, `pr`, `full`. If not, stop with:
"Invalid scope. Use: /secure-review [changes|pr|full]"
Derive timestamp: `[timestamp]` = current datetime in ISO format with the colons replaced by hyphens so it is safe in file names (e.g., `2026-03-25T14-30-00`)
**Agent pre-check:** Glob for `.claude/agents/security-analyst*.md`
- **If found:** "Using project-specific security-analyst agent for security scans."
- **If not found:** "No project-specific security-analyst found. Using generic Task subagent. For project-tailored scanning, generate one: `gen-agent . --type security-analyst`"
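As an added illustration (not part of the claude-devkit skill, whose steps are executed by the agent through its `Bash` and `Glob` tools), the following POSIX sh functions implement Step 0 as specified above: default-and-validate the scope, derive the filename-safe timestamp, and run the agent pre-check glob. The function names `resolve_scope`, `derive_timestamp` and `check_agent` are assumptions chosen for this example; the messages and the glob pattern are the ones the skill text prescribes.

```shell
#!/bin/sh
# Added example: Step 0 of /secure-review as shell functions.
# Not the skill's own code; function names are hypothetical.

# resolve_scope [ARGS]
#   Prints the effective scope. Empty $ARGUMENTS defaults to "changes";
#   anything outside changes|pr|full fails with the skill's usage message.
resolve_scope() {
  scope="${1:-changes}"
  case "$scope" in
    changes|pr|full)
      printf '%s\n' "$scope"
      ;;
    *)
      printf 'Invalid scope. Use: /secure-review [changes|pr|full]\n' >&2
      return 1
      ;;
  esac
}

# derive_timestamp
#   ISO-style UTC datetime with colons replaced by hyphens, e.g.
#   2026-03-25T14-30-00, so it can be embedded in report file names.
derive_timestamp() {
  date -u +%Y-%m-%dT%H-%M-%S
}

# check_agent [PROJECT_DIR]
#   Globs for .claude/agents/security-analyst*.md under PROJECT_DIR
#   (default: current directory) and prints which agent will be used.
check_agent() {
  dir="${1:-.}"
  # If the glob matches nothing, $1 stays the literal pattern and -e is false.
  set -- "$dir"/.claude/agents/security-analyst*.md
  if [ -e "$1" ]; then
    printf 'Using project-specific security-analyst agent for security scans.\n'
  else
    printf 'No project-specific security-analyst found. Using generic Task subagent. '
    printf 'For project-tailored scanning, generate one: gen-agent . --type security-analyst\n'
  fi
}

# Stand-alone usage: resolve the scope from the first argument, then report.
if [ "${SECURE_REVIEW_DEMO:-}" = 1 ]; then
  scope=$(resolve_scope "$1") || exit 1
  printf 'scope=%s timestamp=%s\n' "$scope" "$(derive_timestamp)"
  check_agent .
fi
```

Run with `SECURE_REVIEW_DEMO=1 sh step0.sh pr` to see the resolved scope, timestamp and agent message; the guard keeps the file safe to source into a test harness without side effects.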
**Scope target derivation:**
- If scope is `changes`: Run `git diff HEAD