AgentSkillsCN

SKILL.md

Code Review Skill

Slice: slices/code_review/
Type: Security Analysis

Purpose

Security-focused code review with OWASP Top 10 coverage. Use this skill when:

  • Code changes need security review before merge
  • Vulnerability scanning is required
  • Security audit documentation is needed

Quick Start

```python
import asyncio

from features.agent_sdk.slices.code_review import (
    CodeReviewService,
    FindingCategory,
    ReviewTask,
)


async def main() -> None:
    service = CodeReviewService()
    task = ReviewTask(
        paths=["src/api/", "src/auth/"],
        # AUTH is accepted but has no detection patterns yet (see Finding Categories);
        # only INJECTION, SECRETS, VALIDATION and CRYPTO currently produce findings.
        focus_areas=[FindingCategory.INJECTION, FindingCategory.AUTH],
    )
    # execute() is a coroutine, so it must be awaited from inside an async function
    result = await service.execute(task)

    for finding in result.findings:
        print(
            f"[{finding.severity.value}] {finding.title} "
            f"at {finding.file_path}:{finding.line_number}"
        )


asyncio.run(main())
```

API Reference

CodeReviewService

| Method | Description | Returns |
|--------|-------------|---------|
| `execute(task)` | Run the security review over the paths and focus areas in the `ReviewTask` | `ReviewResult` |

Severity Levels

| Level | Description | Action Required |
|-------|-------------|-----------------|
| CRITICAL | Immediate exploitation risk | Block merge |
| HIGH | Significant vulnerability | Fix before merge |
| MEDIUM | Moderate risk | Fix soon |
| LOW | Minor issue | Fix when convenient |
| INFO | Informational | No action |

Finding Categories (OWASP-aligned)

  • INJECTION: SQL, XSS, command injection (A03:2021)
  • AUTH: Authentication issues (A07:2021; authorization failures fall under A01:2021, Broken Access Control) *
  • SECRETS: Exposed credentials (A02:2021)
  • VALIDATION: Input validation (A03:2021)
  • CRYPTO: Weak cryptography (A02:2021)
  • CONFIG: Security misconfig (A05:2021) *
  • DEPENDENCY: Vulnerable dependencies (A06:2021) *

* Categories marked with asterisk are placeholders for future implementation. Currently, pattern-based detection focuses on INJECTION, SECRETS, VALIDATION, and CRYPTO.

Pattern-Based Detection

The service uses regex patterns for common vulnerabilities. Pattern matching is purely syntactic: it has no data-flow context, so expect false positives (for example `eval()` applied to a constant, or a pattern appearing in a comment) and false negatives (injection sinks that are not in the table). Treat the findings as a triage list, not as proof of exploitability.

| Pattern | Severity | Description |
|---------|----------|-------------|
| `eval()` | CRITICAL | Code injection |
| `shell=True` | HIGH | Command injection |
| Hardcoded secrets | HIGH | Credential exposure |
| `md5()` | MEDIUM | Weak hashing |

Risk Score Calculation

  • CRITICAL: +10 points
  • HIGH: +5 points
  • MEDIUM: +2 points
  • LOW: +0.5 points

Points for all findings are summed and the total is normalized to a 0-10 scale. INFO findings contribute no points.
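The following is an added, self-contained example (not the skill's own code) showing how the pattern table and the risk score fit together, and how the score feeds a merge decision of the kind the Integration section describes. The regexes, the `Finding` dataclass, the line-by-line scan, the comment skip, the `merge_decision` helper and the clamp-to-10 normalization are all assumptions for illustration: the page does not publish the skill's actual patterns or its normalization rule. The sample source is constructed.

```python
import re
from dataclasses import dataclass
from enum import Enum


class Severity(Enum):
    CRITICAL = "critical"
    HIGH = "high"
    MEDIUM = "medium"
    LOW = "low"
    INFO = "info"


# Points per severity as listed on the page; INFO adds nothing.
SEVERITY_POINTS = {
    Severity.CRITICAL: 10.0,
    Severity.HIGH: 5.0,
    Severity.MEDIUM: 2.0,
    Severity.LOW: 0.5,
    Severity.INFO: 0.0,
}

# Illustrative regexes for the four patterns in the table (assumption: the
# skill's real patterns are not published on the page).
PATTERNS = [
    (re.compile(r"\beval\s*\("), Severity.CRITICAL, "Code injection via eval()"),
    (re.compile(r"\bshell\s*=\s*True\b"), Severity.HIGH, "Command injection via shell=True"),
    (
        re.compile(r"(?i)\b(password|passwd|secret|api_key|token)\s*=\s*['\"][^'\"]{8,}['\"]"),
        Severity.HIGH,
        "Hardcoded secret",
    ),
    (re.compile(r"\bmd5\s*\("), Severity.MEDIUM, "Weak hashing (MD5)"),
]


@dataclass
class Finding:
    severity: Severity
    title: str
    file_path: str
    line_number: int
    snippet: str


def scan_source(file_path: str, source: str) -> list[Finding]:
    """Run every pattern over every line of one file.

    Whole-line comments are skipped because a pattern name mentioned in a
    comment is a classic false positive for regex-only scanners.
    """
    findings: list[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        for regex, severity, title in PATTERNS:
            if regex.search(line):
                findings.append(Finding(severity, title, file_path, lineno, line.strip()))
    return findings


def risk_score(findings: list[Finding]) -> float:
    """Sum severity points and clamp the total into the 0-10 range.

    The page says the score is normalized to 0-10 but not how; clamping is
    this example's assumption.
    """
    total = sum(SEVERITY_POINTS[f.severity] for f in findings)
    return min(total, 10.0)


def merge_decision(findings: list[Finding], threshold: float = 5.0) -> str:
    """Gate a change: any CRITICAL finding blocks the merge outright,
    otherwise a risk score at or above the (assumed) threshold fails the build."""
    if any(f.severity is Severity.CRITICAL for f in findings):
        return "block"
    if risk_score(findings) >= threshold:
        return "fail"
    return "pass"


# Constructed sample input: one clean line, one comment that must not fire,
# and one instance of each pattern from the table.
SAMPLE_SOURCE = """\
import hashlib, subprocess
# eval() is only mentioned in this comment, so it must not be reported
API_KEY = "sk-live-0123456789abcdef"
digest = hashlib.md5(data).hexdigest()
subprocess.run(cmd, shell=True)
result = eval(user_expr)
"""

if __name__ == "__main__":
    found = scan_source("app.py", SAMPLE_SOURCE)
    for f in found:
        print(f"[{f.severity.value}] {f.title} at {f.file_path}:{f.line_number}  {f.snippet}")
    print(f"risk score: {risk_score(found)}  decision: {merge_decision(found)}")
```

Running this reports four findings (lines 3 to 6), the comment on line 2 is ignored, the raw total of 22 points clamps to a score of 10, and the `eval()` hit alone is enough to return `block`. Dropping the CRITICAL and the `shell=True` hits leaves 7 points, which still fails a threshold of 5; the MD5 hit on its own scores 2 and passes, which is the kind of tuning a team does when choosing the CI threshold.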

Integration

  • Pre-commit hook: Block commits that contain CRITICAL findings
  • CI/CD: Fail the build when the risk score exceeds a configured threshold
  • PR Review: Auto-comment findings on pull requests