code-security
Security guidelines for writing secure code. Use when writing code, reviewing code for vulnerabilities, or asking about secure coding practices like 'check for SQL injection' or 'review security'. IMPORTANT: Always consult this skill when writing or reviewing any code that handles user input, authentication, file operations, database queries, network requests, cryptography, or infrastructure configuration (Terraform, Kubernetes, Docker, GitHub Actions) — even if the user doesn't explicitly mention security. Also use when users ask to 'review my code', 'check this for bugs', or 'is this safe'.
Best use case
code-security is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using code-security should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in .claude/skills/code-security/SKILL.md inside your project
- Restart your AI agent — it will auto-discover the skill
How code-security Compares
| Feature / Agent | code-security | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Security guidelines for writing secure code. Use when writing code, reviewing code for vulnerabilities, or asking about secure coding practices like 'check for SQL injection' or 'review security'. IMPORTANT: Always consult this skill when writing or reviewing any code that handles user input, authentication, file operations, database queries, network requests, cryptography, or infrastructure configuration (Terraform, Kubernetes, Docker, GitHub Actions) — even if the user doesn't explicitly mention security. Also use when users ask to 'review my code', 'check this for bugs', or 'is this safe'.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
AI Agents for Coding
Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.
Cursor vs Codex for AI Workflows
Compare Cursor and Codex for AI coding workflows, repository assistance, debugging, refactoring, and reusable developer skills.
Best AI Skills for Claude
Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.
SKILL.md Source
# Code Security Guidelines

Comprehensive security rules for writing secure code across 15+ languages. Covers OWASP Top 10, infrastructure security, and coding best practices with 28 rule categories.

## How to Use This Skill

**Proactive mode** — When writing or reviewing code, automatically check for relevant vulnerabilities based on the language and patterns present. You don't need to wait for the user to ask about security.

**Reactive mode** — When the user asks about security, use the categories below to find the relevant rule file, then read it for detailed vulnerable/secure code examples.

### Workflow

1. Identify the language and what the code does (handles input? queries a DB? reads files?)
2. Check the relevant rules below — focus on Critical and High impact first
3. Read the specific rule file from `rules/` for detailed code examples in that language
4. Apply the secure patterns, or flag the vulnerable patterns if reviewing

## Language-Specific Priority Rules

When writing code in these languages, check these rules first:

| Language | Priority Rules to Check |
|----------|------------------------|
| **Python** | SQL injection, command injection, path traversal, code injection, SSRF, insecure crypto |
| **JavaScript/TypeScript** | XSS, prototype pollution, code injection, insecure transport, CSRF |
| **Java** | SQL injection, XXE, insecure deserialization, insecure crypto, SSRF |
| **Go** | SQL injection, command injection, path traversal, insecure transport |
| **C/C++** | Memory safety, unsafe functions, command injection, path traversal |
| **Ruby** | SQL injection, command injection, code injection, insecure deserialization |
| **PHP** | SQL injection, XSS, command injection, code injection, path traversal |
| **HCL/YAML** | Terraform (AWS/Azure/GCP), Kubernetes, Docker, GitHub Actions |

## Categories

### Critical Impact

- **SQL Injection** (`rules/sql-injection.md`) - Use parameterized queries, never concatenate user input
- **Command Injection** (`rules/command-injection.md`) - Avoid shell commands with user input, use safe APIs
- **XSS** (`rules/xss.md`) - Escape output, use framework protections
- **XXE** (`rules/xxe.md`) - Disable external entities in XML parsers
- **Path Traversal** (`rules/path-traversal.md`) - Validate and sanitize file paths
- **Insecure Deserialization** (`rules/insecure-deserialization.md`) - Never deserialize untrusted data
- **Code Injection** (`rules/code-injection.md`) - Never eval() user input
- **Hardcoded Secrets** (`rules/secrets.md`) - Use environment variables or secret managers
- **Memory Safety** (`rules/memory-safety.md`) - Prevent buffer overflows, use-after-free (C/C++)

### High Impact

- **Insecure Crypto** (`rules/insecure-crypto.md`) - Use SHA-256+, AES-256, avoid MD5/SHA1/DES
- **Insecure Transport** (`rules/insecure-transport.md`) - Use HTTPS, verify certificates
- **SSRF** (`rules/ssrf.md`) - Validate URLs, use allowlists
- **JWT Issues** (`rules/authentication-jwt.md`) - Always verify signatures
- **CSRF** (`rules/csrf.md`) - Use CSRF tokens on state-changing requests
- **Prototype Pollution** (`rules/prototype-pollution.md`) - Validate object keys in JavaScript

### Infrastructure

- **Terraform AWS/Azure/GCP** (`rules/terraform-aws.md`, `rules/terraform-azure.md`, `rules/terraform-gcp.md`) - Encryption, least privilege, no public access
- **Kubernetes** (`rules/kubernetes.md`) - No privileged containers, run as non-root
- **Docker** (`rules/docker.md`) - Don't run as root, pin image versions
- **GitHub Actions** (`rules/github-actions.md`) - Avoid script injection, pin action versions

### Medium/Low Impact

- **Regex DoS** (`rules/regex-dos.md`) - Avoid catastrophic backtracking
- **Race Conditions** (`rules/race-condition.md`) - Use proper synchronization
- **Correctness** (`rules/correctness.md`) - Avoid common logic bugs
- **Best Practices** (`rules/best-practice.md`) - General secure coding patterns

See `rules/_sections.md` for the full index with CWE/OWASP references.

## Quick Reference

| Vulnerability | Key Prevention |
|--------------|----------------|
| SQL Injection | Parameterized queries |
| XSS | Output encoding |
| Command Injection | Avoid shell, use APIs |
| Path Traversal | Validate paths |
| SSRF | URL allowlists |
| Secrets | Environment variables |
| Crypto | SHA-256, AES-256 |
Related Skills
llm-security
Security guidelines for LLM applications based on OWASP Top 10 for LLM 2025. Use when building LLM apps, reviewing AI security, implementing RAG systems, or asking about LLM vulnerabilities like 'prompt injection' or 'check LLM security'. IMPORTANT: Always consult this skill when building chatbots, AI agents, RAG pipelines, tool-using LLMs, agentic systems, or any application that calls an LLM API (OpenAI, Anthropic, Gemini, etc.) — even if the user doesn't explicitly mention security. Also use when users import 'openai', 'anthropic', 'langchain', 'llamaindex', or similar LLM libraries.
meet-the-agents
Registry of available specialist agents and their task domains. Load when delegating a task, selecting an agent, or unsure which agent to use.
gh
Load when executing GitHub tasks via the gh CLI: creating or reviewing pull requests, managing issues, checking CI runs, creating releases, searching GitHub, or making raw GitHub API calls.
semgrep
Run Semgrep static analysis scans and create custom detection rules. Use when asked to scan code with Semgrep, find security vulnerabilities, write custom YAML rules, or detect specific bug patterns. IMPORTANT: Also use this skill when users ask to 'scan for bugs', 'check code quality', 'find vulnerabilities', 'static analysis', 'lint for security', 'audit this code', or want to enforce coding standards — even if they don't mention Semgrep by name. Semgrep is the right tool for pattern-based code scanning across 30+ languages.
writing-clearly-and-concisely
Core writing rules for clear, concise prose. Load when writing any text a human will read.
prose-style-reference
Extended writing reference for documentation and content creation. Load for blog posts, READMEs, technical guides, and long-form writing.
perl-security
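Comprehensive Perl security guide covering taint mode, input validation, safe process execution, DBI parameterized queries, web security (XSS/SQLi/CSRF), and perlcritic security policies.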
laravel-security
Laravel security best practices for authn/authz, validation, CSRF, mass assignment, file uploads, secrets, rate limiting, and secure deployment.
springboot-security
Spring Security best practices for authn/authz, validation, CSRF, secrets, headers, rate limiting, and dependency security in Java Spring Boot services.
security-scan
Uses AgentShield to scan Claude Code configuration (the .claude/ directory) for security vulnerabilities, misconfigurations, and injection risks. Checks CLAUDE.md, settings.json, MCP servers, hooks, and agent definitions.
django-security
Django security best practices, authentication, authorization, CSRF protection, SQL injection prevention, XSS prevention, and secure deployment configurations.
security-review
Use this skill when adding authentication, handling user input, working with secrets, creating API endpoints, or implementing payment/sensitive features. Provides comprehensive security checklist and patterns.