feat: add security-review skill

[Hnturk]

Add a new discipline-enforcing skill that ensures code is reviewed for security vulnerabilities before merging. Covers input validation, auth, data exposure, dependencies, and configuration with actionable checklists

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2de92d7 and 73fe9b7.

📒 Files selected for processing (1)

• skills/security-review/SKILL.md

---

📝 Walkthrough

Walkthrough

Adds a new security review skill document describing a security review checklist, deployment guardrails, the Hard Gate workflow, red flags, integration guidance, and process rules (Iron Law) for performing security reviews before merges.

Changes

Cohort / File(s)	Summary
Security Review Skill Guide skills/security-review/SKILL.md	Adds a new comprehensive Markdown guide covering deployment guardrails, the "Iron Law" (no merge without completing the checklist), applicability, a multi-category checklist (Input Validation, Authentication & Authorization, Data Exposure, Dependencies, Configuration), Hard Gate workflow, red flags/rationalizations, quick reference, integration notes, and common mistakes.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 I hopped through lines of guidance bright,
Checklist in paw, I guard the site,
Gates and flags keep danger small,
I thump once, twice — no merge at all! 🥕🔐

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The pull request title 'feat: add security-review skill' accurately and clearly describes the main change: introduction of a new security-review skill documentation file.
Description check	✅ Passed	The pull request description directly relates to the changeset by explaining the purpose and content of the new security-review skill, including its focus areas and actionable checklists.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@skills/security-review/SKILL.md`:
- Around line 18-20: Add language identifiers to the two fenced code blocks so
markdownlint MD040 is satisfied: for the block containing "NO MERGE WITHOUT
SECURITY CHECKLIST COMPLETION" and the block starting with "BEFORE claiming
merge-ready:" replace the opening triple backticks with triple backticks plus
"text" (i.e., ```text) so both fenced blocks explicitly declare the language.

---

ℹ️ Review info

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e4a2375 and 9d99bcf.

📒 Files selected for processing (1)

• skills/security-review/SKILL.md

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@skills/security-review/SKILL.md`:
- Around line 26-30: Update the checklist under the "Always before:" heading in
SKILL.md to avoid blocking draft PRs: replace the list item "- Creating pull
requests" with a scoped requirement such as "- Marking a PR as merge-ready /
before final merge approval" (or similar wording) so the gate still enforces
checks prior to merge while allowing early/draft PRs for feedback; edit the
"Always before:" section and its list entry accordingly.

---

ℹ️ Review info

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9d99bcf and 2de92d7.

📒 Files selected for processing (1)

• skills/security-review/SKILL.md

[arittr]

Thanks for the contribution. We now have #1151 tracking the security-review workflow proposal, plus newer PRs that explore the fuller requesting-security-review + reviewer-agent shape.

This PR predates that discussion and adds a standalone checklist-style security-review skill, which is not the direction we’d evaluate if we pursue this in core. Closing this so the security-review discussion stays consolidated on #1151 and the newer workflow-shaped proposals.