Differential Security Review

Security-focused review of code changes using git diff analysis. Identifies security implications of recent modifications — new attack surfaces, removed protections, changed auth logic, and risky refactors. Complements SKL-0016 (Code Review) with a security lens on diffs.

5 stars

Best use case

Differential Security Review is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Security-focused review of code changes using git diff analysis. Identifies security implications of recent modifications — new attack surfaces, removed protections, changed auth logic, and risky refactors. Complements SKL-0016 (Code Review) with a security lens on diffs.

Teams using Differential Security Review should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/differential-security-review/SKILL.md --create-dirs "https://raw.githubusercontent.com/BasharAmso/Bashi/main/create-bashi-app/template/custom-skills/differential-security-review/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/differential-security-review/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How Differential Security Review Compares

Feature / AgentDifferential Security ReviewStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Security-focused review of code changes using git diff analysis. Identifies security implications of recent modifications — new attack surfaces, removed protections, changed auth logic, and risky refactors. Complements SKL-0016 (Code Review) with a security lens on diffs.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

Related Guides

SKILL.md Source

# Skill: Differential Security Review

## Metadata

| Field | Value |
|-------|-------|
| **Skill ID** | SKL-0030 |
| **Version** | 1.0 |
| **Owner** | reviewer |
| **Inputs** | Git diff, STATE.md, DECISIONS.md |
| **Outputs** | Differential security report, STATE.md updated |
| **Triggers** | `DIFF_SECURITY_REVIEW_REQUESTED` |

---

## Purpose

Review code *changes* (not the full codebase) through a security lens. Every diff is a potential new attack surface. This skill identifies security implications of recent modifications — things a standard code review misses because it focuses on correctness, not security.

Inspired by [Trail of Bits' differential-review skill](https://github.com/trailofbits/skills).

> **See also:** For full codebase security audit, see SKL-0015 (Security Audit).

---

## Procedure

### Step 1 — Collect the Diff

Determine the diff scope:
1. If a branch is specified: `git diff main...HEAD`
2. If staged changes exist: `git diff --cached`
3. Otherwise: `git diff` (unstaged changes)
4. If no changes found: report "No changes to review" and stop

List all modified files and categorize by risk:

| File Category | Risk Level | Examples |
|---------------|-----------|---------|
| Auth/session handling | HIGH | `auth/`, `middleware/`, `session/`, `*auth*`, `*login*` |
| API endpoints | HIGH | `routes/`, `api/`, `controllers/` |
| Database queries | HIGH | `*model*`, `*query*`, `*migration*` |
| Configuration | MEDIUM | `config/`, `.env*`, `docker-compose*` |
| Input handling | MEDIUM | `*form*`, `*input*`, `*validation*` |
| UI rendering | MEDIUM | `*template*`, `*component*` (XSS risk) |
| Tests | LOW | `test/`, `spec/`, `__tests__/` |
| Documentation | LOW | `docs/`, `*.md` |

### Step 2 — Analyze Security-Sensitive Changes

For each HIGH and MEDIUM risk file, examine the diff for:

**Added code:**
- New API endpoints without authentication checks
- New database queries (SQL injection surface)
- New user input handling without validation
- New file upload or download functionality
- New external service calls without error handling
- New environment variable reads without defaults

**Removed code:**
- Removed authentication or authorization checks
- Removed input validation or sanitization
- Removed rate limiting
- Removed encryption or hashing
- Removed CSRF/XSS protections
- Removed error handling around security-sensitive operations

**Changed code:**
- Modified auth logic (any change to who-can-access-what)
- Changed encryption algorithms or key handling
- Weakened validation rules
- Changed session management
- Modified CORS or CSP policies

### Step 3 — Cross-Reference Decisions

Read DECISIONS.md to check if any security-relevant changes were intentional and documented. If a change looks risky but has a documented decision, note it as "Acknowledged risk" rather than a finding.

### Step 4 — Generate Report

For each finding:
- **File and diff context** (the specific lines changed)
- **Risk category** (new surface / removed protection / weakened control)
- **Severity** (CRITICAL / HIGH / MEDIUM / LOW)
- **Before vs. After** (what changed and why it matters)
- **Recommendation** (keep, revert, or mitigate)

### Step 5 — Update STATE.md

Record review completion, files analyzed, and severity summary.

