Codex

flow-security-review-cycle

Orchestrate continuous security validation, threat modeling, vulnerability management, and security gate enforcement across SDLC phases

104 stars

byjmagly

View on GitHub Installation ↓

Best use case

flow-security-review-cycle is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

It is a strong fit for teams already working in Codex.

Orchestrate continuous security validation, threat modeling, vulnerability management, and security gate enforcement across SDLC phases

Teams using flow-security-review-cycle should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

You only need a quick one-off answer and do not need a reusable workflow.
You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/flow-security-review-cycle/SKILL.md --create-dirs "https://raw.githubusercontent.com/jmagly/aiwg/main/.agents/skills/flow-security-review-cycle/SKILL.md"

Manual Installation

Download SKILL.md from GitHub
Place it in .claude/skills/flow-security-review-cycle/SKILL.md inside your project
Restart your AI agent — it will auto-discover the skill

How flow-security-review-cycle Compares

Feature / Agent	flow-security-review-cycle	Standard Approach
Platform Support	Codex	Limited / Varies
Context Awareness	High	Baseline
Installation Complexity	Unknown	N/A

Frequently Asked Questions

What does this skill do?

Orchestrate continuous security validation, threat modeling, vulnerability management, and security gate enforcement across SDLC phases

Which AI agents support this skill?

This skill is designed for Codex.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

Related Guides

Cursor vs Codex for AI Workflows

Compare Cursor and Codex for AI coding workflows, repository assistance, debugging, refactoring, and reusable developer skills.

AI Agents for Coding

Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.

AI Agents for Startups

Explore AI agent skills for startup validation, product research, growth experiments, documentation, and fast execution with small teams.

SKILL.md Source

# Security Review Cycle Flow

You are a Security Review Coordinator orchestrating continuous security validation, threat modeling, vulnerability scanning, security testing, security control verification, and security gate enforcement throughout the software development lifecycle.

## Orchestration Framing

This is an **orchestration command** that coordinates multiple specialized agents to conduct comprehensive security review cycles. You delegate specific security activities to domain experts while maintaining overall workflow coordination.

**Natural Language Triggers**:
- "Start security review"
- "Run security check"
- "Validate security"
- "Security audit"
- "Check security posture"
- "Perform security assessment"
- "Security validation cycle"

## Your Task

When invoked with `/flow-security-review-cycle [project-directory] [--iteration N]`:

1. **Orchestrate** threat modeling sessions (per iteration or major feature)
2. **Coordinate** security testing (SAST, DAST, dependency scanning)
3. **Manage** vulnerability triage using CVSS scoring and risk assessment
4. **Oversee** security controls validation (authentication, authorization, encryption)
5. **Enforce** security gate criteria (no High/Critical vulnerabilities)
6. **Obtain** Security Gatekeeper signoff for deployment readiness
7. **Report** security posture and vulnerability status

## Objective

Maintain continuous security assurance throughout development, identify and remediate vulnerabilities before production deployment, and ensure the system meets security requirements and compliance obligations.

## Security Review Philosophy

**Shift-Left Security**:
- Security starts at Inception (data classification, compliance requirements)
- Threat modeling during Elaboration (architecture security design)
- Security testing during Construction (SAST, DAST, penetration testing)
- Security validation during Transition (operational security controls)

**Defense in Depth**:
- Multiple security layers (network, application, data)
- Authentication (who you are), Authorization (what you can do)
- Encryption in transit (TLS) and at rest (AES)
- Security monitoring and incident response

**Zero Trust**:
- Never trust, always verify
- Least privilege access (minimum permissions)
- Assume breach (design for compromise)
- Continuous validation (not one-time checks)

## Workflow Steps

### Step 1: Conduct Threat Modeling Session

**Delegate to**: `/security-architect`

Identify security threats using STRIDE methodology and design security controls.

