Can it audit cloud and container configurations?

Yes, the skill includes infrastructure guides for Docker, Kubernetes manifests, Terraform scripts, and CI/CD pipeline security.

What is the difference between High and Low confidence findings?

High confidence findings are confirmed vulnerable patterns with clear attacker-controlled input. Low confidence findings are theoretical or involve defense-in-depth and are generally not reported to minimize noise.

How does this skill reduce false positive security alerts?

The skill follows a 'Research Before Flagging' workflow, tracing data flows to ensure a potential vulnerability is actually linked to attacker-controlled input rather than safe, server-side constants.

Which programming languages and frameworks are supported?

It includes specialized security patterns for Python (Django, Flask, FastAPI), JavaScript (Node, React, Vue), Go, Rust, and Java (Spring).

Security Code Review

Name: Security Code Review
Author: getsentry

bygetsentry

•

118

•

安全与测试

Performs systematic security audits to identify exploitable vulnerabilities like XSS, SQL injection, and authentication flaws with high-confidence reporting.

The Security Review skill transforms Claude into a sophisticated security auditor capable of performing deep-dive analysis on source code and infrastructure configurations. Based on OWASP standards, it goes beyond simple pattern matching by tracing data flows to distinguish between server-controlled constants and dangerous attacker-controlled inputs. This skill is designed to provide actionable, severity-ranked findings for web applications, APIs, and cloud infrastructure, ensuring that developers can identify and fix critical vulnerabilities like injection, broken access control, and hardcoded secrets before they reach production.

主要功能

01Deep data-flow analysis to trace attacker-controlled inputs across the entire codebase.

02Confidence-based reporting system that prioritizes exploitable risks over theoretical noise.

03Specialized security guides for Python, JavaScript/TypeScript, Go, Rust, and Java.

04118 GitHub stars

05Comprehensive coverage of OWASP Top 10 vulnerabilities including XSS, CSRF, and SQL injection.

06Infrastructure-as-Code (IaC) auditing for Docker, Kubernetes, Terraform, and CI/CD pipelines.

使用场景

01Verifying framework-specific security mitigations like Django auto-escaping or React's innerHTML protections.

02Performing automated security audits of pull requests and new feature implementations.

03Scanning configuration files and environment variables for hardcoded secrets and sensitive data.

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add getsentry/dotagents security-review

For use in Claude.ai and ChatGPT

Download Skill