---

## Constraints

- Read-only analysis — does not modify source files
- Reviews diffs only, not the entire codebase (use SKL-0015 for full audits)
- Does not fix issues — provides actionable recommendations
- If no security-relevant changes are found, say so explicitly (a clean diff review is a valid result)

---

## Primary Agent

reviewer

---

## Definition of Done

- [ ] Diff scope determined and all changed files categorized by risk
- [ ] All HIGH and MEDIUM risk files analyzed for security implications
- [ ] Added, removed, and changed code examined separately
- [ ] Cross-referenced with DECISIONS.md for intentional changes
- [ ] Each finding has file, diff context, severity, and recommendation
- [ ] STATE.md updated

## Output Contract

| Field | Value |
|-------|-------|
| **Artifacts** | Differential security report (findings with severity and recommendations) |
| **State Update** | `.claude/project/STATE.md` — mark task complete, log files analyzed and severity summary |
| **Handoff Event** | `TASK_COMPLETED` (security review complete) |

Related Skills

Security Audit

5
from BasharAmso/Bashi

Audit code and dependencies for security vulnerabilities. Use this skill when a security review is requested, including OWASP checks, secrets scanning, and dependency audits.

Quality Review

5
from BasharAmso/Bashi

Review code, content, or deliverables for quality, clarity, and correctness. Adapts review criteria based on artifact type (code, documentation, PRD, design, configuration). Use this skill when a quality review has been requested on completed work.

Code Review

5
from BasharAmso/Bashi

Review code for correctness, maintainability, and best practices. Uses a structured two-pass review (CRITICAL then INFORMATIONAL) with interactive issue resolution. Includes scope challenge, failure mode analysis, and TODOS.md cross-reference. Use this skill when a code review is requested on new or modified code.

Supply Chain Audit

5
from BasharAmso/Bashi

Audit the dependency supply chain for security risks beyond what `npm audit` or `pip audit` catches. Analyzes dependency health, maintainer trust signals, typosquatting risk, and transitive dependency exposure.

SEO Audit

5
from BasharAmso/Bashi

Audit web pages for search engine optimization: meta tags, heading hierarchy, structured data, image optimization, mobile-friendliness, and content quality. Complements SKL-0013 (Growth & Distribution) by validating what was built.

Pitch Deck

5
from BasharAmso/Bashi

Create a structured pitch deck outline for investors, stakeholders, or partners. Covers problem, solution, market, traction, team, and ask. Natural output after PRD + Problem Stress Test validation.

Launch Checklist

5
from BasharAmso/Bashi

Pre-launch validation covering everything deployment (SKL-0021) doesn't: analytics, error tracking, social meta, legal pages, email setup, DNS, SSL, and go-live readiness. Produces a launch readiness report with pass/fail checklist. Use this skill before going live on any project.

Insecure Defaults Detection

5
from BasharAmso/Bashi

Detect insecure default configurations, hardcoded credentials, fail-open security patterns, and dangerous default values in application code and configuration files. Complements SKL-0015 (Security Audit) by focusing on configuration-level vulnerabilities that dependency scanners miss.

Copywriting

5
from BasharAmso/Bashi

Write conversion-focused copy using proven frameworks (AIDA, PAS, BAB). Produces headlines, CTAs, landing page copy, email sequences, and micro-copy. Ensures copy matches brand voice and target audience.

Competitor Analysis

5
from BasharAmso/Bashi

Structured competitor research: features, pricing, positioning, gaps, and differentiation strategy. Feeds into PRD Writing (SKL-0004) and Problem Stress Test (SKL-0027) with better market context.

UX Design

5
from BasharAmso/Bashi

Design user experiences including wireframes, flows, and interaction patterns. Use this skill when UX design work is requested, including onboarding flows and interface layouts.

User Acceptance Testing

5
from BasharAmso/Bashi

Structured QA testing with four modes: diff-aware (auto-scoped to branch changes), full (systematic exploration), quick (30-second smoke test), and regression (compare against baseline). Produces health score, structured reports, and actionable bug lists. Use this skill when UAT is requested or a feature is ready for acceptance testing.