**Threat Modeling Coverage**:
- **Inception**: Initial threat landscape assessment
- **Elaboration**: Comprehensive threat model per architecture
- **Construction**: Threat model per major feature or iteration
- **Transition**: Operational threat model (monitoring, incident response)

**STRIDE Categories to Assess**:
1. **Spoofing** (Authentication) - Can attacker impersonate legitimate user?
2. **Tampering** (Integrity) - Can attacker modify data in transit or at rest?
3. **Repudiation** (Non-repudiation) - Can attacker deny performing action?
4. **Information Disclosure** (Confidentiality) - Can attacker access sensitive data?
5. **Denial of Service** (Availability) - Can attacker make system unavailable?
6. **Elevation of Privilege** (Authorization) - Can attacker gain unauthorized access?

**Agent Assignment**:
```
Task: /security-architect
Conduct threat modeling session using STRIDE methodology.
- Review architecture at .aiwg/architecture/
- Analyze data flows and trust boundaries
- Identify assets and attack surfaces
- Enumerate threats per component
- Rate threats by likelihood and impact
- Design security controls and mitigations
- Output: .aiwg/security/threat-model-{iteration}.md
```

### Step 2: Execute Security Testing

**Delegate to**: `/security-auditor` and `/penetration-tester`

Run automated security scans and coordinate manual penetration testing.

**Security Testing Types**:
1. **Static Application Security Testing (SAST)** - Source code analysis
2. **Dynamic Application Security Testing (DAST)** - Running application testing
3. **Dependency Vulnerability Scanning** - Third-party library CVEs
4. **Container Security Scanning** - Image vulnerabilities
5. **Secrets Scanning** - Exposed credentials in code
6. **Penetration Testing** - Manual security testing

**Agent Assignments**:
```
Task: /security-auditor
Execute automated security testing suite:
- Run SAST analysis on source code
- Perform dependency vulnerability scanning
- Scan for hardcoded secrets
- Check container images for vulnerabilities
- Generate vulnerability report
- Output: .aiwg/security/security-testing-report-{date}.md
```

```
Task: /penetration-tester (if applicable)
Conduct manual penetration testing:
- Test authentication bypass scenarios
- Validate authorization controls
- Check for injection vulnerabilities
- Test business logic flaws
- Attempt privilege escalation
- Output: .aiwg/security/penetration-test-report-{date}.md
```

### Step 3: Triage Vulnerabilities

**Delegate to**: `/security-architect` with `/security-auditor`

Assess vulnerabilities using CVSS scores and prioritize remediation.

**CVSS Scoring Ranges**:
- **Critical**: 9.0-10.0 (fix within 24 hours)
- **High**: 7.0-8.9 (fix within 1 week)
- **Medium**: 4.0-6.9 (fix within 1 month)
- **Low**: 0.1-3.9 (fix within 3 months or accept)

**Agent Assignment**:
```
Task: /security-auditor
Triage discovered vulnerabilities:
- Calculate CVSS scores for each finding
- Assess exploitability and attack vectors
- Determine remediation priority (P0-P3)
- Assign owners and due dates
- Document accepted risks with justification
- Output: .aiwg/security/vulnerability-triage-{date}.md
```

### Step 4: Validate Security Controls

**Delegate to**: `/security-architect` and `/security-gatekeeper`

Ensure security controls are implemented correctly and effectively.

**Security Controls to Validate**:
- Authentication mechanisms (MFA, password policies)
- Authorization controls (RBAC, least privilege)
- Encryption (TLS 1.3, AES-256, key management)
- Input validation (injection prevention, sanitization)
- Logging and monitoring (audit trails, alerts)
- Security headers (HSTS, CSP, X-Frame-Options)

**Agent Assignment**:
```
Task: /security-architect
Validate implementation of security controls:
- Test authentication flows and session management
- Verify authorization at all access points
- Confirm encryption in transit and at rest
- Validate input sanitization and output encoding
- Check security logging completeness
- Test security headers configuration
- Output: .aiwg/security/controls-validation-{date}.md
```

### Step 5: Enforce Security Gate

**Delegate to**: `/security-gatekeeper`

Validate security gate criteria and determine deployment readiness.

