Security & Review Skills
CLI-JAW provides a suite of security analysis and code review skills that detect vulnerabilities, enforce best practices, model threats, and streamline peer review -- all from natural language commands.
Skill Overview
| Skill | Description | Trigger Example |
|---|---|---|
| static-analysis | Runs static analysis across the codebase to find bugs, anti-patterns, and potential vulnerabilities without executing code | "Run static analysis" |
| insecure-defaults | Scans configuration files, environment variables, and code for insecure default values (open CORS, debug mode in production, weak crypto settings) | "Check the security defaults" |
| security-best-practices | Audits the project against OWASP Top 10 and language-specific security guidelines, producing a compliance checklist | "Check security best practices" |
| security-ownership-map | Generates a map of who owns which security-critical paths (auth, payments, crypto, PII handling) based on git history and CODEOWNERS | "Create a security ownership map" |
| security-threat-model | Builds a STRIDE-based threat model for the current project, identifying trust boundaries, data flows, and attack surfaces | "Do threat modeling" |
| differential-review | Reviews only the changed lines in a PR or diff, focusing on security regressions and newly introduced risks | "Security-review only the changed parts" |
| receiving-code-review | Processes incoming code review comments, triages severity, and suggests fixes for each finding | "Organize the code review feedback" |
| requesting-code-review | Prepares a structured code review request with context, risk areas, and reviewer checklist for the current changeset | "Request a review of this code" |
Static Analysis
The static-analysis skill performs multi-language static analysis by combining AST-level inspection with pattern matching. It detects SQL injection vectors, XSS sinks, path traversal patterns, insecure deserialization, and more.
```text
# Run static analysis on the entire project
Check for security vulnerabilities
# Target a specific directory
Run static analysis on the src/api directory only
# Focus on a specific vulnerability class
Find only SQL injection vulnerabilities
```
Results are grouped by severity (Critical, High, Medium, Low) with file locations, line numbers, and remediation suggestions.
Insecure Defaults
The insecure-defaults skill checks your project for dangerous default configurations that often ship to production unnoticed.
| Check Category | Examples Detected |
|---|---|
| Authentication | Default passwords, disabled auth middleware, permissive session settings |
| CORS | Access-Control-Allow-Origin: *, overly broad allowed methods |
| Debug Mode | DEBUG=true in production configs, verbose error pages exposed |
| Cryptography | MD5/SHA1 for password hashing, hardcoded keys, weak JWT secrets |
| Network | HTTP instead of HTTPS, binding to 0.0.0.0 without restriction, open ports |
| Dependencies | Known-vulnerable package versions, unpinned dependencies |
```text
# Scan for insecure defaults
Check the defaults for security issues
# Check only environment and config files
Run a security check on the configuration files
```
Security Best Practices
The security-best-practices skill audits your project against established security standards and produces a structured compliance report.
```text
# Full OWASP Top 10 audit
Run a security check against OWASP
# Language-specific best practices
Check Python security best practices
# Generate a compliance report
Create a security compliance report
```
The audit covers:
- Input validation -- Injection prevention, parameterized queries, input sanitization
- Authentication & session management -- Secure token storage, session expiry, MFA support
- Access control -- Role-based checks, privilege escalation vectors
- Data protection -- Encryption at rest and in transit, PII handling, logging hygiene
- Error handling -- Information leakage through error messages, stack trace exposure
- Dependency management -- Outdated packages, known CVEs, supply chain risks
Security Ownership Map
The security-ownership-map skill analyzes git history and project structure to generate a visual map of security-critical code ownership.
```text
# Generate ownership map for security-critical paths
Create a security ownership map
# Focus on authentication code ownership
Identify the owners of authentication-related code
```
The map identifies:
- Auth modules -- Login flows, token generation, OAuth integrations
- Payment processing -- Billing logic, payment gateway integrations
- Cryptographic code -- Key management, encryption/decryption routines
- PII handling -- User data storage, export, and deletion paths
- Infrastructure config -- Dockerfile, CI/CD pipelines, deployment scripts
Each path is annotated with the primary owner (most recent and most frequent committer), review coverage percentage, and time since last security-focused review.
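The owner annotation described above can be derived from `git log` output. The following added example (not CLI-JAW's implementation) assumes the primary owner is the most frequent committer with ties broken by recency; the `CRITICAL` prefix mapping and the log sample are constructed.

```python
from collections import Counter, defaultdict

# Hypothetical area -> path-prefix mapping; adjust to the repository layout.
CRITICAL = {"auth": "src/auth/", "payments": "src/billing/", "crypto": "src/crypto/"}

# Constructed sample shaped like the output of
#   git log --name-only --date=short --format='@%an|%ad'
# (blank lines between entries are ignored by the parser).
SAMPLE_LOG = """\
@Dana|2024-06-03
src/auth/login.py
@Lee|2024-05-20
src/auth/token.py
src/billing/charge.py
@Lee|2024-04-11
src/auth/login.py
src/auth/oauth.py
@Dana|2024-03-02
src/billing/charge.py
README.md
"""

def ownership_map(git_log, critical=CRITICAL):
    """Per area: primary owner, their commit count, and the latest toucher."""
    counts = defaultdict(Counter)   # area -> author -> commits touching area
    newest = defaultdict(dict)      # area -> author -> newest commit date
    author = date = None
    touched = set()
    for line in git_log.splitlines():
        if line.startswith("@"):    # commit header: @author|YYYY-MM-DD
            author, date = line[1:].rsplit("|", 1)
            touched = set()
        elif line.strip():
            for area, prefix in critical.items():
                if line.startswith(prefix) and area not in touched:
                    touched.add(area)   # a commit counts once per area
                    counts[area][author] += 1
                    newest[area][author] = max(date, newest[area].get(author, ""))
    result = {}
    for area, per_author in counts.items():
        # ISO dates sort lexicographically, so they work as tie-breakers.
        primary = max(per_author, key=lambda a: (per_author[a], newest[area][a]))
        last = max(newest[area], key=newest[area].get)
        result[area] = {"primary": primary, "commits": per_author[primary],
                        "last_author": last, "last_touched": newest[area][last]}
    return result
```

In the sample, `auth` has Lee as primary owner even though Dana made the latest change, which is the case where "most recent" and "most frequent" disagree and the tie-break rule has to be stated.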
Threat Modeling
The security-threat-model skill builds a STRIDE-based threat model by analyzing your project's architecture, data flows, and external integrations.
```text
# Generate a full threat model
Do threat modeling
# Threat model for a specific feature
Create a threat model for the payment feature
# Update an existing threat model after changes
Update the threat model
```
| STRIDE Category | What It Detects |
|---|---|
| Spoofing | Weak authentication, missing identity verification, token forgery vectors |
| Tampering | Unsigned data in transit, missing integrity checks, mutable shared state |
| Repudiation | Missing audit logs, unsigned transactions, no non-repudiation controls |
| Information Disclosure | Verbose errors, log leakage, insecure storage, debug endpoints |
| Denial of Service | Missing rate limits, unbounded queries, resource exhaustion vectors |
| Elevation of Privilege | Missing authorization checks, IDOR, privilege escalation paths |
Differential Review
The differential-review skill performs security-focused review on only the changed lines in a PR or working tree diff, catching regressions before they merge.
```text
# Review the current diff for security issues
Security-review only the changed parts
# Review a specific PR
Do a security review of PR #42
# Review staged changes before committing
Run a security check before committing
```
The differential review focuses on:
- New vulnerability introduction -- Unsafe functions added, validation removed
- Security regression -- Previously hardened code weakened by the change
- Sensitive data exposure -- API keys, tokens, or credentials in the diff
- Permission changes -- Modified access control logic, new endpoints without auth
- Dependency changes -- New packages with known vulnerabilities
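Restricting a review to changed lines means parsing the diff and tracking new-file line numbers. This added example (not CLI-JAW's code) scans only the `+` lines of a git-format unified diff; the three rules and the sample diff are constructed for illustration.

```python
import re

# Hypothetical rules for this example; not CLI-JAW's own rule set.
RULES = [
    ("hardcoded-secret", "critical", re.compile(
        r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"][^'\"]{8,}['\"]")),
    ("tls-verify-disabled", "high", re.compile(r"\bverify\s*=\s*False\b")),
    ("no-eval", "critical", re.compile(r"\beval\s*\(")),
]
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

# Constructed git diff; the eval() call is unchanged context, not a change.
SAMPLE_DIFF = """\
diff --git a/src/api/client.py b/src/api/client.py
--- a/src/api/client.py
+++ b/src/api/client.py
@@ -10,5 +10,6 @@ def fetch(url):
     session = requests.Session()
-    resp = session.get(url, timeout=5)
+    API_KEY = "EXAMPLE-constructed-value"
+    resp = session.get(url, timeout=5, verify=False)
     resp.raise_for_status()
     cfg = eval(resp.text)
     return cfg
"""

def review_diff(diff_text):
    """Scan added lines only; return (path, new-file line, severity, rule)."""
    findings, path, new_line = [], None, None
    for raw in diff_text.splitlines():
        hunk = HUNK.match(raw)
        if raw.startswith("diff --git "):
            new_line = None                    # back in the file headers
        elif hunk:
            new_line = int(hunk.group(1))      # first new-file line of the hunk
        elif new_line is None:
            if raw.startswith("+++ "):
                path = raw[4:].removeprefix("b/")
        elif raw.startswith("+"):
            findings += [(path, new_line, sev, rid)
                         for rid, sev, rx in RULES if rx.search(raw[1:])]
            new_line += 1
        elif not raw.startswith(("-", "\\")):
            new_line += 1                      # context line: counted, not scanned
    return findings
```

The pre-existing `eval()` on an unchanged context line is deliberately not reported; a differential pass only covers what the change introduced, so a full scan is still needed for existing code.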
Code Review Workflows
CLI-JAW supports both sides of the code review process with dedicated skills.
Receiving Code Review
The receiving-code-review skill processes incoming review comments, triages them by severity, and generates actionable fix suggestions.
```text
# Process review feedback on the current PR
Organize the code review feedback
# Triage and prioritize review comments
Sort the review comments by severity
# Auto-generate fixes for review findings
Generate fix code based on the review feedback
```
Requesting Code Review
The requesting-code-review skill prepares a structured review request with context, risk annotations, and a reviewer checklist.
```text
# Create a review request for the current changes
Request a review of this code
# Generate a review request with security focus
Create a review request from a security perspective
# Add a reviewer checklist to an existing PR
Add a review checklist to the PR
```
The generated review request includes:
- Change summary -- What changed and why, with business context
- Risk areas -- Files and functions flagged for careful review
- Test coverage -- Which tests cover the changes, any gaps identified
- Reviewer checklist -- Specific items for the reviewer to verify
- Related issues -- Links to relevant tickets or previous discussions
Combining Skills
Security skills can be chained together for comprehensive analysis. CLI-JAW automatically detects when multiple skills apply and orchestrates them.
```text
# Full security audit (combines multiple skills)
Do a full security audit
# Pre-release security check
Run a pre-release security check
# Onboarding security review for a new project
Give me an overall picture of this project's security posture
```
| Combined Workflow | Skills Invoked |
|---|---|
| Full security audit | static-analysis + insecure-defaults + security-best-practices |
| Pre-release check | static-analysis + insecure-defaults + differential-review |
| Threat assessment | security-threat-model + security-ownership-map |
| Review preparation | differential-review + requesting-code-review |
Configuration
Security skills respect project-level configuration in .jaw/security.yaml:
```yaml
# .jaw/security.yaml
severity_threshold: medium  # Minimum severity to report (low|medium|high|critical)
ignore_paths:
  - "vendor/**"
  - "node_modules/**"
  - "**/*.test.ts"
owasp_profile: web  # web | api | mobile | desktop
custom_rules:
  - id: no-eval
    pattern: "eval("
    severity: critical
    message: "eval() is forbidden; use a safe parser instead"
```