{"id":50932422,"url":"https://github.com/joshuaporth/appsec-skill","last_synced_at":"2026-06-17T05:31:34.669Z","repository":{"id":356428241,"uuid":"1232484570","full_name":"joshuaporth/appsec-skill","owner":"joshuaporth","description":"Portable secure code review skill for AI coding agents — OWASP/CWE coverage, structured findings, and remediation guidance. Works with Cursor, Claude Code, Kiro, and Open Agent Skills.","archived":false,"fork":false,"pushed_at":"2026-05-27T11:13:44.000Z","size":384,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-27T13:05:06.330Z","etag":null,"topics":["agent-skills","ai-agents","application-security","appsec","claude-code","code-review","cursor","kiro","owasp","secure-coding"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/joshuaporth.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-08T01:26:02.000Z","updated_at":"2026-05-27T11:13:49.000Z","dependencies_parsed_at":"2026-05-27T13:02:48.356Z","dependency_job_id":null,"html_url":"https://github.com/joshuaporth/appsec-skill","commit_stats":null,"previous_names":["joshuaporth/appsec-skill"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/joshuaporth/appsec-skill","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/joshuaporth%2Fappsec-skill","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/joshuaporth%2Fappsec-skill/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/joshuaporth%2Fappsec-skill/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/joshuaporth%2Fappsec-skill/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/joshuaporth","download_url":"https://codeload.github.com/joshuaporth/appsec-skill/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/joshuaporth%2Fappsec-skill/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34435978,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-17T02:00:05.408Z","response_time":127,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["agent-skills","ai-agents","application-security","appsec","claude-code","code-review","cursor","kiro","owasp","secure-coding"],"created_at":"2026-06-17T05:31:33.419Z","updated_at":"2026-06-17T05:31:34.647Z","avatar_url":"https://github.com/joshuaporth.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=\"center\" id=\"readme-top\"\u003e\n\n# AppSec Skill\n\n**🔐 Portable secure-code review for coding agents.**\n\n[![Open Agent Skills](https://img.shields.io/badge/Open_Agent_Skills-specification-6366f1?style=flat-square)](https://openagentskills.dev/docs/specification)\n[![License](https://img.shields.io/badge/license-MIT-blue?style=flat-square)](./LICENSE)\n\n**[Quick start](#quick-start)** · **[Sample output](#sample-output)** · **[Skill modules](#skill-modules)** · **[Contributing](#contributing)**\n\n\u003c/div\u003e\n\n---\n\n\u003ch2 id=\"quick-start\"\u003e🚀 Quick start\u003c/h2\u003e\n\n1. Copy [`skill/`](./skill/) into your project (or clone/submodule this repo).\n2. Point your agent host at [`skill/`](./skill/) — or open [`skill/SKILL.md`](./skill/SKILL.md) and read `references/` in order; no tooling required.\n3. Run a review:\n\n```text\nLoad the AppSec skill, then analyze path/to/file.py for security vulnerabilities.\n```\n\nFor a whole tree, swap in `all source files under path/to/project/`.\n\n\u003ch2 id=\"why-appsec-skill\"\u003e🎯 Why AppSec Skill\u003c/h2\u003e\n\nOne-shot “check my code for security” prompts tend to miss classes, hallucinate line numbers, and return inconsistent reports. AppSec Skill encodes a **repeatable** review pipeline:\n\n- **Grounded findings** — cite evidence; mark uncertainty explicitly.\n- **Structured coverage** — methodology, OWASP/CWE-oriented classes, language traps, and crypto checks.\n- **Actionable output** — one stable finding schema plus remediation patterns you can diff in Git.\n\nWorks with any host that loads **[Open Agent Skills](https://openagentskills.dev/docs/specification)**-shaped content ([`SKILL.md`](./skill/SKILL.md) + numbered [`references/`](./skill/references/)). Plain Markdown — no bundled runtime.\n\n\u003ch2 id=\"how-it-works\"\u003e🧭 How it works\u003c/h2\u003e\n\nThe agent loads [`skill/SKILL.md`](./skill/SKILL.md), reads the reference chain **before** application code, then delivers a prioritized report.