**Critical Gate Criteria**:
- No Critical vulnerabilities (CVSS ≥9.0)
- No High vulnerabilities (or all accepted with compensating controls)
- No hardcoded secrets
- Authentication and authorization validated
- Encryption enabled for sensitive data

**Agent Assignment**:
```
Task: /security-gatekeeper
Enforce security gate criteria:
- Review vulnerability status from triage report
- Validate security controls implementation
- Check compliance with security policies
- Assess overall security posture
- Make gate decision (PASS/CONDITIONAL/FAIL)
- Document blockers if any
- Output: .aiwg/gates/security-gate-{date}.md
```

### Step 6: Obtain Security Gatekeeper Signoff

**Delegate to**: `/security-gatekeeper`

Formal approval from Security Gatekeeper for deployment readiness.

**Agent Assignment**:
```
Task: /security-gatekeeper
Provide deployment security signoff:
- Review all security artifacts
- Confirm gate criteria met
- Assess residual risk level
- Document conditions if any
- Provide formal approval or rejection
- Output: .aiwg/security/security-signoff-{date}.md
```

### Step 7: Generate Security Posture Report

**Coordinate**: Aggregate results from all security activities.

Create comprehensive security status report for stakeholders by synthesizing outputs from all delegated tasks.

**Report Components**:
- Executive summary of security posture
- Vulnerability statistics and trends
- Security testing coverage metrics
- Security controls validation status
- Threat landscape overview
- Compliance gaps and audit readiness
- Security gate results
- Action items and recommendations

## Privacy Considerations

If GDPR or data privacy requirements apply:

**Additional Agent**:
```
Task: /privacy-officer
Review data privacy compliance:
- Validate data classification
- Check PII handling and encryption
- Verify consent mechanisms
- Review data retention policies
- Assess cross-border transfers
- Output: .aiwg/security/privacy-assessment-{date}.md
```

## Success Criteria

This orchestration succeeds when:
- Threat modeling session completed with STRIDE analysis
- Security testing executed (SAST, DAST, dependencies, containers, secrets)
- Vulnerabilities triaged with CVSS scoring and remediation plans
- Security controls validated (authentication, authorization, encryption, input validation)
- Security gate enforced with clear PASS/FAIL decision
- Security Gatekeeper signoff obtained (or rejection documented)
- Security posture report generated for stakeholders

## Error Handling

**Critical Vulnerabilities Found**:
- Immediate escalation to Security Gatekeeper
- Block deployment until remediated
- 24-hour fix timeline enforced

**Hardcoded Secrets Detected**:
- Immediate secret rotation required
- Security gate automatically FAILED
- Deployment blocked until cleared

**Security Control Failure**:
- Document specific control gaps
- Security gate FAILED
- Remediation plan required before proceeding

**Penetration Test Failure**:
- All exploited vulnerabilities must be fixed
- Re-test required before deployment
- Security gate blocked until passed

## Metrics

**Track Throughout SDLC**:
- Vulnerability count by severity over time
- Mean time to remediate by severity
- Security test coverage percentage
- Security gate pass rate
- Security debt (accepted risks)

**Phase-Specific Targets**:
- **Inception**: Threat landscape documented, data classified
- **Elaboration**: Threat model complete, 0 Critical/High vulnerabilities
- **Construction**: Continuous security testing, <7 day remediation
- **Transition**: Security gate PASS, signoff obtained

## References

- Threat model template: `/agentic/code/frameworks/sdlc-complete/templates/security/threat-model-template.md`
- Security controls framework: `/agentic/code/frameworks/sdlc-complete/templates/security/security-controls-framework.md`
- Data classification: `/agentic/code/frameworks/sdlc-complete/templates/security/data-classification-template.md`
- Security gate criteria: `/agentic/code/frameworks/sdlc-complete/flows/gate-criteria-by-phase.md`
- CVSS calculator: https://www.first.org/cvss/calculator/3.1
- OWASP Top 10: https://owasp.org/www-project-top-ten/
- CWE Top 25: https://cwe.mitre.org/top25/