# Security PR Checklist Skill

Standardized security review for pull requests.

## PR Security Checklist

### Security Review Checklist
#### Authentication & Authorization
- [ ] No hardcoded credentials (passwords, API keys, tokens, private keys) in code, config, or test fixtures
- [ ] Authorization checks on every endpoint, including new routes, background jobs, and object-level access (no IDOR)
- [ ] Session management is secure: session ID rotated on login, server-side expiry, logout invalidates the session
- [ ] Rate limiting (or lockout/backoff) on login, password reset, MFA, and token endpoints
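One way to implement the rate-limiting item above, as an added illustration that is not part of the original checklist. It keys on both the client IP and the target username, so an attacker can neither spray one account from many IPs nor many accounts from one IP. The class name, limits and the injectable `clock` are assumptions for the example.

```python
"""Sliding-window rate limiter for authentication endpoints (added example)."""
from collections import deque
import time


class AuthRateLimiter:
    """At most `limit` attempts per `window` seconds, per IP and per username.

    `clock` is injectable so the behaviour can be tested without sleeping.
    """

    def __init__(self, limit=5, window=60.0, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self._attempts = {}  # key -> deque of attempt timestamps

    def _allow(self, key, now):
        q = self._attempts.setdefault(key, deque())
        # Drop attempts that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

    def check(self, ip, username):
        """Return True if the login attempt may proceed, False if it is throttled.

        Both counters are evaluated (not short-circuited) so that each
        dimension records the attempt; a denial on either blocks it.
        """
        now = self.clock()
        ip_ok = self._allow(("ip", ip), now)
        user_ok = self._allow(("user", username.lower()), now)
        return ip_ok and user_ok


if __name__ == "__main__":
    limiter = AuthRateLimiter(limit=3, window=60.0)
    for attempt in range(5):
        print(attempt + 1, limiter.check("203.0.113.7", "alice"))
```

In a multi-instance deployment the counters must live in a shared store (a cache such as Redis) rather than in process memory, otherwise each replica enforces its own limit. Return a 429 to the client and log the throttling event; do not reveal whether the username exists.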
#### Input Validation
- [ ] All inputs validated server-side against an allowlist (type, length, range, format), including headers, path parameters, and file uploads
- [ ] Output encoded for the context it is rendered in (HTML body, attribute, JavaScript, URL)
- [ ] No SQL injection: queries use bound parameters or an ORM, never string concatenation of user input
- [ ] No XSS: no unescaped user input reaches templates, `innerHTML`, or inline scripts
#### Data Protection
- [ ] Sensitive data encrypted at rest, with keys managed outside the application (no hand-rolled crypto)
- [ ] HTTPS enforced: HTTP redirects to HTTPS and `Strict-Transport-Security` is set
- [ ] No PII, credentials, or tokens in logs (redact before logging)
- [ ] Cookies set with `Secure`, `HttpOnly`, and `SameSite=Lax` or `Strict` (consider the `__Host-` prefix for session cookies)
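A small response-header check covering the HTTPS-enforcement and secure-cookie items, added here as an example and not part of the original checklist. It parses one `Set-Cookie` value and one `Strict-Transport-Security` value and returns the findings a reviewer would raise. The function names and the one-year `max-age` threshold are assumptions for the example; the header strings in the `__main__` block are constructed.

```python
"""Checks for Set-Cookie and HSTS headers (added example)."""

ONE_YEAR = 31536000  # seconds; common minimum for a production HSTS policy


def _attrs(header_value):
    """Split 'k=v; k2; k3=v3' into a lowercase-keyed dict (value '' if absent)."""
    out = {}
    for part in header_value.split(";"):
        k, _, v = part.strip().partition("=")
        if k:
            out[k.strip().lower()] = v.strip()
    return out


def check_set_cookie(header_value):
    """Return a list of findings for one Set-Cookie header value (empty = OK)."""
    first, _, rest = header_value.partition(";")
    name = first.split("=", 1)[0].strip()
    attrs = _attrs(rest)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    samesite = attrs.get("samesite", "").lower()
    if samesite == "none":
        findings.append("SameSite=None needs justification")
    elif samesite not in ("lax", "strict"):
        findings.append("SameSite should be Lax or Strict")
    # __Host- cookies must be Secure, have Path=/ and carry no Domain attribute.
    if name.startswith("__Host-") and (
        "secure" not in attrs or attrs.get("path") != "/" or "domain" in attrs
    ):
        findings.append("__Host- prefix requirements not met")
    return findings


def check_hsts(header_value):
    """Return findings for a Strict-Transport-Security header; None means absent."""
    if header_value is None:
        return ["missing Strict-Transport-Security"]
    directives = _attrs(header_value)
    findings = []
    try:
        max_age = int(directives.get("max-age", "0"))
    except ValueError:
        max_age = 0
    if max_age < ONE_YEAR:
        findings.append("max-age below one year")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains not set")
    return findings


if __name__ == "__main__":
    # Constructed headers, one weak and one acceptable.
    print(check_set_cookie("session=abc; Path=/"))
    print(check_set_cookie("__Host-session=abc; Path=/; Secure; HttpOnly; SameSite=Strict"))
    print(check_hsts("max-age=300"))
    print(check_hsts("max-age=31536000; includeSubDomains"))
```

Run it against the headers the PR's endpoints actually emit (a captured response in a test is enough); a cookie that sets `SameSite=None` can be legitimate for cross-site flows, which is why it is flagged for justification rather than rejected outright.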
#### Dependencies
- [ ] No new high/critical vulnerabilities reported by the dependency scanner for added or upgraded packages
- [ ] Dependencies up to date and pinned through a committed lockfile
- [ ] No suspicious packages: check for typosquatted names, newly published or unmaintained packages, and unexpected install scripts
#### Secrets Management
- [ ] No secrets in code, including commit history, test fixtures, and sample configs
- [ ] Secrets read at runtime from environment variables or a secret manager, never from literals
- [ ] `.env` files and other local secret files listed in `.gitignore`
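The "no hardcoded credentials" item in the Authentication section and the "no secrets in code" item above are the same check, and it is one that belongs in CI. The following scanner, added as an example and not part of the original page, walks a unified diff and reports only added lines that match a few credential patterns, so it catches new secrets without re-flagging the whole repository. The pattern set and the diff are constructed for the example; real deployments use a dedicated secret scanner with a far larger rule set, and this is the shape of the check rather than a substitute for one.

```python
"""Scan the added lines of a unified diff for credential-like strings (added example)."""
import re

# Constructed rule set. Real scanners carry hundreds of such patterns.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    # A quoted literal of 8+ chars assigned to a password/secret/key/token name.
    # No leading \b so that names like DB_PASSWORD still match.
    "generic_assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"][^'\"]{8,}['\"]"
    ),
}

HUNK_HEADER = re.compile(r"@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def scan_diff(diff_text):
    """Return (file, new_line_number, rule_name) for each added line that matches."""
    findings = []
    current_file = None
    line_no = 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            current_file = line[4:].strip()
            if current_file.startswith("b/"):
                current_file = current_file[2:]
            continue
        if line.startswith("--- "):
            continue
        m = HUNK_HEADER.match(line)
        if m:
            line_no = int(m.group(1))  # first line number on the new side
            continue
        if line.startswith("+"):
            content = line[1:]
            for rule, pattern in SECRET_PATTERNS.items():
                if pattern.search(content):
                    findings.append((current_file, line_no, rule))
            line_no += 1
        elif line.startswith("-"):
            continue  # removed line: consumes no new-side line number
        else:
            line_no += 1  # unchanged context line
    return findings


# Constructed diff: one bad config change and one committed private key.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,5 @@
 import os
-DB_PASSWORD = os.environ["DB_PASSWORD"]
+DB_PASSWORD = "hunter2hunter2"
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+API_KEY = os.environ["API_KEY"]
 DEBUG = False
diff --git a/deploy/id_rsa b/deploy/id_rsa
new file mode 100644
--- /dev/null
+++ b/deploy/id_rsa
@@ -0,0 +1,2 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAA
"""

if __name__ == "__main__":
    for path, lineno, rule in scan_diff(SAMPLE_DIFF):
        print(f"{path}:{lineno}: {rule}")
```

Wire it into CI as a blocking check on `git diff base...head`, and treat any match as a leaked secret: rotate it, then remove it. Deleting the line in a follow-up commit does not remove it from history.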
#### Error Handling
- [ ] No sensitive information (stack traces, SQL text, internal paths, configuration) in error responses
- [ ] Generic error messages to the client; detailed diagnostics only in server-side logs
- [ ] Security-relevant events (authentication failures, access denials, validation rejections) logged with enough context to investigate, and without secrets
## Output Checklist
- [ ] PR template created
- [ ] Required security checks
- [ ] Common pitfalls documented
- [ ] Automated checks in CI
- [ ] Review guidelines