Agent skill

commit-security-scan

Scan code changes for security vulnerabilities using Bug Hunter-native artifacts and STRIDE context. Use whenever the user asks for PR security review, commit-diff scanning, staged-change security checks, branch-comparison security review, or pre-merge security analysis of changed code.

View SKILL.md on GitHub Repository
Stars 114
Forks 6

Install this agent skill to your Project

npx add-skill https://github.com/codexstar69/bug-hunter/tree/main/skills/commit-security-scan

SKILL.md

Commit Security Scan

This is a bundled local Bug Hunter companion skill. It is portable and self-contained: use .bug-hunter/* artifacts, never .factory/* paths.

Purpose

Review changed code for security issues only. This skill is optimized for:

  • PR review
  • staged diff review
  • branch diff review
  • commit / commit-range security scanning

Inputs

Resolve the scan scope from the user request:

  • PR review → use scripts/pr-scope.cjs
  • staged review → use git diff --cached --name-only
  • branch diff → use git diff --name-only <base>...<head>
  • commit range → use git diff --name-only <base>..<head>

Workflow

  1. Ensure threat-model context exists.

    • Preferred artifacts:
      • .bug-hunter/threat-model.md
      • .bug-hunter/security-config.json
    • If missing, run the bundled threat-model-generation skill first.

  2. Resolve the changed-file scope.

  3. Read the full contents of the changed source files, not just the patch.

  4. Focus on STRIDE-oriented issues in changed code:

    • Spoofing: auth/session/token mistakes
    • Tampering: SQLi, XSS, path traversal, command injection, mass assignment
    • Repudiation: security-sensitive actions with no auditability
    • Information Disclosure: IDOR, secret exposure, verbose errors
    • DoS: unbounded input, missing limits, expensive regex/queries
    • Elevation of Privilege: missing authorization, role bypass, privilege escalation

  5. Reuse Bug Hunter-native security conventions:

    • findings should be compatible with .bug-hunter/findings.json
    • use STRIDE + CWE labels
    • include confidence scores

  6. If the user wants only a focused security diff review, stop after the findings report. If the user wants deeper validation, hand off to the bundled vulnerability-validation skill.

Output

Preferred outputs:

  • .bug-hunter/findings.json when integrating with the main Bug Hunter pipeline
  • .bug-hunter/report.md as a rendered companion if needed

Notes

  • This skill is intentionally diff-scoped; it does not replace full-repository audits.
  • Use it as the lightweight security fast-path before invoking the broader security-review flow.

Recommended Agent Skills

Expand your agent's capabilities with these related and highly-rated skills.

codexstar69/bug-hunter

referee

Final arbiter for Bug Hunter. Receives Hunter findings and Skeptic challenges, independently re-reads code, and delivers authoritative verdicts with CVSS scoring and proof-of-concept generation for security findings.

114 6
Explore
codexstar69/bug-hunter

fixer

Surgical code fixer for Bug Hunter. Implements minimal, precise fixes for verified bugs. Uses doc-lookup (Context Hub + Context7) to verify correct API usage in patches. Respects fix strategy classifications (safe-autofix vs manual-review vs larger-refactor).

114 6
Explore
codexstar69/bug-hunter

hunter

Deep behavioral code analysis agent for Bug Hunter. Performs multi-phase scanning to find logic errors, security vulnerabilities, race conditions, and runtime bugs. Uses doc-lookup (Context Hub + Context7) for framework verification. Reports structured JSON findings.

114 6
Explore
codexstar69/bug-hunter

skeptic

Adversarial code reviewer for Bug Hunter. Rigorously challenges each reported bug to determine if it's real or a false positive. Uses doc-lookup (Context Hub + Context7) to verify framework claims before disproval. The immune system that kills false positives.

114 6
Explore
codexstar69/bug-hunter

security-review

Run a focused STRIDE-based security review using Bug Hunter-native artifacts. Use whenever the user asks for a full security audit, repository security review, weekly security scan, PR security review with deeper validation, or wants dependency CVEs and threat-model context combined into one workflow.

114 6
Explore
codexstar69/bug-hunter

recon

Codebase reconnaissance agent for Bug Hunter. Maps architecture, identifies trust boundaries, classifies files by risk priority, and detects service boundaries. Does NOT find bugs — finds where bugs hide.

114 6
Explore

Didn't find tool you were looking for?

Be as detailed as possible for better results