{"id":51237123,"url":"https://github.com/righettod/toolbox-ai-assisted-secure-code-review","last_synced_at":"2026-06-28T21:30:57.295Z","repository":{"id":367823335,"uuid":"1282439246","full_name":"righettod/toolbox-ai-assisted-secure-code-review","owner":"righettod","description":"Customized toolbox containing materials to perform a secure code review with the help of a coding assistant.","archived":false,"fork":false,"pushed_at":"2026-06-27T20:31:36.000Z","size":50,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-27T21:20:28.185Z","etag":null,"topics":["appsec","claude-code"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/righettod.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-06-27T19:16:54.000Z","updated_at":"2026-06-27T20:32:04.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/righettod/toolbox-ai-assisted-secure-code-review","commit_stats":null,"previous_names":["righettod/toolbox-ai-assisted-secure-code-review"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/righettod/toolbox-ai-assisted-secure-code-review","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/righettod%2Ftoolbox-ai-assisted-secure-code-review","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/righ
ettod%2Ftoolbox-ai-assisted-secure-code-review/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/righettod%2Ftoolbox-ai-assisted-secure-code-review/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/righettod%2Ftoolbox-ai-assisted-secure-code-review/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/righettod","download_url":"https://codeload.github.com/righettod/toolbox-ai-assisted-secure-code-review/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/righettod%2Ftoolbox-ai-assisted-secure-code-review/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34905180,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-28T02:00:05.809Z","response_time":54,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["appsec","claude-code"],"created_at":"2026-06-28T21:30:54.982Z","updated_at":"2026-06-28T21:30:57.290Z","avatar_url":"https://github.com/righettod.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"![MadeWitVSCode](https://img.shields.io/static/v1?label=Made%20with\u0026message=VisualStudio%20Code\u0026color=blue\u0026?style=for-the-badge\u0026logo=visualstudio)\n\n# Description\n\n\u003e 🗃️ All *commands* are created as **skills** (Claude Code proprietary 
format, new format for the **commands**) and are stored in this [folder](.claude/skills).\n\n🧑‍💻 This folder contains coding assistant *commands* that I use to perform a secure code review.\n\n🔬 The idea is to:\n\n1. Learn how to leverage AI, via a coding assistant (claude code here), in the context of a secure code review activity.\n2. Define a process to perform a secure code review with the help of AI via a coding assistant.\n3. Allow me to learn how to create instructions for a coding assistant to help me during a secure code review activity.\n\n# Review process\n\n🔬 I imagined the following process against a codebase using claude code sessions:\n\n🧑‍💻 Initial steps in a claude code session **at the root folder of the codebase**:\n\n1. Start a new claude code session: *Important to isolate the processing from a context perspective*.\n2. Call the command [`codebase-overview`](#case-1-codebase-overview) to have a global visual overview of the risky sinks.\n\n🧑‍💻 For each module of the codebase, in a claude code session **at the root folder of the module**, apply these steps:\n\n1. Scan the code with [SemGrep](https://github.com/semgrep/semgrep) to identify issues using a pattern-based approach: the goal is to identify issues not linked to an entry point, for example a deprecated algorithm used but not called from an entry point.\n2. Start a new claude code session: *Important to isolate the processing from a context perspective*.\n3. Call the command [`codebase-semgrep-findings-review`](#case-3-review-the-semgrep-scan-of-the-codebase) to filter false positive findings from the SemGrep scan results.\n4. Start a new claude code session: *Important to isolate the processing from a context perspective*.\n5. Call the command [`codebase-hotspots`](#case-2-codebase-hotspots) to identify entry points that lead to risky processing from a security perspective.\n6. 
