code-review-security-checks

Review code for SQL injection, command injection, path traversal, and hardcoded credentials before merge.

code-review-security-checks

Review code for SQL injection, command injection, path traversal, and hardcoded credentials before merge. Flag uses of eval() or exec() with external input. Verify no secrets are committed to source control.

Context

Security review is the last line of defense before code reaches production. Automated scanners catch known patterns but miss logic-level vulnerabilities that only a human reviewer can identify.

Antipattern

Rubber-stamping PRs without reading the diff. Approving code that passes CI without checking for security-sensitive patterns.

Rationale

The cost of catching a vulnerability in code review is orders of magnitude lower than catching it in production. OWASP Top 10 vulnerabilities are the most common attack vectors and the easiest to prevent with review discipline.

Use this skill

Option 1 — Claude Code plugin marketplace

Install directly from within Claude Code. Best for interactive use.

Step 1 — Add the brunnr marketplace (one-time):

/ plugin marketplace add Peleke/brunnr

Step 2 — Install the skill:

/ plugin install code-review-security-checks@brunnr-skills

Step 3 — Use it:

/ code-review-security-checks

Every skill in the brunnr marketplace passes a 7-class security scan before distribution. See Claude Code plugin docs for more on marketplaces.

Option 2 — brunnr CLI

Best for batch installs, CI pipelines, or managing skills across multiple projects.

Install brunnr (one-time):

$ uv tool install brunnr # recommended

$ pipx install brunnr # or pipx

$ pip install brunnr # or pip

Install the skill:

$ brunnr install code-review-security-checks

Writes to ./skills/code-review-security-checks/SKILL.md in your project — Claude Code auto-discovers it as a slash command. brunnr shows you the skill source for review before writing; use --yes to skip.