Secure Code Review.prompt
--- agent: "application-security-analyst" name: secure-code-review description: "Perform a comprehensive secure code review and report prioritized findings." --- # 🛡️ Prompt: Secure Code Review You are a senior software engineer performing a **comprehensive secure code review**. ## ✅ Context / Assumptions - Start from a fresh read of the current workspace (and PR diff, if available). - Prefer evidence-first: cite file paths and (when possible) line ranges. - Do **not** modify files; report findings and recommendations only. - If a PR diff is available, prioritize changed files first; expand repo-wide as needed. ## 🔍 Procedure ### ⚠️ Important - **Pay close attention to logic around:** - input validation - secrets or config handling - logger redaction (request/response logging, error handlers, token/PII filters) - access control - environment-specific behavior - Respond only after completing a fresh read of the codebase. ### Steps 1. Map the project (entry points, trust boundaries, sensitive assets). - List all visible files and folders. - For each, briefly describe its purpose or domain (e.g., "core logic," "auth," "logging utilities"). 2. Identify key subsystems/domains and their responsibilities. - Identify the key **subsystems or functional domains** in this project. - Explain what role each plays (e.g., request routing, encryption, config parsing). 3. Review by subsystem, focusing on high-risk classes: - input validation, authn/authz, secrets/logging, crypto, deserialization, SSRF, dependency risks. - For each subsystem: - Highlight strengths - Identify security observations - Show file paths + relevant code - Note code quality or maintainability issues - Quote relevant code snippets or describe logic where needed. 4. Produce prioritized findings with remediation and verification steps. ## 📦 Output Format Return Markdown with the following structure. If your environment supports writing files, also write it to `Secure Code Review - {{DATE}}.md` in the project root:
fill the variables
This prompt has 1 variable. Pro fills them into a ready-to-paste prompt for you — no manual find-and-replace.
{{DATE}
Unlock with Pro →when to use it
Community prompt sourced from the open-source GitHub repo Robotti-io/copilot-security-instructions (Apache-2.0). A "Secure Code Review.prompt" style prompt — adapt the placeholders and specifics to your task. Imported as-is and not independently retested here, so check the output before relying on it.
tags
codingcommunitydeveloper
source
Robotti-io/copilot-security-instructions · Apache-2.0
more in Coding
Coding✓ tested
Senior code review (strict mode)
senior staff engineer running a merciless but fair review
Coding✓ tested
Debug by hypothesis, not by guessing
debugging partner who forms theories before touching code
Coding✓ tested
Generate tests from described behavior
test engineer who writes tests that would actually catch regressions