Review and manually validate the result of step **3** + step **5**.\n\n⚠️ Important notes:\n\n* A **module by module** approach is used to speed up the review.\n* The SemGrep scan is performed via this dedicated [toolbox](https://github.com/righettod/toolbox-codescan).\n\n# Origin of the creation of the skills based on different cases (context)\n\n## Case 1: Codebase overview\n\n🤔 In this case, the context is that I received a codebase and I want to use claude code to give me the following overview:\n\n```text\nA visual overview of the information entry points and where the information land including the type of processing\nand if such processing can be risky from a security perspective.\n```\n\n📦 The user prompt is stored, as a `claude code command`, in the file in the folder `.claude/skills/codebase-overview/` ([ref](.claude/skills/codebase-overview/SKILL.md)).\n\n🤖 Use it via this instruction inside a claude code session: `/codebase-overview [RELATIVE_PATH_TO_CODEBASE]`.\n\n✅ The generated Mermaid code was validated using the [Mermaid Live](https://mermaid.live/) editor to check its rendering, readability, and the effectiveness of the generated diagram. 
The Mermaid format was chosen because it is a text-based format; it can therefore be modified after generation if necessary or sent to an LLM for additional analysis rounds.\n\nℹ️ Shapes legend:\n\n* A **Hexagon** represents an *entry* point.\n* A **Rectangle** represents a custom code *landing* point, with a TAG to indicate the type of processing performed, and is colored if such processing can be risky from a security perspective.\n* A **Circle** represents a third-party library *landing* point and is colored if the processing performed can be risky from a security perspective.\n\nℹ️ Node label naming conventions are defined in the **[Output rules](.claude/skills/codebase-overview/SKILL.md#output-rules)** section of the command file.\n\n🔬 Example of generated schema against the source code of [OWASP WebGoat](https://github.com/WebGoat/WebGoat) using the download of a zip archive of the *main* branch:\n\n```mermaid\nflowchart LR\n    MAIN{{\"StartWebGoat#main\"}} --\u003e LIB_SB((\"Spring Boot\"))\n    HH{{\"HammerHead#attack\"}} --\u003e P_SESSION[\"org.owasp.webgoat.container.session -- SESSION\"]:::med\n    REG{{\"RegistrationController#registration\"}} --\u003e P_USERS[\"org.owasp.webgoat.container.users -- USER-MGMT -\u003e AUTHN\"]:::med\n    REGO{{\"RegistrationController#registrationOAUTH\"}} --\u003e P_USERS\n    RPT{{\"ReportCardController#reportCard\"}} --\u003e P_USERS\n    MENU{{\"LessonMenuService#showLeftNav\"}} --\u003e P_USERS\n    PROG{{\"LessonProgressService#lessonOverview\"}} --\u003e P_USERS\n    RESTART{{\"RestartLessonService#restartLesson\"}} --\u003e LIB_FLYWAY((\"Flyway\")):::high\n    ENVSVC{{\"EnvironmentService#homeDirectory\"}} --\u003e P_ENV[\"org.owasp.webgoat.container.service -- CONFIG-EXPOSURE\"]:::med\n    LBLDBG{{\"LabelDebugService#setDebuggingStatus\"}} --\u003e P_ENV\n    LBL{{\"LabelService#fetchLabels\"}} --\u003e P_I18N[\"org.owasp.webgoat.container.i18n -- METADATA/I18N\"]\n    HINT{{\"HintService#getHints\"}} 
