Security

Systematic code review covering quality, security, performance, and architecture using PAL MCP. Use for pull request reviews, code audits, or pre-commit validation. Triggers on review requests, PR reviews, or code quality checks.

Plan and manage security evidence collection for compliance audits and assessments. Use this skill to identify required evidence, track collection status, and ensure audit readiness.

Full 9-phase workflow for complex features, epics, and security-critical changes (2-4 hours)

OAuth flows for user-context operations. Web application patterns, device flow for CLI tools, and token refresh strategies for GitHub Apps.

Эксперт ISO 27001. Используй для ISMS, security controls и compliance implementation.

WHEN: Deep AI-powered code analysis, multi-model code review, security scanning with Codex and GeminiWHAT: Comprehensive code review using external AI models with severity-based findings, deduplication, and secret detectionWHEN NOT: Simple lint checks -> code-reviewer, Quick security only -> security-scanner, Style formatting -> code-quality-checker

Authentication patterns including JWT, sessions, and OAuth. Use when implementing user authentication.

Code review criteria covering security, performance, quality standards, and issue prioritization for thorough code analysis.

Generate Content Security Policy (CSP) header configurations for web security. Triggers on "create csp header", "generate content security policy", "csp config", "security headers".

Reviews pull requests for compliance regressions. Scans code diffs for security and compliance violations, flags issues, and suggests fixes aligned with frameworks like SOC 2, ISO 27001, NIST 800-53.

Execute SQL queries against Snowflake data warehouse using Python connector. Supports password, key-pair, and SSO/OAuth authentication. Use for ad-hoc queries, data extraction, and schema exploration. Output in JSON, table, or CSV format.

セキュリティ観測。認可漏れ、インジェクション、機密漏えい、暗号誤用、依存脆弱性を検出。Use when: 認証/認可実装、外部入力処理、依存更新、コミット前チェック、セキュリティレビューして、脅威分析が必要な時。

Understanding the threat model for self-hosted GitHub Actions runners. GitHub-hosted vs self-hosted comparison and secure deployment patterns.

Use when working with Supabase database schemas, migrations, RLS policies, or PostGIS features. Enforces UUID standards, timestamp columns, and security best practices.

Implement JWT authentication with bcrypt password hashing, refresh tokens, account lockout, and password reset flow. Use when setting up authentication or login system.

Implement robust error handling with user-friendly messages, specific exception types, centralized error boundaries, and graceful degradation strategies. Use this skill when writing try-catch blocks, handling exceptions and errors, creating error messages for users, implementing error boundaries in React or other frameworks, validating input and checking preconditions, handling API errors and external service failures, implementing retry strategies with exponential backoff, cleaning up resources in finally blocks, designing graceful degradation for non-critical failures, or preventing technical details and security information from being exposed to users. Apply this skill when handling errors in any code file, implementing error recovery mechanisms, or reviewing error handling approaches for robustness and security.

Use this skill when you need to perform comprehensive security vulnerability assessments on a codebase. This skill launches the security-orchestrator agent to conduct systematic security reviews by breaking down the codebase into architectural units and performing deep security analysis.

.NET 코드에서 정적 분석(Static analysis), 보안 스캔(Security scan) 및 종속성 체크(Dependency check)를 수행합니다. 코드 품질, 보안 감사 또는 취약점 탐지가 포함된 작업에서 사용합니다.

Automated security scanning workflow using Semgrep MCP. Scans changed files for OWASP Top 10 vulnerabilities, CWE patterns, hardcoded secrets, and security misconfigurations. Returns prioritized findings with remediation guidance. Use when security validation is needed for code changes (invoked by security-engineer, code-quality-validator, or /audit command). Scans only changed files for efficiency (10-15s overhead).

Comprehensive TypeScript best practices including type imports, security patterns, code structure, and early returns. Use when writing TypeScript code, reviewing for quality, implementing error handling, or ensuring type safety.