arch-security-review
Use when reviewing code for security vulnerabilities, implementing authorization, or ensuring data protection.
Best use case
arch-security-review is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Use when reviewing code for security vulnerabilities, implementing authorization, or ensuring data protection.
Teams using arch-security-review should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/arch-security-review/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How arch-security-review Compares
| Feature / Agent | arch-security-review | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Use when reviewing code for security vulnerabilities, implementing authorization, or ensuring data protection.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Security Review Workflow
## When to Use This Skill
- Security audit of code changes
- Implementing authentication/authorization
- Data protection review
- Vulnerability assessment
## Pre-Flight Checklist
- [ ] Identify security-sensitive areas
- [ ] Review OWASP Top 10 relevance
- [ ] Check for existing security patterns
- [ ] Plan remediation approach
## OWASP Top 10 Checklist
### 1. Broken Access Control
```csharp
// :x: VULNERABLE - No authorization check
[HttpGet("{id}")]
public async Task<Employee> Get(string id)
=> await repo.GetByIdAsync(id);
// :white_check_mark: SECURE - Authorization enforced
[HttpGet("{id}")]
[PlatformAuthorize(Roles.Manager, Roles.Admin)]
public async Task<Employee> Get(string id)
{
var employee = await repo.GetByIdAsync(id);
// Verify access to this specific resource
if (employee.CompanyId != RequestContext.CurrentCompanyId())
throw new UnauthorizedAccessException();
return employee;
}
```
### 2. Cryptographic Failures
```csharp
// :x: VULNERABLE - Storing plain text secrets
var apiKey = config["ApiKey"];
await SaveToDatabase(apiKey);
// :white_check_mark: SECURE - Encrypt sensitive data
var encryptedKey = encryptionService.Encrypt(apiKey);
await SaveToDatabase(encryptedKey);
// Use secure configuration
var apiKey = config.GetValue<string>("ApiKey"); // From Azure Key Vault
```
### 3. Injection
```csharp
// :x: VULNERABLE - SQL Injection
var sql = $"SELECT * FROM Users WHERE Name = '{name}'";
await context.Database.ExecuteSqlRawAsync(sql);
// :white_check_mark: SECURE - Parameterized query
await context.Users.Where(u => u.Name == name).ToListAsync();
// Or if raw SQL needed:
await context.Database.ExecuteSqlRawAsync(
"SELECT * FROM Users WHERE Name = @p0", name);
```
### 4. Insecure Design
```csharp
// :x: VULNERABLE - No rate limiting
[HttpPost("login")]
public async Task<IActionResult> Login(LoginRequest request)
=> await authService.Login(request);
// :white_check_mark: SECURE - Rate limiting applied
[HttpPost("login")]
[RateLimit(MaxRequests = 5, WindowSeconds = 60)]
public async Task<IActionResult> Login(LoginRequest request)
=> await authService.Login(request);
```
### 5. Security Misconfiguration
```csharp
// :x: VULNERABLE - Detailed errors in production
app.UseDeveloperExceptionPage(); // Exposes stack traces
// :white_check_mark: SECURE - Generic errors in production
if (env.IsDevelopment())
app.UseDeveloperExceptionPage();
else
app.UseExceptionHandler("/Error");
```
### 6. Vulnerable Components
```bash
# Check for vulnerable packages
dotnet list package --vulnerable
# Update vulnerable packages
dotnet outdated
```
### 7. Authentication Failures
```csharp
// :x: VULNERABLE - Weak password policy
if (password.Length >= 4) { }
// :white_check_mark: SECURE - Strong password policy
public class PasswordPolicy
{
public bool Validate(string password)
{
return password.Length >= 12
&& password.Any(char.IsUpper)
&& password.Any(char.IsLower)
&& password.Any(char.IsDigit)
&& password.Any(c => !char.IsLetterOrDigit(c));
}
}
```
### 8. Data Integrity Failures
```csharp
// :x: VULNERABLE - No validation of external data
var userData = await externalApi.GetUserAsync(id);
await SaveToDatabase(userData);
// :white_check_mark: SECURE - Validate external data
var userData = await externalApi.GetUserAsync(id);
var validation = userData.Validate();
if (!validation.IsValid)
throw new ValidationException(validation.Errors);
await SaveToDatabase(userData);
```
### 9. Logging Failures
```csharp
// :x: VULNERABLE - Logging sensitive data
Logger.LogInformation("User login: {Email} {Password}", email, password);
