Secure Fix Validation
When to use
Use this skill after implementing a security fix, or when reviewing a PR.
Inputs to collect (if available)
- •Vulnerability description and expected secure behavior
- •Repro steps (request, payload, or test)
- •Affected components and entry points
- •Deployment/rollout constraints (feature flags, backwards compatibility)
Step-by-step process
- •Reproduce the issue pre-fix
- •Minimal failing test or request example
- •Verify the fix
- •Confirm the repro now fails safely
- •Regression coverage
- •Add unit/integration tests for:
- •expected valid inputs
- •malicious/edge inputs
- •authorization bypass attempts (if relevant)
- •Add unit/integration tests for:
- •Non-functional checks
- •Error handling (no stack traces/secret leakage)
- •Logging redaction (no PII/secrets)
- •Performance impact in hot paths
- •Rollout safety
- •Feature flags where appropriate
- •Backwards compatibility notes
- •Monitoring/alerts to detect new failure modes
Output
- •Commands run
- •Tests added/updated
- •Verification evidence (logs/screenshots/snippets)
- •Rollout notes
Output format
- •Repro (pre-fix): how it failed
- •Verification (post-fix): what now happens
- •Tests: added/updated + what they cover
- •Evidence: logs/screenshots/snippets (redacted)
- •Rollout notes: monitoring, flags, compatibility
Examples
- •“Fix: block IDOR on /users/:id” → add negative test for cross-user access; verify 403 and tenant scoping on DB query.