Security-Focused Code Review
Performs a deep security audit of source code, checking for OWASP Top 10 vulnerabilities and common exploits.
SKILL.md
---
description: Perform a security-focused code review checking for common vulnerabilities
allowed-tools: Read, Bash(ls), Bash(cat *), Glob, Grep
---
# Security Code Review
Perform a thorough security audit of the specified code, focusing on vulnerabilities from the OWASP Top 10 and common exploit patterns.
## Arguments
- `$ARGUMENTS` — file path, directory, or description of the area to review
## Steps
1. Read the target files specified in `$ARGUMENTS`.
2. If a directory is specified, identify security-critical files first:
- Authentication and authorization handlers
- Input parsing and validation
- Database query construction
- File upload/download handlers
- API route handlers
- Configuration files with secrets
3. Analyze each file against the following checklist.
## Security checklist
### Injection (SQL, NoSQL, Command, LDAP)
- Are user inputs used directly in queries without parameterization?
- Are shell commands constructed with string concatenation?
- Are LDAP or XPath queries built from untrusted input?
### Broken Authentication
- Are passwords hashed with a strong algorithm (bcrypt, argon2)?
- Are session tokens sufficiently random and rotated on login?
- Is there rate limiting on authentication endpoints?
- Are JWTs validated properly (algorithm, expiry, issuer)?
### Sensitive Data Exposure
- Are secrets hardcoded in source files?
- Is sensitive data logged or included in error messages?
- Is PII encrypted at rest and in transit?
- Are API keys or tokens committed to version control?
### Cross-Site Scripting (XSS)
- Is user input rendered without escaping in HTML templates?
- Are `dangerouslySetInnerHTML` or equivalent used with untrusted data?
- Are Content-Security-Policy headers configured?
### Insecure Deserialization
- Is `JSON.parse` used on untrusted input without schema validation?
- Are objects deserialized from cookies or URL parameters?
### Access Control
- Are authorization checks present on every protected endpoint?
- Can users access other users' resources by changing IDs in URLs?
- Are admin endpoints properly gated?
## Output format
```markdown
## Security Review: <scope>
### Critical Vulnerabilities
🔴 **[CRITICAL]** file.ts:23 — SQL injection via string interpolation
`const query = \`SELECT * FROM users WHERE id = ${userId}\``
**Fix:** Use parameterized query: `db.query('SELECT * FROM users WHERE id = $1', [userId])`
### Warnings
🟡 **[WARNING]** auth.ts:45 — JWT secret loaded from environment without fallback validation
**Fix:** Add startup check that fails fast if JWT_SECRET is not set
### Informational
🔵 **[INFO]** config.ts:12 — Consider adding rate limiting to /api/login
### Summary
- Critical: X | Warnings: Y | Info: Z
- Overall risk assessment: LOW / MEDIUM / HIGH / CRITICAL
```
## Rules
- Always provide a concrete fix for each finding, not just a description.
- Prioritize findings by exploitability and impact.
- Do not flag issues that are mitigated by the framework (e.g. React auto-escapes JSX).
- Check `.env.example` to understand expected environment variables.
- If no vulnerabilities are found, explicitly state that and note what was checked.
How It Works
This skill turns the agent into a security auditor by providing a comprehensive checklist based on the OWASP Top 10. The structured checklist ensures consistent coverage — the agent will not forget to check for XSS just because a SQL injection issue was particularly interesting.
The key design decision is requiring concrete fixes alongside every finding. A security review that says "SQL injection found" without showing the fix creates work for the developer; one that provides the parameterized query alternative is immediately actionable.
The severity-tiered output format (Critical, Warning, Informational) helps teams prioritize remediation. The explicit instruction to not flag framework-mitigated issues prevents false positives that erode trust in the review process — for example, flagging XSS in React JSX where output is auto-escaped.
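The following is an added illustration, not part of the SKILL.md above: a minimal line-based detector for the first checklist item (SQL built by string interpolation or concatenation) run over constructed sample TypeScript sources, with each hit rendered in the skill's severity-tiered output format. File names, contents, and the regex heuristics are assumptions for the demonstration.

```javascript
// Constructed sample inputs (file names and contents are assumptions).
const SAMPLE_FILES = {
  "file.ts": [
    "export async function getUser(userId: string) {",
    "  const query = `SELECT * FROM users WHERE id = ${userId}`;",
    "  return db.query(query);",
    "}",
  ].join("\n"),
  "safe.ts": [
    "export async function getUser(userId: string) {",
    "  return db.query('SELECT * FROM users WHERE id = $1', [userId]);",
    "}",
  ].join("\n"),
};

// A template literal that starts with a SQL verb and embeds ${...}.
const SQL_TEMPLATE = /`\s*(select|insert|update|delete)\b[^`]*\$\{[^`]*`/i;
// A quoted SQL fragment concatenated with an identifier via `+`.
const SQL_CONCAT = /['"]\s*(select|insert|update|delete)\b[^'"]*['"]\s*\+\s*\w+/i;

// Scan one file's source; returns findings shaped like the skill's report entries.
function scanSource(fileName, source) {
  const findings = [];
  source.split("\n").forEach((line, idx) => {
    if (SQL_TEMPLATE.test(line) || SQL_CONCAT.test(line)) {
      findings.push({
        severity: "CRITICAL",
        file: fileName,
        line: idx + 1,
        title: "SQL injection via string interpolation",
        evidence: line.trim(),
        fix: "Use a parameterized query, e.g. db.query('... WHERE id = $1', [userId])",
      });
    }
  });
  return findings;
}

// Render a finding in the skill's output format (plain hyphen as separator).
function formatFinding(f) {
  return `🔴 **[${f.severity}]** ${f.file}:${f.line} - ${f.title}\n` +
         `    ${f.evidence}\n**Fix:** ${f.fix}`;
}

function reviewFiles(files) {
  return Object.entries(files).flatMap(([name, src]) => scanSource(name, src));
}

console.log(reviewFiles(SAMPLE_FILES).map(formatFinding).join("\n\n"));
```

The parameterized `safe.ts` version produces no finding, which matches the rule not to flag code that is already mitigated.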