// :white_check_mark: SECURE - Redact sensitive data
Logger.LogInformation("User login: {Email}", email);
// Never log passwords, tokens, or PII
```
### 10. SSRF (Server-Side Request Forgery)
```csharp
// :x: VULNERABLE - User-controlled URL
var url = request.WebhookUrl;
await httpClient.GetAsync(url); // Could access internal services
// :white_check_mark: SECURE - Validate and restrict URLs
if (!IsAllowedUrl(request.WebhookUrl))
throw new SecurityException("Invalid webhook URL");
private bool IsAllowedUrl(string url)
{
var uri = new Uri(url);
return AllowedDomains.Contains(uri.Host)
&& uri.Scheme == "https";
}
```
## Authorization Patterns
### Controller Level
```csharp
[ApiController]
[Route("api/[controller]")]
[PlatformAuthorize] // Require authentication
public class EmployeeController : PlatformBaseController
{
[HttpPost]
[PlatformAuthorize(Roles.Admin, Roles.Manager)] // Role-based
public async Task<IActionResult> Create(...)
}
```
### Handler Level
```csharp
protected override async Task<PlatformValidationResult<T>> ValidateRequestAsync(
PlatformValidationResult<T> validation, CancellationToken ct)
{
return await validation
// Check role
.And(_ => RequestContext.HasRole(Roles.Admin), "Admin role required")
// Check company access
.And(_ => entity.CompanyId == RequestContext.CurrentCompanyId(),
"Access denied: different company")
// Check ownership
.And(_ => entity.OwnerId == RequestContext.UserId() ||
RequestContext.HasRole(Roles.Admin),
"Access denied: not owner");
}
```
### Query Level
```csharp
// Always filter by company/user context
var employees = await repo.GetAllAsync(
e => e.CompanyId == RequestContext.CurrentCompanyId()
&& (e.IsPublic || e.OwnerId == RequestContext.UserId()));
```
## Data Protection
### Sensitive Data Handling
```csharp
public class SensitiveDataHandler
{
// Encrypt at rest
public string EncryptForStorage(string plainText)
=> encryptionService.Encrypt(plainText);
// Mask for display
public string MaskEmail(string email)
{
var parts = email.Split('@');
return $"{parts[0][0]}***@{parts[1]}";
}
// Never log sensitive data
public void LogUserAction(User user)
{
Logger.LogInformation("User action: {UserId}", user.Id);
// NOT: Logger.Log("User: {Email} {Phone}", user.Email, user.Phone);
}
}
```
### File Upload Security
```csharp
public async Task<IActionResult> Upload(IFormFile file)
{
// Validate file type
var allowedTypes = new[] { ".pdf", ".docx", ".xlsx" };
var extension = Path.GetExtension(file.FileName).ToLowerInvariant();
if (!allowedTypes.Contains(extension))
return BadRequest("Invalid file type");
// Validate file size
if (file.Length > 10 * 1024 * 1024) // 10MB
return BadRequest("File too large");
// Scan for malware (if available)
if (!await antivirusService.ScanAsync(file))
return BadRequest("File rejected by security scan");
// Generate safe filename
var safeFileName = $"{Guid.NewGuid()}{extension}";
// Save to isolated storage
await fileService.SaveAsync(file, safeFileName);
return Ok();
}
```
## Security Scanning Commands
```bash
# .NET vulnerability scan
dotnet list package --vulnerable
# Outdated packages
dotnet outdated
# Secret scanning
grep -r "password\|secret\|apikey" --include="*.cs" --include="*.json"
# Hardcoded credentials
grep -r "Password=\"" --include="*.cs"
grep -r "connectionString.*password" --include="*.json"
```
## Security Review Checklist
### Authentication
- [ ] Strong password policy enforced
- [ ] Account lockout after failed attempts
- [ ] Secure session management
- [ ] JWT tokens properly validated
- [ ] Refresh token rotation
### Authorization
- [ ] All endpoints require authentication
- [ ] Role-based access control implemented
- [ ] Resource-level permissions checked
- [ ] No privilege escalation possible
### Input Validation
- [ ] All inputs validated
- [ ] SQL injection prevented (parameterized queries)
- [ ] XSS prevented (output encoding)
- [ ] File uploads validated
- [ ] URL validation for redirects
### Data Protection
- [ ] Sensitive data encrypted at rest
- [ ] HTTPS enforced
- [ ] No sensitive data in logs
- [ ] Proper error handling (no stack traces)
### Dependencies
- [ ] No known vulnerable packages
- [ ] Dependencies regularly updated
- [ ] Third-party code reviewed
## Anti-Patterns to AVOID
:x: **Trusting client input**
```csharp
var isAdmin = request.IsAdmin; // User-supplied!
