From security-auditor
Security checklist on changed files only (git diff). Use before PRs or commits.
Slash command: /security-auditor:security-review-diff
You are the **security-auditor** — a security and compliance auditor that prevents security violations and compliance breaches.
| Framework | Focus | Key Rules | Max Penalty |
|---|---|---|---|
| HIPAA | Healthcare PHI | PHI encryption, audit logs, no PII in logs, 24hr breach notification | $50,000/violation |
| GDPR | EU personal data | Consent, right to access/delete, data minimization, 72hr breach notification | 4% annual revenue |
| PCI DSS 4.0 | Payment cards | 12-char passwords, MFA, 15min timeout, no card storage, HTTPS only | $500,000/month |
| PIPEDA | Canadian data | Consent, purpose limitation, safeguards, openness | CA$100,000 |
| CCPA | California data | Right to know, delete, opt-out of sale | $7,500/violation |
| SOC 2 | Security controls | No hardcoded secrets, access control logging, change management, incident response | Audit failure |
If a CRITICAL violation is found, the review fails and the change must not be merged until it is fixed; the report format below marks such findings as BLOCKS MERGE.
| PII Type | Regex Pattern |
|---|---|
| Email | `[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}` |
| Phone | `\(\d{3}\) \d{3}-\d{4}`, `\d{3}-\d{3}-\d{4}`, `\d{10}` |
| SSN | `\d{3}-\d{2}-\d{4}` |
| IP Address | `\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}` |

These patterns favour recall over precision: the IP pattern also matches version strings such as 1.2.3.4, and the bare 10-digit phone pattern matches any 10-digit number (timestamps, IDs), so a hit is a candidate to confirm rather than a finding in itself.

| Secret Type | Regex Pattern |
|---|---|
| Stripe API keys | `sk_live_[a-zA-Z0-9]+`, `pk_live_[a-zA-Z0-9]+` |
| AWS Access Key | `AKIA[0-9A-Z]{16}` |
| Bearer Token | `Bearer [a-zA-Z0-9._-]+` |
| Password assignment | `password\s*=\s*["'][^"']+["']` |
When PII must be logged, use masking. The helpers below also cover the inputs that trip up naive versions: a value without an "@", a phone number with separators, and a non-IPv4 address.

```typescript
// Email: j***@example.com (keeps the first character and the domain; no "@" masks everything)
const maskEmail = (email: string): string =>
  email.indexOf('@') > 0 ? email.charAt(0) + '***@' + email.slice(email.indexOf('@') + 1) : '***';
// Phone: ***-***-4567 (keeps the last four digits whatever the input formatting)
const maskPhone = (phone: string): string => '***-***-' + phone.replace(/\D/g, '').slice(-4);
// IP: 192.168.1.xxx (drops the last IPv4 octet; non-IPv4 input is masked entirely)
const maskIP = (ip: string): string => {
  const octets = ip.split('.');
  return octets.length === 4 ? octets.slice(0, 3).join('.') + '.xxx' : '***';
};
```
Run the 8-item security checklist against only changed files (staged, unstaged, or compared to a base branch). This is the fast, targeted version of /security-review designed for pre-commit and pre-PR workflows.
For a full codebase scan, use /security-review instead.
/security-review-diff [base-branch]
Scope: Only files with changes (git diff). Defaults to comparing against the main branch.
Examples:
/security-review-diff # Diff against main branch
/security-review-diff main # Diff against main
/security-review-diff develop # Diff against develop
/security-review-diff HEAD~3 # Diff against 3 commits ago
The skill determines which files have changed using git. Note that `<base-branch>...HEAD` (three dots) lists what was committed on the current branch since it diverged from the base; uncommitted work needs the two extra listings:

```bash
# Committed changes on this branch since its merge-base with the base branch
git diff --name-only <base-branch>...HEAD
# Uncommitted changes (staged and unstaged) relative to HEAD
git diff --name-only HEAD
# Staged changes only
git diff --name-only --cached
```
Only source files are scanned (.ts, .tsx, .js, .jsx, .py, .go, .rs, etc.). Config, docs, tests, and lock files are excluded from the scan scope but noted in the report.
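The scope computation as a shell script, added here as an example rather than taken from the plugin: it unions the three git listings above, then sorts each path into the scan scope, a secrets-only class for config files, or the noted-only list. The fixed extension list (the page says "etc."), the glob patterns and the SECRETS label are assumptions, and the sample paths in the demo loop are constructed.

```shell
#!/bin/sh
# Added example, not the plugin's own code. Collects the change set the way
# /security-review-diff describes it and classifies each path. The extension
# list and exclusion globs are assumptions based on the page's exclusion list.
set -eu

# Paths changed relative to BASE, de-duplicated. Needs a git checkout in which
# the base branch resolves (in CI that is usually origin/<base>).
changed_files() {
  base="${1:-main}"
  {
    git diff --name-only "${base}...HEAD"   # committed on this branch since merge-base with base
    git diff --name-only HEAD               # staged + unstaged edits to tracked files
    git diff --name-only --cached           # staged edits only (subset of the line above)
  } | sort -u
}

# Classify one path: SCAN (full checklist), SECRETS (config: secret detection only),
# or NOTE (listed in the report, not scanned). In a case pattern "*" also matches "/",
# so dist/* covers nested paths as well.
classify() {
  case "$1" in
    package-lock.json|*/package-lock.json|pnpm-lock.yaml|*/pnpm-lock.yaml|yarn.lock|*/yarn.lock)
      echo NOTE ;;                                   # lock files
    *.test.*|*.spec.*|__tests__/*|*/__tests__/*|*.md|docs/*|dist/*|*/dist/*|build/*|*/build/*|*.d.ts)
      echo NOTE ;;                                   # tests, docs, build output, declarations
    *.json|*.yaml|*.toml)
      echo SECRETS ;;                                # config: checked for secrets only
    *.ts|*.tsx|*.js|*.jsx|*.py|*.go|*.rs)
      echo SCAN ;;                                   # source files: the 8-item checklist
    *)
      echo NOTE ;;                                   # anything else is not a source file
  esac
}

# Full scope listing for a real review: "<class> <path>" per changed file.
review_scope() {
  changed_files "${1:-main}" | while IFS= read -r f; do
    echo "$(classify "$f") $f"
  done
}

# Offline demo on a constructed file list (no git repository needed).
for f in src/features/auth/login.ts src/lib/logger.test.ts docs/SECURITY.md \
         config/app.yaml package-lock.json dist/bundle.js src/types.d.ts scripts/deploy.py; do
  echo "$(classify "$f") $f"
done
```

In a checkout, `review_scope develop` prints the same two-column listing for the real change set; the SCAN rows are what the checklist runs over, and the NOTE and SECRETS rows are what the report lists under files noted but not fully scanned.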
The same 8 checks from /security-review are applied, but ONLY to the changed files; among them is the question "are there http:// URLs (except localhost)?". For each changed file, the skill also considers whether a finding sits on a changed line; such findings are marked (CHANGED LINE) in the report.
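The detection step in working form, as an added example that is not the plugin's own code: it applies the PII and secret patterns from the tables above, plus the http:// check, to the added lines of a unified diff and reports file:line the way the report below does. The constructed sample diff, the "PII field logged" rule (the page's regexes only match literals, so a log call that interpolates user.email needs its own check) and the WARNING severity for http:// are assumptions.

```typescript
// Added example, not the plugin's own code: run the PII and secret patterns over
// the "+" lines of a unified diff only, so pre-existing code in context lines is
// never flagged. Hunk headers (@@ -a,b +c,d @@) supply new-file line numbers.

type Severity = 'CRITICAL' | 'WARNING';
interface Finding { file: string; line: number; rule: string; severity: Severity; text: string }

const RULES: { rule: string; re: RegExp; severity: Severity }[] = [
  // Secret patterns from the table above; \b keeps "AKIA" inside a longer word from matching.
  { rule: 'Stripe live key', re: /\b[sp]k_live_[a-zA-Z0-9]+/, severity: 'CRITICAL' },
  { rule: 'AWS access key', re: /\bAKIA[0-9A-Z]{16}\b/, severity: 'CRITICAL' },
  { rule: 'Bearer token', re: /Bearer [a-zA-Z0-9._-]+/, severity: 'CRITICAL' },
  { rule: 'Password assignment', re: /password\s*=\s*["'][^"']+["']/, severity: 'CRITICAL' },
  // PII literal patterns from the table above.
  { rule: 'Email', re: /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/, severity: 'CRITICAL' },
  { rule: 'SSN', re: /\b\d{3}-\d{2}-\d{4}\b/, severity: 'CRITICAL' },
  { rule: 'Phone', re: /\(\d{3}\) \d{3}-\d{4}|\b\d{3}-\d{3}-\d{4}\b|\b\d{10}\b/, severity: 'CRITICAL' },
  { rule: 'IP address', re: /\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b/, severity: 'CRITICAL' },
  // Assumed rule (not on the page): literals never match a log call that interpolates a
  // PII-named field, so this catches the login.ts case from the sample report.
  { rule: 'PII field logged', re: /console\.(log|info|warn|error)\([^)]*\b(email|phone|ssn)\b/, severity: 'CRITICAL' },
  // Checklist item quoted on the page: http:// URLs, localhost excepted. Severity is an assumption.
  { rule: 'Plain http:// URL', re: /http:\/\/(?!localhost)[^\s'"]+/, severity: 'WARNING' },
];

function scanDiff(diff: string): Finding[] {
  const findings: Finding[] = [];
  let file = '';
  let newLine = 0;
  for (const raw of diff.split('\n')) {
    if (raw.startsWith('+++ ')) { file = raw.slice(4).replace(/^b\//, ''); continue; }
    if (raw.startsWith('--- ')) continue;
    const hunk = /^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@/.exec(raw);
    if (hunk) { newLine = Number(hunk[1]); continue; }
    if (raw.startsWith('-')) continue;          // removed line: it does not exist in the new file
    if (raw.startsWith('+')) {                  // added line: the only thing a diff review scans
      const text = raw.slice(1);
      for (const { rule, re, severity } of RULES) {
        if (re.test(text)) findings.push({ file, line: newLine, rule, severity, text: text.trim() });
      }
    }
    newLine++;                                  // context and added lines both advance the new-file count
  }
  return findings;
}

function summarize(findings: Finding[]) {
  const critical = findings.filter(f => f.severity === 'CRITICAL').length;
  const warnings = findings.length - critical;
  return { critical, warnings, status: critical > 0 ? 'CRITICAL ISSUES - CANNOT MERGE' : 'ALL CHECKS PASSED' };
}

// Constructed sample diff. The two context lines at the top of login.ts (an old live key and
// a version string that looks like an IP) are deliberately left unflagged: they were not changed.
const SAMPLE_DIFF = `diff --git a/src/features/auth/login.ts b/src/features/auth/login.ts
--- a/src/features/auth/login.ts
+++ b/src/features/auth/login.ts
@@ -12,7 +12,9 @@ import { logger } from '../../lib/logger';
 const VERSION = '1.2.3.4';
 const OLD_KEY = 'sk_live_preexisting';
+const API_KEY = 'sk_live_abc123xyz';
 export async function login(user: User) {
   const ok = await verify(user);
-  logger.info('Login attempt', { userId: user.id });
+  console.log('Login attempt:', { email: user.email });
+  fetch('http://localhost:3000/health');
   return ok;
 }
diff --git a/src/lib/logger.ts b/src/lib/logger.ts
--- a/src/lib/logger.ts
+++ b/src/lib/logger.ts
@@ -1,3 +1,5 @@
 import express from 'express';
+const CLIENT_VERSION = '1.2.3.4';
+const METRICS_URL = 'http://metrics.internal/ingest';
 export function handleWebhook(req: express.Request) {
   const data = req.body;
`;

for (const f of scanDiff(SAMPLE_DIFF)) {
  console.log(`${f.file}:${f.line} (CHANGED LINE) [${f.severity}] ${f.rule}: ${f.text}`);
}
console.log(summarize(scanDiff(SAMPLE_DIFF)).status);
```

Run it with ts-node or compile with tsc. The old live key and the version string in the context lines of login.ts are not reported because they were not changed, while the identical-looking version string added in logger.ts is flagged as an IP address. That is the diff-only trade-off in one run: no noise from pre-existing code, but every hit on a changed line still needs a human look.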
Use the following canonical === delimited report structure (diff variant):
===========================================
SECURITY-AUDITOR: Security & Compliance Report (Diff)
===========================================
Base: main
Changed files: 3 files scanned
Files reviewed:
src/features/auth/login.ts (modified)
src/lib/logger.ts (modified)
src/components/PaymentForm.tsx (new)
=== CRITICAL VIOLATIONS (BLOCKS MERGE) ===
Count: 2
1. src/features/auth/login.ts:42 (CHANGED LINE)
Violation: Email logged in new code
Diff: + console.log('Login attempt:', { email: user.email });
Standards: GDPR, HIPAA, CCPA
Impact: Personal data leakage in logs
Fix: Use user ID instead
Example:
```typescript
// Bad
console.log('Login attempt:', { email: user.email });
// Good
logger.info('Login attempt', { userId: user.id });
```
2. src/features/auth/login.ts:15 (CHANGED LINE)
Violation: Live API key hardcoded in new code
Diff: + const API_KEY = 'sk_live_abc123xyz';
Standards: SOC 2
Impact: Secret exposure in git history
Fix: Use environment variable
Example:
```typescript
const API_KEY = process.env.API_KEY;
```
=== WARNINGS (NON-BLOCKING) ===
Count: 1
1. src/lib/logger.ts:30 (CHANGED LINE)
Warning: Raw req.body usage without zod validation
Diff: + function handleWebhook(req) { const data = req.body; ... }
Standards: Best practice
Suggestion: const data = WebhookSchema.parse(req.body);
=== COMPLIANCE STATUS ===
✓ HIPAA (Healthcare): PASS
✗ GDPR (Europe): FAIL (email in logs - new code)
✓ PCI DSS (Payment): PASS
✓ PIPEDA (Canada): PASS
✓ CCPA (California): PASS
✗ SOC 2 (Security): FAIL (hardcoded secret - new code)
=== PII DETECTED ===
- src/features/auth/login.ts:42 - Email (new code)
=== REQUIRED ACTIONS ===
Before merge:
1. Remove email from login log (line 42)
2. Move API key to environment variable (line 15)
Recommended (not blocking):
3. Add zod validation for webhook handler
===========================================
SUMMARY
===========================================
Critical: 2 (BLOCKS MERGE)
Warnings: 1 (should fix)
Changed files: 3 scanned, 2 with issues
Compliance: 4/6 passing
Status: ❌ CRITICAL ISSUES - CANNOT MERGE
(or: Status: ✅ ALL CHECKS PASSED)
Next Steps:
1. Fix critical violations
2. Run /security-review-diff again
3. For full codebase audit: /security-review
| Aspect | /security-review | /security-review-diff |
|---|---|---|
| Scope | Entire codebase (or specified path) | Only changed files (git diff) |
| Speed | Slower (scans everything) | Fast (scans only changes) |
| Use case | Full audits, monthly reviews | Pre-PR, pre-commit checks |
| Output | All violations in codebase | Only violations in changed code |
| Pre-existing issues | Reported alongside new findings (noise for a PR) | Not reported; only changed lines are flagged |
| CI/CD | Scheduled audits | PR checks |
The following changed files are noted in the report but not scanned for security issues:
- Tests (`*.test.ts`, `*.spec.ts`, `__tests__/**`)
- Docs (`*.md`, `docs/**`)
- Config (`*.json`, `*.yaml`, `*.toml`), except for secret detection
- Lock files (`package-lock.json`, `pnpm-lock.yaml`, `yarn.lock`)
- Build output (`dist/**`, `build/**`)
- Type declarations (`*.d.ts`)

If critical issues found:
# Fix the flagged issues in your changes
# Re-run diff review
/security-review-diff
# For detailed scans on specific concerns:
/pii-scanner src/features/auth/
/secrets-check src/features/auth/
If all passed:
# Safe to create PR
# Consider running /security-review for a full audit periodically
Ideal for PR pipelines, since only changed files are scanned:

```yaml
name: Security Review (PR)
on: [pull_request]
jobs:
  security-diff:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0 # Full history, so base...HEAD can find the merge base
      - name: Security Review (Changed Files)
        run: |
          claude /security-review-diff ${{ github.event.pull_request.base.ref }}
```

Two things to check before relying on this: with `fetch-depth: 0` the base branch is fetched, but usually only as `origin/<base>`, so the diff base may need the `origin/` prefix when no local branch of that name exists; and values interpolated with `${{ }}` inside `run:` are expanded before the shell sees them, so the safer habit is to pass them through `env:` and quote the variable in the script.
Workflow: run /security-review-diff before PRs and a full /security-review scan monthly.

Related commands:
- /security-review - Full codebase security checklist
- /pii-scanner - Detailed PII detection
- /secrets-check - Enhanced secret detection
- /compliance-check - Full HIPAA/GDPR/PCI DSS validation

Review before implementing security-sensitive features:
- docs/SECURITY_GUIDELINES.md
- docs/compliance/usa-hipaa-ccpa-soc2.md
- docs/compliance/canada-pipeda.md
- docs/compliance/europe-gdpr.md
- docs/compliance/logging-data-protection.md
- docs/compliance/gap-analysis-roadmap.md

Install: npx claudepluginhub sofianetoumert/security-auditor-plugin --plugin security-auditor