How does this skill reduce false positive security alerts?

It uses a strict research-first methodology that verifies if an input is truly attacker-controlled (like a request parameter) versus server-controlled (like an environment variable) before flagging an issue.

Which frameworks and languages are supported?

The skill includes specialized security guides for Python (Django/Flask), JavaScript (React/Node), Go, Rust, and Java (Spring), as well as cloud infrastructure tools like Docker and Kubernetes.

Does it provide remediation advice?

Every high-confidence finding includes a specific description of the risk, evidence from the code, and a recommended fix to resolve the vulnerability.

Can it detect hardcoded secrets and API keys?

Yes, it is designed to identify hardcoded passwords, API keys, AWS secrets, and private keys during the review process.

Security Review

Name: Security Review
Author: getsentry

bygetsentry

•

261

•

Security & Testing

Conducts systematic, confidence-based security audits to identify and remediate exploitable vulnerabilities in code and infrastructure.

The Security Review skill provides a professional-grade security auditing framework for Claude Code, designed to identify high-confidence vulnerabilities while minimizing false positives. It utilizes a research-first approach, tracing data flows from attacker-controlled inputs to sensitive sinks across various languages including Python, JavaScript, Go, and Rust. By leveraging OWASP-aligned patterns and infrastructure-specific guides for Docker, Kubernetes, and Terraform, this skill helps developers catch critical issues like injection, XSS, and broken authentication before they reach production.

Key Features

01Confidence-based reporting to prioritize exploitable vulnerabilities over theoretical risks

02Language-specific security guides for Django, React, Express, Spring, and more

03Automated detection of hardcoded secrets, weak cryptography, and unsafe deserialization

04Deep data-flow analysis to distinguish between attacker-controlled and server-controlled inputs

05Infrastructure-as-Code (IaC) auditing for Docker, K8s, Terraform, and CI/CD pipelines

06261 GitHub stars

Use Cases

01Performing a comprehensive security audit of a new feature or pull request before merging

02Scanning legacy codebases for OWASP Top 10 vulnerabilities like SQL injection and XSS

03Reviewing cloud infrastructure manifests and deployment scripts for security misconfigurations

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add getsentry/skills security-review

For use in Claude.ai and ChatGPT

Download Skill