--\u003e P_I18N\n    FS_IMP{{\"FileServer#importFile\"}} --\u003e LIB_FILE((\"java.io / java.nio (file I/O)\")):::high\n    FS_GET{{\"FileServer#getFiles\"}} --\u003e LIB_FILE\n    MAIL{{\"MailboxController#sendEmail\"}} --\u003e LIB_MAIL((\"Spring Mail\"))\n    WJWT_D{{\"JWTController#decode\"}} --\u003e LIB_JJWT((\"io.jsonwebtoken (jjwt)\")):::med\n    WJWT_E{{\"JWTController#encode\"}} --\u003e LIB_JJWT\n    VERIFY{{\"VerifyAccount#completed\"}} --\u003e P_AUTHBYPASS[\"org.owasp.webgoat.lessons.authbypass -- AUTHN\"]:::med\n    A1{{\"Assignment1#completed\"}} --\u003e P_CHAL[\"org.owasp.webgoat.lessons.challenges -- AUTHN -\u003e ACCOUNT-RECOVERY\"]:::med\n    A7R{{\"Assignment7#resetPassword\"}} --\u003e P_CHAL\n    A8V{{\"Assignment8#vote\"}} --\u003e P_CHAL\n    IMG{{\"ImageServlet#logo\"}} --\u003e LIB_FILE\n    A5{{\"Assignment5#login\"}} --\u003e LIB_JDBC((\"java.sql / JDBC\")):::high\n    A7L{{\"Assignment7#sendPasswordResetLink\"}} --\u003e LIB_REST((\"Spring RestTemplate\")):::med\n    ENC{{\"EncodingAssignment#completed\"}} --\u003e P_CRYPTO[\"org.owasp.webgoat.lessons.cryptography -- CRYPTO\"]:::med\n    HMD5{{\"HashingAssignment#getMd5\"}} --\u003e LIB_CRYPTO((\"java.security / javax.crypto\")):::med\n    HSHA{{\"HashingAssignment#getSha256\"}} --\u003e LIB_CRYPTO\n    SDEF{{\"SecureDefaultsAssignment#completed\"}} --\u003e LIB_CRYPTO\n    SIGN{{\"SigningAssignment#completed\"}} --\u003e LIB_CRYPTO\n    SIGNK{{\"SigningAssignment#getPrivateKey\"}} --\u003e LIB_CRYPTO\n    FR_R{{\"ForgedReviews#retrieveReviews\"}} --\u003e P_CSRF[\"org.owasp.webgoat.lessons.csrf -- CSRF/STATE-CHANGE\"]:::med\n    FR_C{{\"ForgedReviews#createNewReview\"}} --\u003e P_CSRF\n    DESER{{\"InsecureDeserializationTask#completed\"}} --\u003e LIB_OIS((\"java.io.ObjectInputStream\")):::high\n    HIJACK{{\"HijackSessionAssignment#login\"}} --\u003e P_HIJACK[\"org.owasp.webgoat.lessons.hijacksession.cas -- AUTHN -\u003e SESSION\"]:::med\n    
IDOR_V{{\"IDORViewOtherProfile#completed\"}} --\u003e P_IDOR[\"org.owasp.webgoat.lessons.idor -- AUTHZ -\u003e ACCESS-CONTROL\"]:::med\n    IDOR_E{{\"IDOREditOtherProfile#completed\"}} --\u003e P_IDOR\n    IDOR_O{{\"IDORViewOwnProfile#invoke\"}} --\u003e P_IDOR\n    IDOR_L{{\"IDORLogin#completed\"}} --\u003e P_IDOR\n    INSLOG{{\"InsecureLoginTask#completed\"}} --\u003e P_INSLOG[\"org.owasp.webgoat.lessons.insecurelogin -- AUTHN\"]:::med\n    JWT_DEC{{\"JWTDecodeEndpoint#decode\"}} --\u003e P_JWT[\"org.owasp.webgoat.lessons.jwt -- AUTHN -\u003e SESSION\"]:::med\n    JWT_SK{{\"JWTSecretKeyEndpoint#login\"}} --\u003e LIB_JJWT\n    JWT_RF{{\"JWTRefreshEndpoint#newToken\"}} --\u003e LIB_JJWT\n    JWT_VT{{\"JWTVotesEndpoint#vote\"}} --\u003e LIB_JJWT\n    JWT_JKU{{\"JWTHeaderJKUEndpoint#resetVotes\"}} --\u003e LIB_AUTH0((\"com.auth0.jwt\")):::med\n    JWT_KID{{\"JWTHeaderKIDEndpoint#resetVotes\"}} --\u003e LIB_JDBC\n    JWT_KID --\u003e LIB_JJWT\n    LOGSP{{\"LogSpoofingTask#completed\"}} --\u003e P_LOG[\"org.owasp.webgoat.lessons.logging -- LOG-INJECTION\"]\n    LOGBL{{\"LogBleedingTask#completed\"}} --\u003e LIB_SLF4J((\"slf4j\"))\n    