\n\n```mermaid\nflowchart TD\n  A[Load skill/SKILL.md] --\u003e B[Build review plan\u003cbr/\u003e01-methodology]\n  A --\u003e C[Set constraints\u003cbr/\u003e00-identity]\n\n  B --\u003e D[Analyze target source code]\n  C --\u003e D\n\n  D --\u003e E[Classify findings\u003cbr/\u003e02-vulnerability-classes]\n  D --\u003e F[Apply language checks\u003cbr/\u003e03-language-specific]\n  D --\u003e G[Apply crypto checks\u003cbr/\u003e04-cryptography]\n\n  E --\u003e H[Normalize into schema\u003cbr/\u003e05-output-format]\n  F --\u003e H\n  G --\u003e H\n\n  H --\u003e I[Propose concrete fixes\u003cbr/\u003e06-remediation]\n  I --\u003e J[Deliver prioritized report]\n```\n\n\u003ch2 id=\"sample-output\"\u003e👀 Sample output\u003c/h2\u003e\n\nFindings follow [`05-output-format.md`](./skill/references/05-output-format.md) — stable IDs, CWE/OWASP mapping, and SARIF-friendly fields. Real reviews must include every required field; the example below is truncated.\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eExample finding (illustrative)\u003c/strong\u003e\u003c/summary\u003e\n\n**Finding 1: SQL Injection** · `APPSEC-3f1a92c4e0b1` · `app/db.py:12–14` · **HIGH** / P1 · CWE-89\n\n```python\nquery = f\"SELECT * FROM users WHERE id = '{user_id}'\"\ncur.execute(query)\n```\n\nUser-controlled `user_id` is interpolated into raw SQL. Use parameterized queries or bound parameters from your stack.\n\n\u003c/details\u003e\n\n\u003ch2 id=\"skill-modules\"\u003e📚 Skill modules\u003c/h2\u003e\n\n| # | Reference | Covers |\n|--:|-----------|--------|\n| 00 | [`00-identity.md`](./skill/references/00-identity.md) | Mindset, scope, hard rules |\n| 01 | [`01-methodology.md`](./skill/references/01-methodology.md) | Three-pass review |\n| 02 | [`02-vulnerability-classes.md`](./skill/references/02-vulnerability-classes.md) | Catalog + detection notes |\n| 03 | [`03-language-specific.md`](./skill/references/03-language-specific.md) | Language traps |\n| 04 | [`04-cryptography.md`](./skill/references/04-cryptography.md) | Crypto checks |\n| 05 | [`05-output-format.md`](./skill/references/05-output-format.md) | Finding schema |\n| 06 | [`06-remediation.md`](./skill/references/06-remediation.md) | Fix patterns |\n\n**Host setup:** discovery paths vary by product (project `.cursor/skills`, user-level dirs, Claude Code bundles, etc.). See your host’s docs — e.g. Cursor’s [Agent Skills](https://cursor.com/docs/skills) guide. Examples only, not exhaustive: **Cursor**, **Claude Code**, **Kiro**, and similar loaders may ingest [`skill/`](./skill/) unchanged once discovery matches.\n\n\u003ch2 id=\"contributing\"\u003e🤝 Contributing\u003c/h2\u003e\n\nImprovements to skills or docs are welcome — **small, focused PRs** make security-sensitive wording easier to review. See [`CONTRIBUTING.md`](./CONTRIBUTING.md).\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003e🛠️ Maintainers · evaluation harness\u003c/strong\u003e\u003c/summary\u003e\n\nOptional regression for **`skill/`**: scripted **Findings → Scoring** over blind challenges **01–30** via **Claude Code**. Protocol: [`.cursor/skills/benchmark/SKILL.md`](./.cursor/skills/benchmark/SKILL.md). Details: [`CONTRIBUTING.md`](./CONTRIBUTING.md).\n\n**Submodules** (initialize after clone):\n\n```bash\ngit submodule update --init benchmark/challenges benchmark/synthetics\n```\n\n| Path | Upstream |\n|:-----|:---------|\n| [`benchmark/challenges/`](./benchmark/challenges/) | [dub-flow/secure-code-review-challenges](https://github.com/dub-flow/secure-code-review-challenges) |\n| [`benchmark/synthetics/`](./benchmark/synthetics/) | [secure-code-review-fixtures](https://github.com/joshuaporth/secure-code-review-fixtures) |\n\n```bash\n./benchmark/findings.sh --start 1 --end 5 --parallel 5 --model sonnet\n./benchmark/scoring.sh --start 1 --end 5 --parallel 5 --model sonnet\n```\n\n\u003c/details\u003e\n\n\u003ch2 id=\"license\"\u003e📄 License\u003c/h2\u003e\n\n[MIT License](./LICENSE).\n\n\u003cdiv align=\"center\"\u003e\n\n**[⬆ Back to top](#readme-top)**\n\n\u003c/div\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjoshuaporth%2Fappsec-skill","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjoshuaporth%2Fappsec-skill","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjoshuaporth%2Fappsec-skill/lists"}