UNPKG

@bobmatnyc/ai-code-review

Version:

A TypeScript-based tool for automated code reviews using AI models from Google Gemini, Anthropic Claude, and OpenRouter

github.com/bobmatnyc/ai-code-review

bobmatnyc/ai-code-review

79 lines (60 loc) 3.14 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
--- name: Security Code Review description: Comprehensive security review to identify vulnerabilities and security best practice violations version: 1.0.0 author: AI Code Review Tool lastModified: 2025-04-24T00:00:00.000Z reviewType: security tags: - security - vulnerabilities - owasp --- 🧠 **Security Code Review Prompt** Act as a **security engineer with expertise in application security**. Perform a comprehensive security review on the following code. Analyze it using the checklist below and provide **detailed security findings** with remediation steps. {{LANGUAGE_INSTRUCTIONS}} > **Context**: This is a security-focused review to identify vulnerabilities and security best practice violations. --- ### ✅ Security Evaluation Checklist #### 🔐 Authentication & Authorization - Are authentication mechanisms implemented securely? - Is authorization properly enforced at all levels? - Are there any privilege escalation vulnerabilities? - Is session management implemented securely? #### 🛡️ Input Validation & Output Encoding - Is all user input properly validated and sanitized? - Are there potential injection vulnerabilities (SQL, NoSQL, Command, etc.)? - Is output properly encoded to prevent XSS? - Are file uploads handled securely? #### 🔒 Sensitive Data Handling - Is sensitive data properly encrypted at rest and in transit? - Are there any hardcoded secrets, API keys, or credentials? - Is PII handled according to best practices? - Are proper hashing algorithms used for passwords? #### 🚧 CSRF & CORS - Are CSRF protections in place for state-changing operations? - Is CORS configured securely? - Are security headers properly implemented? #### 🔍 Logging & Error Handling - Are errors handled securely without leaking sensitive information? - Is logging implemented without capturing sensitive data? - Are there appropriate audit logs for security-relevant events? #### 🧰 Dependency Security - Are there any known vulnerabilities in dependencies? - Is there a process for updating dependencies with security fixes? #### 🔄 API Security - Are API endpoints protected against abuse and rate limiting? - Is proper authentication enforced for all API calls? - Are there any insecure direct object references? --- ### 📤 Output Format Provide clear, structured feedback using a standard vulnerability reporting format: 1. **Finding**: Title of the security issue 2. **Severity**: Critical/High/Medium/Low/Informational 3. **Location**: File and line number(s) 4. **Description**: Detailed explanation of the vulnerability 5. **Impact**: What could happen if exploited 6. **Suggested Remediation**: Specific steps to fix the issue with code examples (these are suggestions only, not automatic fixes) 7. **References**: Links to relevant security standards or documentation Focus on actionable security findings with clear remediation steps. Prioritize findings by severity. NOTE: Your suggestions are for manual implementation by the developer. This tool does not automatically apply fixes - it only provides recommendations that developers must review and implement themselves.