MAC_L{{\"MissingFunctionACUsers#listUsers\"}} --\u003e P_MAC[\"org.owasp.webgoat.lessons.missingac -- AUTHZ -\u003e ACCESS-CONTROL\"]:::med\n    MAC_S{{\"MissingFunctionACUsers#usersService\"}} --\u003e LIB_JDBC\n    MAC_A{{\"MissingFunctionACUsers#addUser\"}} --\u003e LIB_JDBC\n    MAC_H{{\"MissingFunctionACHiddenMenus#completed\"}} --\u003e P_MAC\n    OR1{{\"OpenRedirectTask1#simulate\"}} --\u003e P_REDIR[\"org.owasp.webgoat.lessons.openredirect -- REDIRECT\"]:::med\n    OR4{{\"OpenRedirectTask4#doubleDecode\"}} --\u003e P_REDIR\n    ORR{{\"OpenRedirectRealRedirect#real\"}} --\u003e P_REDIR\n    PWL{{\"ResetLinkAssignment#login\"}} --\u003e P_PWR[\"org.owasp.webgoat.lessons.passwordreset -- ACCOUNT-RECOVERY\"]:::med\n    PWC{{\"ResetLinkAssignment#changePassword\"}} --\u003e P_PWR\n    PWQ{{\"SecurityQuestionAssignment#completed\"}} 
--\u003e P_PWR\n    PWSML{{\"SimpleMailAssignment#login\"}} --\u003e P_PWR\n    PWSEND{{\"ResetLinkAssignmentForgotPassword#sendPasswordResetLink\"}} --\u003e LIB_REST\n    PU_UP{{\"ProfileUpload#uploadFileHandler\"}} --\u003e LIB_FILE\n    PU_GET{{\"ProfileUpload#getProfilePicture\"}} --\u003e LIB_FILE\n    PUF_UP{{\"ProfileUploadFix#uploadFileHandler\"}} --\u003e LIB_FILE\n    PUR_GET{{\"ProfileUploadRetrieval#getProfilePicture\"}} --\u003e LIB_FILE\n    PZ_UP{{\"ProfileZipSlip#uploadFileHandler\"}} --\u003e LIB_ZIP((\"java.util.zip\")):::high\n    PZ_GET{{\"ProfileZipSlip#getProfilePicture\"}} --\u003e LIB_FILE\n    SECPW{{\"SecurePasswordsAssignment#completed\"}} --\u003e LIB_ZXCVBN((\"Zxcvbn\"))\n    ACT_E{{\"ActuatorExposureTask#actuatorEnv\"}} --\u003e P_SECMC[\"org.owasp.webgoat.lessons.securitymisconfiguration -- CONFIG-EXPOSURE\"]:::med\n    ACT_K{{\"ActuatorExposureTask#submitApiKey\"}} --\u003e P_SECMC\n    SPOOF{{\"SpoofCookieAssignment#login\"}} --\u003e P_SPOOF[\"org.owasp.webgoat.lessons.spoofcookie -- SESSION -\u003e CRYPTO\"]:::med\n    SQL2{{\"SqlInjectionLesson2#completed\"}} --\u003e LIB_JDBC\n    SQL5{{\"SqlInjectionLesson5#completed\"}} --\u003e LIB_JDBC\n    SQL8{{\"SqlInjectionLesson8#completed\"}} --\u003e LIB_JDBC\n    SQL10{{\"SqlInjectionLesson10#completed\"}} --\u003e LIB_JDBC\n    SQL13{{\"SqlInjectionLesson13#completed\"}} --\u003e LIB_JDBC\n    SQLC{{\"SqlInjectionChallenge#registerNewUser\"}} --\u003e LIB_JDBC\n    SQLCL{{\"SqlInjectionChallengeLogin#login\"}} --\u003e LIB_JDBC\n    SQL6A{{\"SqlInjectionLesson6a#completed\"}} --\u003e LIB_JDBC\n    SQLIV{{\"SqlOnlyInputValidation#attack\"}} --\u003e LIB_JDBC\n    SQL10B{{\"SqlInjectionLesson10b#completed\"}} --\u003e LIB_JAVAC((\"javax.tools.JavaCompiler\")):::high\n    VULN{{\"VulnerableComponentsLesson#completed\"}} --\u003e LIB_XSTREAM((\"XStream\")):::high\n    XSS5{{\"CrossSiteScriptingLesson5a#completed\"}} --\u003e P_XSS[\"org.owasp.webgoat.lessons.xss -- XSS-SINK\"]\n    
