
saas-code-security-review

Application-code security review for SaaS backends focusing on authentication, authorization, IDOR/BOLA, SSRF, JWT handling, injection (SQL/NoSQL/command/template), deserialization, mass assignment, and SAST findings. Multi-stack (Node/TypeScript, Python, Go, Java, Ruby). Use this skill whenever the user asks to review code for security bugs, find IDOR or BOLA vulnerabilities, audit auth flows, check JWT validation, look for SSRF, hunt for injection, review session management, or interpret SAST output from CodeQL/Semgrep/Snyk Code. Trigger on phrases like 'review this code for security', 'find IDOR', 'is my JWT validation safe', 'SSRF check', 'SAST report', 'auth bypass', 'BOLA', 'audit my auth', 'session security'. Use this when the user shares a code file and security context.
hlsitechio/claude-skills-security · ★ 1 · Data & Documents · score 65
Install: claude install-skill hlsitechio/claude-skills-security
# SaaS Code Security Review

Find application-layer vulnerabilities in SaaS backend code: authentication flows, authorization checks, request handling, and trust boundaries. Defensive (find & fix) focus.

## When this skill applies

- Reviewing source code (a PR diff, a specific file, or a directory) for security bugs
- Interpreting and triaging SAST output (CodeQL, Semgrep, Snyk Code, Sonar)
- Walking an auth flow looking for bypass paths
- Checking JWT issuance and validation correctness
- Hunting for IDOR / BOLA in REST or GraphQL endpoints

Use other skills for: backend RLS/database (`supabase-security-audit`), API surface concerns like rate limiting and CORS (`saas-api-security`), tenant-isolation focus (`saas-tenant-isolation`).

## Workflow

Follow `../_shared/audit-workflow.md`. Skill-specific notes below.

### Phase 1: Scope confirmation

- Language and framework (informs which patterns to look for)
- Auth model (sessions? JWT? both?)
- Database tech (informs injection patterns)
- Whether this is a PR review (smaller scope, recent diff) or a directory audit (broader)

### Phase 2: Inventory

- Identify entry points: HTTP route handlers, GraphQL resolvers, gRPC services, message queue consumers, CLI commands, scheduled jobs.
- Identify trust boundaries: where user input enters, where it crosses to the database, where it leaves to other services.
- Identify auth/authz code: middleware, decorators, policy functions, RBAC tables.
- Note any auto-generated boilerplate (of
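As an added illustration of the IDOR / BOLA pattern this review hunts for in REST handlers (example code written for this page, not part of the claude-skills-security skill), here is a minimal order-lookup handler with and without an object-level ownership check, plus the cross-tenant probe a reviewer would run against it; the tenant ids, order ids and in-memory store are constructed:

```python
# Added example, not from the claude-skills-security repo. Framework-free so it
# runs offline: handlers are plain functions taking the caller's tenant (as an
# auth middleware would resolve it) and the order id parsed from the URL path.
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    id: int
    tenant_id: str
    total_cents: int


# Constructed sample store: two tenants, one order each.
ORDERS = {
    101: Order(101, "tenant-a", 4999),
    102: Order(102, "tenant-b", 1250),
}


def get_order_vulnerable(caller_tenant: str, order_id: int) -> dict:
    """Authenticated but not authorized: the lookup is keyed on the
    user-supplied id alone, so any logged-in caller can read any
    tenant's order. This is the IDOR / BOLA shape to flag in review."""
    order = ORDERS.get(order_id)
    if order is None:
        return {"status": 404}
    return {"status": 200, "tenant_id": order.tenant_id, "total_cents": order.total_cents}


def get_order_secure(caller_tenant: str, order_id: int) -> dict:
    """Object-level check: the row must belong to the caller's tenant.
    Unknown and foreign ids both return 404, so the endpoint does not
    reveal which ids exist (a 403 here would leak existence)."""
    order = ORDERS.get(order_id)
    if order is None or order.tenant_id != caller_tenant:
        return {"status": 404}
    return {"status": 200, "tenant_id": order.tenant_id, "total_cents": order.total_cents}


def cross_tenant_read_blocked(handler) -> bool:
    """Reviewer probe: a tenant-a caller asks for tenant-b's order.
    Returns True only when the handler enforces ownership."""
    return handler("tenant-a", 102)["status"] != 200
```

When reviewing a real codebase, look for the same defect in every lookup keyed only on a client-supplied id: the fix is to scope the query by the caller's principal (tenant, user or role) rather than to filter after fetching.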