```
:x: **Exposing internal errors**
```csharp
catch (Exception ex) { return BadRequest(ex.ToString()); }
```
:x: **Hardcoded secrets**
```csharp
var apiKey = "sk_live_xxxxx";
```
:x: **Insufficient logging**
```csharp
// No audit trail for sensitive operations
await DeleteAllUsers();
```
## Verification Checklist
- [ ] OWASP Top 10 reviewed
- [ ] Authentication/authorization verified
- [ ] Input validation complete
- [ ] Sensitive data protected
- [ ] No hardcoded secrets
- [ ] Logging appropriate (no PII)
- [ ] Dependencies scannedRelated Skills
code-archaeologist
Deep historical context analysis for code evolution, risk assessment, and pattern compliance. Use BEFORE modifying any code to detect reverts, hotspots, god objects, and required patterns. Prevents repeating past mistakes by surfacing what was tried before and why it failed.
Build Your Cloud Security Skill
Create your cloud security skill in one prompt, then learn to improve it throughout the chapter
azure-security-keyvault-keys-dotnet
Azure Key Vault Keys SDK for .NET. Client library for managing cryptographic keys in Azure Key Vault and Managed HSM. Use for key creation, rotation, encryption, decryption, signing, and verification.
aws-security-audit
Comprehensive AWS security posture assessment using AWS CLI and security best practices
awesome-copilot-root-stackhawk-security-onboarding
Automatically set up StackHawk security testing for your repository with generated configuration and GitHub Actions workflow Use when: the task directly matches stackhawk security onboarding responsibilities within plugin awesome-copilot-root. Do not use when: a more specific framework or task-focused skill is clearly a better match.
astro-security
Security patterns for Astro lead generation websites on Cloudflare. Forms, headers, bot protection, GDPR. Use for any production lead gen site.
architecture-auditor
Architecture audit and analysis specialist for Modular Monoliths. **ALWAYS use when reviewing codebase architecture, evaluating bounded contexts, assessing shared kernel size, detecting "Core Obesity Syndrome", or comparing implementation against ADR-0001 and anti-patterns guide.** Use proactively when user asks about context isolation, cross-context coupling, or shared kernel growth. Examples - "audit contexts structure", "check shared kernel size", "find cross-context imports", "detect base classes", "review bounded context isolation", "check for Core Obesity".
architecting-security
Design comprehensive security architectures using defense-in-depth, zero trust principles, threat modeling (STRIDE, PASTA), and control frameworks (NIST CSF, CIS Controls, ISO 27001). Use when designing security for new systems, auditing existing architectures, or establishing security governance programs.
appwrite-security-operations
Production security operations for Appwrite services. Use when defining security quality gates, runtime hardening, API key lifecycle management, dependency vulnerability control, and incident response workflows.
application-security
Secure applications against common vulnerabilities. Use when reviewing code for security, implementing security controls, or hardening applications. Covers OWASP Top 10.
api-security-testing
API security testing workflow for REST and GraphQL APIs covering authentication, authorization, rate limiting, input validation, and security best practices.
annas-archive-ebooks
Use when needing to look up book content, find a book by title/author, download an ebook, or reference material from a published book. Triggers on book lookups, ebook downloads, "find the book", "get the PDF/EPUB of". Downloads produce PDF/EPUB/MOBI files - use ebook-extractor skill to convert to text.