feat: add security-review skill for AI-powered codebase vulnerability scanning#1209

Closed
Mrigank005 wants to merge 1 commit into github:main from Mrigank005:main

Conversation

@Mrigank005
Contributor

Pull Request Checklist

  • I have read and followed the CONTRIBUTING.md guidelines.
  • I have read and followed the Guidance for submissions involving paid services.
  • My contribution adds a new instruction, prompt, agent, skill, or workflow file in the correct directory.
  • The file follows the required naming convention.
  • The content is clearly structured and follows the example format.
  • I have tested my instructions, prompt, agent, skill, or workflow with GitHub Copilot.
  • I have run npm start and verified that README.md is up to date.
  • I am targeting the staged branch for this pull request.

Description

Adds a new security-review skill that performs comprehensive AI-powered security analysis of codebases. Unlike traditional SAST tools that rely on pattern matching, this skill reasons about code the way a human security researcher would — tracing how user-controlled input moves across files, understanding how components interact, and self-verifying each finding to filter false positives before surfacing them.

How it works:

The skill follows a structured 8-step workflow that mirrors how a professional security audit is conducted:

  1. Scope Resolution — Detects languages and frameworks from dependency manifests
  2. Dependency Audit — Checks installed packages against a curated CVE watchlist
  3. Secrets Scan — Finds exposed credentials using regex patterns + entropy heuristics across 15+ providers (AWS, OpenAI, Stripe, GitHub, Slack, etc.)
  4. Vulnerability Deep Scan — Reasons across the codebase for injection flaws, auth issues, weak cryptography, and business logic errors
  5. Cross-File Data Flow Analysis — Traces user input from HTTP entry points to sinks across multiple files — catching vulnerabilities that only appear when looking at the full picture
  6. Self-Verification Pass — Re-examines each finding to confirm exploitability and filter out false positives
  7. Report Generation — Structured output grouped by severity (CRITICAL / HIGH / MEDIUM / LOW / INFO) with confidence ratings per finding
  8. Patch Proposals — Concrete before/after code fixes for every CRITICAL and HIGH finding, presented for human review and approval — nothing is auto-applied

What it covers:

| Category | Examples |
| --- | --- |
| Injection flaws | SQLi, XSS, command injection, SSRF, XXE, SSTI |
| Auth & access control | IDOR, JWT vulnerabilities, broken auth, CSRF, privilege escalation |
| Secrets exposure | API keys, tokens, private keys, connection strings, CI/CD credentials |
| Insecure dependencies | CVEs in npm, pip, Maven, Rubygems, Cargo, Go modules |
| Cryptography | Weak hashing (MD5/SHA1), bad randomness, insecure TLS, hardcoded IVs |
| Business logic | Race conditions, missing rate limits, integer overflow in financial math |

Language support: JavaScript, TypeScript, Python, Java, PHP, Go, Ruby, Rust — with framework-specific patterns for Express, Django, Flask, FastAPI, Spring Boot, Rails, and more.

Bundled reference files (references/ — 5 files, ~988 lines total):

  • vuln-categories.md — Deep detection guidance for every vulnerability type with vulnerable vs. safe code examples
  • secret-patterns.md — Regex patterns and entropy heuristics for 15+ credential providers
  • language-patterns.md — Framework-specific dangerous patterns per language
  • vulnerable-packages.md — CVE watchlist with affected version ranges and safe upgrade targets
  • report-format.md — Structured output template with severity ratings and patch proposal format

Type of Contribution

  • New instruction file.
  • New prompt file.
  • New agent file.
  • New plugin.
  • New skill file.
  • New agentic workflow.
  • Update to existing instruction, prompt, agent, plugin, skill, or workflow.
  • Other (please specify):

Additional Notes

This skill includes 5 reference files in references/ totaling ~988 lines of security detection guidance. All files are well under the 5MB asset limit. The skill has been validated with npm run skill:validate and the README has been regenerated with npm start.


By submitting this pull request, I confirm that my contribution abides by the Code of Conduct and will be licensed under the MIT License.
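As an added illustration of the Secrets Scan step the description outlines (provider regexes plus an entropy heuristic), here is a small scanner in JavaScript; it is example code written for this review, not part of the PR or the skill's reference files, and the provider shapes, the 3.5-bit threshold and the sample lines are assumptions and constructed input.

```javascript
// Added example, not code from the PR or the skill it proposes: a minimal secrets
// scanner combining provider regexes with a Shannon-entropy check. The provider
// shapes are assumptions based on public key formats; the sample is constructed.
const PROVIDER_PATTERNS = [
  { provider: "aws", re: /\bAKIA[0-9A-Z]{16}\b/g },
  { provider: "github", re: /\bghp_[A-Za-z0-9]{36}\b/g },
];
// Generic "secret = value" assignments; the value is judged by entropy alone.
const ASSIGNMENT_RE = /(?:secret|token|password|api_?key)\s*[:=]\s*["']?([A-Za-z0-9+/=_-]{16,})/gi;

// Shannon entropy in bits per character: random tokens score ~4.5+, words ~3.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// A report must never echo the full candidate secret; keep a short prefix only.
const mask = (v) => v.slice(0, 4) + "***";

function scanText(text, entropyThreshold = 3.5) {
  const findings = [];
  text.split("\n").forEach((line, idx) => {
    const lineNo = idx + 1;
    for (const { provider, re } of PROVIDER_PATTERNS) {
      for (const m of line.matchAll(re)) {
        findings.push({ line: lineNo, provider, kind: "pattern", value: mask(m[0]) });
      }
    }
    for (const m of line.matchAll(ASSIGNMENT_RE)) {
      // Skip lines a provider pattern already reported.
      if (findings.some((f) => f.line === lineNo)) continue;
      if (shannonEntropy(m[1]) >= entropyThreshold) {
        findings.push({ line: lineNo, provider: "generic", kind: "entropy", value: mask(m[1]) });
      }
    }
  });
  return findings;
}

// Constructed sample: AWS's documented example key id, a high-entropy token, a placeholder.
const SAMPLE = [
  'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
  'api_key = "x9Qf3kL7pZ2mNv8bR4tYw1Hs6Jd0Gc5E"',
  'password = "placeholderplaceholder"',
].join("\n");
```

Running `scanText(SAMPLE)` reports the AWS-shaped key on line 1 and the high-entropy token on line 2, while the repeated-word placeholder on line 3 stays below the threshold and is not flagged.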

@Mrigank005 Mrigank005 requested a review from aaronpowell as a code owner March 28, 2026 20:57
Copilot AI review requested due to automatic review settings March 28, 2026 20:57

Copilot AI left a comment


Pull request overview

Adds a new security-review skill under skills/ to guide AI-assisted, codebase-wide security auditing (dependencies, secrets, vuln categories, data-flow analysis) with bundled reference material and a standardized report template.

Changes:

  • Introduces skills/security-review/SKILL.md defining an 8-step security review workflow and output rules.
  • Adds bundled reference docs for language-specific patterns, secret patterns, vulnerability categories, a vulnerable package watchlist, and a report format template.
  • Registers the new skill in docs/README.skills.md so it appears in generated skill documentation.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| skills/security-review/SKILL.md | Defines the skill's workflow, severity guide, and how to use the bundled references. |
| skills/security-review/references/language-patterns.md | Adds language/framework-specific "things to flag" patterns. |
| skills/security-review/references/report-format.md | Provides a templated output format for /security-review reports. |
| skills/security-review/references/secret-patterns.md | Provides regex/heuristic guidance for credential and secret detection. |
| skills/security-review/references/vuln-categories.md | Provides detailed vulnerability category guidance and examples. |
| skills/security-review/references/vulnerable-packages.md | Provides a curated dependency watchlist and red-flag heuristics. |
| docs/README.skills.md | Adds the security-review entry to the skills index. |

Comment on lines +140 to +151
```js
// Line 47
const query = `SELECT * FROM users WHERE id = ${req.params.id}`;
db.execute(query);
```

AFTER (fixed):
```js
// Line 47 — Fixed: Use parameterized query to prevent SQL injection
const query = 'SELECT * FROM users WHERE id = ?';
db.execute(query, [req.params.id]);
```

Copilot AI Mar 28, 2026


In this “Patch Proposals” example, a fenced code block is opened earlier (line 130) and then another triple-backtick fence is started here for the JS snippet. Nested triple-backtick fences will break Markdown rendering (the inner fence will terminate the outer block). Consider using a different fence length for the outer block (e.g., quadruple backticks) or representing the inner snippets via indentation / alternative delimiters.

Suggested change
```js
// Line 47
const query = `SELECT * FROM users WHERE id = ${req.params.id}`;
db.execute(query);
```
AFTER (fixed):
```js
// Line 47 — Fixed: Use parameterized query to prevent SQL injection
const query = 'SELECT * FROM users WHERE id = ?';
db.execute(query, [req.params.id]);
```
````js
// Line 47
const query = `SELECT * FROM users WHERE id = ${req.params.id}`;
db.execute(query);

AFTER (fixed):

// Line 47 — Fixed: Use parameterized query to prevent SQL injection
const query = 'SELECT * FROM users WHERE id = ?';
db.execute(query, [req.params.id]);

1. Address all CRITICAL findings immediately
2. Schedule HIGH findings for current sprint
3. Add MEDIUM/LOW to your security backlog
4. Set up automated re-scanning in CI/CD (see ide-setup.md)

Copilot AI Mar 28, 2026


This footer references ide-setup.md, but that file doesn’t exist under skills/security-review/ in this PR. Either add the referenced file or update the text to point to an existing doc so readers aren’t sent to a dead link.

Suggested change
4. Set up automated re-scanning in CI/CD (see ide-setup.md)
4. Set up automated re-scanning in CI/CD (see SKILL.md for setup details)

| express | < 4.19.2 | Open redirect | >= 4.19.2 |
| multer | < 1.4.4 | DoS | >= 1.4.4-lts.1 |
| xml2js | < 0.5.0 | Prototype pollution | >= 0.5.0 |
| fast-xml-parser | < 4.2.4 | ReDos | >= 4.2.4 |
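Review bot: the watchlist rows carry a version range and a one-word issue but no advisory identifier, source link or last-updated date, so a reader cannot verify a row or tell when it has gone stale; add an advisory/CVE column (or a link to the upstream advisory) and a date in the table header, and say in the surrounding text that this static list supplements rather than replaces a live check such as `npm audit` against a vulnerability database.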

Copilot AI Mar 28, 2026


Typo/inconsistent capitalization: “ReDos” should be “ReDoS” (regular expression denial of service).

Suggested change
| fast-xml-parser | < 4.2.4 | ReDos | >= 4.2.4 |
| fast-xml-parser | < 4.2.4 | ReDoS | >= 4.2.4 |

@Mrigank005 Mrigank005 closed this Mar 28, 2026