XSS_ST{{\"StoredXssComments#retrieveComments\"}} --\u003e P_XSS\n    XSS3{{\"CrossSiteScriptingLesson3#completed\"}} --\u003e LIB_JSOUP((\"Jsoup\"))\n    XXE_S{{\"SimpleXXE#createNewComment\"}} --\u003e LIB_XML((\"javax.xml (StAX/XXE)\")):::high\n    XXE_B{{\"BlindSendFileAssignment#addComment\"}} --\u003e LIB_XML\n    XXE_C{{\"ContentTypeAssignment#createNewUser\"}} --\u003e LIB_XML\n    XXE_R{{\"CommentsEndpoint#retrieveComments\"}} --\u003e P_XXE[\"org.owasp.webgoat.lessons.xxe -- XML-PARSE\"]:::high\n    SSRF2{{\"SSRFTask2#completed\"}} --\u003e LIB_NET((\"java.net.URL\")):::high\n    classDef high fill:#fdd,stroke:#c00,color:#900\n    classDef med fill:#ffe9c7,stroke:#e08e00\n```\n\n## Case 2: Codebase hotspots\n\n🤔 In this case, the context is that I received a codebase and I want to use claude code to point to code that performs risky processing from a security perspective (called a **hotspot**).\n\n📦 The user prompt is stored, as a `claude code command`, in the file in the folder `.claude/skills/codebase-hotspots/` ([ref](.claude/skills/codebase-hotspots/SKILL.md)).\n\n🤖 Use it via this instruction inside a claude code session: `/codebase-hotspots [RELATIVE_PATH_TO_CODEBASE]`.\n\n## Case 3: Review the SemGrep scan of the codebase\n\n🤔 In this case, I scanned the codebase with SemGrep to identify issues not linked to an entry point, for example a deprecated algorithm used but not called from an entry point.\n\n📦 The user prompt is stored, as a `claude code command`, in the file in the folder `.claude/skills/codebase-semgrep-findings-review/` ([ref](.claude/skills/codebase-semgrep-findings-review/SKILL.md)).\n\n🤖 Use it via this instruction inside a claude code session: `/codebase-semgrep-findings-review [PATH_TO_SEMGREP_REPORT] [RELATIVE_PATH_TO_CODEBASE] [MINIMUM_CONFIDENCE_LEVEL]`.\n\n💡 `[MINIMUM_CONFIDENCE_LEVEL]`: Minimum confidence threshold for inclusion in output, accepted values are:\n\n* `CONFIRMED`: Only confirmed findings.\n* `PARTIAL`: Confirmed + 
needs-human-review findings.\n* Default: `PARTIAL` - `FALSE_POSITIVE` verdicts are always excluded from the findings list but are recorded in the summary table.\n\n# Compatibility note\n\n⚠️ The `SKILL.md` files use the **Claude Code skill format** (Anthropic proprietary) and cannot be validated with [`skills-ref`](https://pypi.org/project/skills-ref/) (`pip install skills-ref`), which enforces the [agentskills.io open specification](https://agentskills.io/specification). Claude Code-specific frontmatter fields (`argument-hint`, `disable-model-invocation`, etc.) are not allowed by that specification.\n\n# Install\n\n🧑‍💻 Copy the folder [.claude/skills](.claude/skills/) into the folder `.claude` of the project to review and use *commands* from a claude code session.\n\n💡 The script [install.ps1](install.ps1) can be used too:\n\n```powershell\nirm https://raw.githubusercontent.com/righettod/toolbox-ai-assisted-secure-code-review/main/install.ps1 | iex\n```\n\n# References\n\n* \u003chttps://github.com/semgrep/semgrep\u003e\n* \u003chttps://en.wikipedia.org/wiki/Sink_(computing)\u003e\n* \u003chttps://breachforce.net/source-and-sinks\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frighettod%2Ftoolbox-ai-assisted-secure-code-review","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frighettod%2Ftoolbox-ai-assisted-secure-code-review","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frighettod%2Ftoolbox-ai-assisted-secure-code-review/lists"}