Scan Pending Changes for Security Issues with /security-review
The /security-review command analyzes your uncommitted changes for security vulnerabilities before you push. It reads the current git diff and produces a report organized by severity, with specific line references and remediation suggestions.
/security-review
Claude reviews the diff for common risks including:
- User input passed directly to SQL queries, shell commands, or file paths
- JWT or session handling mistakes and weak token validation
- Missing authorization checks on new endpoints or routes
- API keys, credentials, or secrets accidentally staged for commit
- Missing input validation on newly added form fields or request bodies
- Unsafe use of eval, exec, or similar constructs
Running /security-review before opening a PR catches vulnerabilities that automated linters miss, since Claude reasons about the intent of code and not just its syntax. A linter cannot tell you that a new route is missing an auth guard. Claude can.
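To make the contrast concrete, here is an added Python example (not Claude Code's own implementation, which reasons about intent rather than matching text). It parses a constructed staged diff into added lines with file and line numbers, applies a handful of pattern rules for categories from the list above (SQL built from request data, eval on request input, a secret assigned as a literal), and prints a severity-ordered report in the same shape as the one described. The sample diff also adds a route with no authorization check; none of the patterns flag it, which is exactly the gap a syntax-level tool leaves open. All file names, values and the diff itself are made up for the example.

```python
"""Pattern-level scan of a staged diff (added illustration, not the
/security-review implementation, which reasons about code intent)."""
import re
from collections import defaultdict

# Constructed sample diff (not from any real repository). It adds an
# unguarded admin route, an f-string SQL statement, an eval on request
# data, and a secret literal in config.py.
SAMPLE_DIFF = """\
diff --git a/app/views.py b/app/views.py
--- a/app/views.py
+++ b/app/views.py
@@ -10,1 +10,7 @@ def health():
     return "ok"
+
+@app.post("/admin/users")
+def delete_user():
+    uid = request.args["id"]
+    cur.execute(f"DELETE FROM users WHERE id = {uid}")
+    return eval(request.args.get("expr", "''"))
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,1 +1,2 @@
 DEBUG = False
+AWS_SECRET_ACCESS_KEY = "EXAMPLEKEYDONOTUSE0000000000000000000000"
"""

# (severity, description, pattern): a deliberately small, syntax-only rule set.
RULES = [
    ("critical", "SQL statement built from an f-string or concatenation",
     re.compile(r"""execute\(\s*(?:f["']|["'][^"']*["']\s*[+%])""")),
    ("critical", "eval/exec call reachable from request data",
     re.compile(r"\b(?:eval|exec)\s*\(")),
    ("high", "secret assigned as a string literal (would be staged for commit)",
     re.compile(r"""(?i)(?:secret|api_key|password|token)\w*\s*=\s*["'][^"']{8,}["']""")),
]

HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def added_lines(diff_text):
    """Yield (path, new_line_number, text) for every line the diff adds."""
    path, new_line = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            if path.startswith("b/"):
                path = path[2:]
            continue
        if raw.startswith("--- ") or raw.startswith("diff --git"):
            continue
        m = HUNK_HEADER.match(raw)
        if m:
            new_line = int(m.group(1))   # line number in the new file
            continue
        if raw.startswith("+"):
            yield path, new_line, raw[1:]
            new_line += 1
        elif raw.startswith("-"):
            continue                     # removed line: absent from the new file
        else:
            new_line += 1                # unchanged context line


def scan_diff(diff_text):
    """Return findings grouped by severity: {sev: [(path, line, description, text)]}."""
    findings = defaultdict(list)
    for path, line, text in added_lines(diff_text):
        for severity, description, pattern in RULES:
            if pattern.search(text):
                findings[severity].append((path, line, description, text.strip()))
    return dict(findings)


def render_report(findings):
    """Format findings critical-first with file:line references, like the report described."""
    out = []
    for sev in ("critical", "high", "medium", "low"):
        for path, line, desc, text in findings.get(sev, []):
            out.append(f"[{sev.upper()}] {path}:{line}: {desc}\n    {text}")
    return "\n".join(out) or "no pattern-level findings"


if __name__ == "__main__":
    # The route added at app/views.py:12 has no auth guard and is not in
    # this report; only an intent-aware review catches that.
    print(render_report(scan_diff(SAMPLE_DIFF)))
```

Running it reports the SQL line, the eval line and the staged secret with file and line numbers, and says nothing about the new `/admin/users` route. A scanner of this kind is a cheap pre-push gate, but the missing authorization check is the category that needs a reviewer who understands what the route is for.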
Pair it with /diff to visually browse the changes Claude is reviewing, so you can correlate the report with specific edits:
/diff
# browse the changes, then:
/security-review
For large changesets, you can also describe a specific area of concern:
/security-review focus on the new file upload endpoint
Add /security-review to your pre-push checklist and catch issues before they reach code review.