Oh My CodeX v0.14.0

security-review

Dispatch the security-reviewer agent for an OWASP-aligned sweep covering authn, authz, injection, and trust boundaries.

security-review routes your changed code to a security-specialist agent that applies an OWASP-aligned checklist. It looks for authentication and authorisation gaps, injection vectors, insecure data handling, secrets in code, and trust boundary violations — the issues that are easy to miss in a general code review.

Purpose

Security concerns require a different lens than correctness concerns. security-review uses an agent trained on vulnerability patterns: it does not just check whether the code works, it checks whether it can be abused. Use it before merging any change that touches auth flows, external input handling, permissions, or sensitive data.

How to invoke

Natural language triggers: "security review", "security check", "check for vulnerabilities", "OWASP review".

Explicit slash: $security-review

codex
> security review the new OAuth flow I just implemented
codex
> security-review src/api/upload.ts — it handles user file uploads

What it does

  • Identifies changed files and their security-relevant surface area
  • Applies an OWASP Top 10 checklist adapted to the language and framework in use
  • Checks authentication: token validation, session management, and credential handling
  • Checks authorisation: permission checks, privilege escalation paths, and IDOR risks
  • Flags injection vectors, insecure deserialization, and secrets committed to source
  • Reports findings with severity (critical, high, medium, low) and remediation guidance
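The shape of that pipeline (changed files in, checklist applied per line, findings out with severity, OWASP category and file:line) can be modelled with a few regex checks. The following is an added illustration written for this page, not the skill's own code; the file contents and the `AKIA…` key value are constructed samples, and the three patterns are deliberately narrow stand-ins for the agent's context-aware analysis.

```python
import re
from dataclasses import dataclass

# Constructed sample input standing in for the changed files the skill collects
# from the diff: path -> content. Illustrative snippets, not real project code.
CHANGED_FILES = {
    "src/config.ts": 'const apiKey = "AKIAEXAMPLEKEY000000";\n',
    "src/api/upload.ts": (
        "const name = req.query.name;\n"
        "fs.writeFileSync(`/uploads/${name}`, data);\n"
        "db.query(`SELECT * FROM files WHERE owner = '${req.query.user}'`);\n"
    ),
}

SEVERITY_ORDER = ["critical", "high", "medium", "low"]  # order used in the report

@dataclass
class Finding:
    severity: str
    category: str   # OWASP Top 10 (2021) category the check maps to
    path: str
    line: int
    message: str    # remediation guidance

# Checklist entries: (severity, OWASP category, pattern, remediation message).
# Hypothetical string heuristics; the real reviewer reasons about context, not regex.
CHECKS = [
    ("critical", "A07 Identification and Authentication Failures", re.compile(r"AKIA[0-9A-Z]{16}"),
     "AWS access key committed to source; rotate it and load from a secret store"),
    ("high", "A03 Injection", re.compile(r"db\.query\(`[^`]*\$\{"),
     "SQL built by string interpolation; use parameterised queries"),
    ("high", "A01 Broken Access Control", re.compile(r"writeFileSync\(`[^`]*\$\{"),
     "Path derived from request data; normalise it and confine it to the upload directory"),
]

def review(files: dict) -> list:
    """Run every check over every line of every changed file; return findings sorted by severity."""
    findings = []
    for path, content in files.items():
        for lineno, text in enumerate(content.splitlines(), start=1):
            for severity, category, pattern, message in CHECKS:
                if pattern.search(text):
                    findings.append(Finding(severity, category, path, lineno, message))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER.index(f.severity), f.path, f.line))

def report(findings: list) -> str:
    """Render findings grouped by severity with file:line references, like the skill's report."""
    lines = []
    for sev in SEVERITY_ORDER:
        group = [f for f in findings if f.severity == sev]
        if group:
            lines.append(f"[{sev.upper()}] {len(group)} finding(s)")
            lines.extend(f"  {f.path}:{f.line}  {f.category}: {f.message}" for f in group)
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(review(CHANGED_FILES)))
```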

Outputs

  • Security review report with findings grouped by severity and OWASP category
  • Specific file and line references for each finding
  • Remediation guidance for critical and high severity issues

Related skills

  • $review — composite router that includes security-review as one of its passes
  • $code-review — correctness and API contract review to run alongside security
  • $analyze — root-cause investigation if a security finding points to a deeper bug