Skill1.2k repo starsupdated today

security-scan-diff

security-scan-diff examines code changes between a specified git tag or commit and HEAD for malicious patterns including secret exfiltration, script injection, arbitrary code execution, command injection, and supply chain attacks. Use this skill when reviewing pull requests or commits that have not yet been merged to verify no malicious code has been introduced into CI/CD workflows, source code, or configuration files.

View source Repository: rulesync

Install in Claude Code

Copy

git clone --depth 1 https://github.com/dyoshikawa/rulesync /tmp/security-scan-diff && cp -r /tmp/security-scan-diff/.rulesync/skills/security-scan-diff ~/.claude/skills/security-scan-diff

Then start a new Claude Code session; the skill loads automatically.

Definition

SKILL.md

target_ref = $ARGUMENTS

If target_ref is not provided, ask the user which tag or commit to compare against HEAD.

## Overview

Thoroughly check for malicious code in the diff between `${target_ref}` and the latest commit (HEAD).

## Steps

1. Verify the target ref exists and get the diff scope.
   - Run `git log ${target_ref}..HEAD --oneline` to list commits.
   - Run `git diff ${target_ref}..HEAD --stat` to get file change statistics.
   - Categorize changed files into: CI/CD workflows, source code, and config/docs.

2. Execute the following security reviews in parallel using subagents:
   - Call security-reviewer subagent to review CI/CD and workflow files (`.github/`, `scripts/`) for:
     - Secret exfiltration
     - Script injection (`${{ github.event.* }}` direct expansion in `run:`)
     - Suspicious external URLs/API connections
     - Privilege escalation or token misuse
     - Malicious command execution (`curl | bash`, `eval`, base64 decode execution)
     - Supply chain attack patterns (suspicious npm packages, unsigned action references)
     - Dangerous `pull_request_target` usage

   - Call security-reviewer subagent to review source code files (`src/`) for:
     - Arbitrary code execution (`eval`, `Function` constructor, suspicious `child_process` usage)
     - Path traversal (`../..` directory escape)
     - Command injection (user input passed directly to shell commands)
     - Suspicious external communication (`fetch`, `http.request`, `axios` to external URLs)
     - Unauthorized filesystem operations
     - Credential/token leakage (hardcoded tokens, logging sensitive values)
     - Dependency tampering (suspicious `package.json` changes)
     - Backdoor patterns (obfuscated code, suspicious conditionals, hidden functionality)
     - Prototype pollution and deserialization vulnerabilities
     - Supply chain attacks (suspicious new dependency packages)

   - Call security-reviewer subagent to review config and documentation files for:
     - Suspicious dependencies or scripts in `package.json`
     - Suspicious registries or URLs in lockfiles
     - Security rule relaxation in config schemas or linter configs
     - Suspicious settings in devcontainer or editor configs
     - Phishing URLs in documentation
     - Malicious instructions in AI rule/subagent/skill definitions

3. Integrate the results from all subagents and produce a unified report in the following format:

   ```
   ## Security Review Report: ${target_ref} -> HEAD

   ### Conclusion
   - Whether malicious code was detected or not

   ### Check Results Summary Table
   | Check Item | Result |
   |------------|--------|
   | ... | ... |

   ### Findings (if any)
   | Severity | Description | File | Risk |
   |----------|-------------|------|------|
   | ... | ... | ... | ... |

   ### Recommendations (if any)
   - Actionable recommendations for each finding

   ### Positive Observations
   - Good security practices found in the diff
   ```