Summary
This issue proposes adding a Security Code Review Agent skill to Project CodeGuard. While the existing software-security skill helps AI agents write secure code during generation, this new skill focuses on a different use case: performing comprehensive, end-to-end security reviews of entire codebases.
Motivation
Project CodeGuard provides excellent security rules that guide AI coding agents toward secure-by-default practices. However, there is currently no standardized methodology for using these rules to perform a full security audit of an existing repository.
A security code review agent skill would bridge this gap by defining:
- How to systematically load Project CodeGuard's core and OWASP rules
- How to discover, categorize, and prioritize files for review
- How to perform contextual security analysis (not just pattern matching)
- How to produce a structured, actionable security report
Proposed Changes
Add a new skill under skills/security-review/ containing:
-
SKILL.md -- Skill definition describing inputs, workflow, report requirements, and output format. References Project CodeGuard's sources/core/ and sources/owasp/ directories for rules.
-
Security_Code_Reviewer_Guidelines.md -- Comprehensive review methodology (~1,100 lines) covering:
- Prioritized rule-loading strategy optimized for AI agent context windows
- Systematic file discovery and risk-based categorization
- Parallel batch reading strategy for large codebases
- 11 priority vulnerability categories with detection criteria and examples
- True positive / false positive validation criteria
- Full report structure (executive summary, detailed findings with CWE references, remediation guidance, appendix)
- Anti-patterns that cause AI agents to produce incomplete reviews
How It Complements Existing Skills
| Aspect |
software-security skill |
security-review skill (proposed) |
| When |
During code generation |
After code is written |
| Scope |
Single file / function |
Entire repository |
| Output |
Secure code |
Security audit report |
| Rules used |
Context-specific rules |
All core + relevant OWASP rules |
Both skills reference the same Project CodeGuard rules but serve different stages of the development lifecycle.
Contribution Origin
This skill was developed at Cisco, building on Project CodeGuard's rules to operationalize them into a full security review workflow. We are contributing it to CoSAI to complement the existing framework.
Summary
This issue proposes adding a Security Code Review Agent skill to Project CodeGuard. While the existing
software-securityskill helps AI agents write secure code during generation, this new skill focuses on a different use case: performing comprehensive, end-to-end security reviews of entire codebases.Motivation
Project CodeGuard provides excellent security rules that guide AI coding agents toward secure-by-default practices. However, there is currently no standardized methodology for using these rules to perform a full security audit of an existing repository.
A security code review agent skill would bridge this gap by defining:
Proposed Changes
Add a new skill under
skills/security-review/containing:SKILL.md-- Skill definition describing inputs, workflow, report requirements, and output format. References Project CodeGuard'ssources/core/andsources/owasp/directories for rules.Security_Code_Reviewer_Guidelines.md-- Comprehensive review methodology (~1,100 lines) covering:How It Complements Existing Skills
software-securityskillsecurity-reviewskill (proposed)Both skills reference the same Project CodeGuard rules but serve different stages of the development lifecycle.
Contribution Origin
This skill was developed at Cisco, building on Project CodeGuard's rules to operationalize them into a full security review workflow. We are contributing it to CoSAI to complement the existing framework.