Security Review.prompt
---
name: support-security-review
description: "Security support prompt for assessing plans or diffs against policy, privacy, and threat-model requirements."
argument-hint: "Provide the code or feature to assess for security vulnerabilities"
model: ['Claude Opus 4.7 (copilot)', 'Claude Opus 4.6 (copilot)', 'Claude Sonnet 4.6 (copilot)']
agent: reviewer
tools: [todo, changes, read, search, githubRepo, web]
---
## Purpose
Guide the reviewer agent (security mode) through a structured review of the current plan or diff, ensuring risks, mitigations, and approvals are captured before the conductor proceeds.
## Instructions
- Start with a TODO fence (triple backticks, checkbox syntax) covering STRIDE categories, data handling, secrets, logging, and dependency risks.
- Load at least 2,000 surrounding lines for each relevant file to understand trust boundaries and existing safeguards.
- Use `changes` for diffs and `web` for referenced policies or advisories; cite sources with URLs and timestamps.
- Identify potential vulnerabilities, abuse cases, and compliance gaps. Classify findings by severity (`[BLOCKER]`, `[HIGH]`, `[MEDIUM]`, `[LOW]`).
- Recommend mitigations, compensating controls, and validation steps (tests, scans, audits). Note required approvals (e.g., privacy, legal, security sign-off).
- Escalate immediately if secrets or regulated data appear in the change.
## Output Format
Return Markdown with the following structure:
1. **Scope Snapshot** – summary of assets reviewed, assumptions, and threat surfaces.
2. **Findings** – table with columns `Severity`, `Area`, `Description`, `Mitigation`, `Owner`.
3. **Approvals & Dependencies** – list of required sign-offs, tickets, or follow-up reviews.
4. **Recommended Actions** – prioritized tasks for implementer/conductor, including validation steps.
5. **Verdict** – `APPROVED`, `NEEDS_MITIGATION`, or `FAILED`, plus suggested next handoff.
## Validation Checklist
- ✅ TODO fence reflects completed review checkpoints or clearly documented blockers.
- ✅ Every finding references a file/line or source link.
- ✅ Approvals and follow-up tasks include owners or escalation paths.
- ✅ No code edits or commands were executed; guidance only.when to use it
Community prompt sourced from the open-source GitHub repo kennedym-ds/copilot_orchestrator (MIT). A "Security Review.prompt" style prompt — adapt the placeholders and specifics to your task. Imported as-is and not independently retested here, so check the output before relying on it.
tags
productivitycommunitydeveloper
source
kennedym-ds/copilot_orchestrator · MIT
more in Productivity
Productivity✓ tested
Summarize a doc into decisions & actions
chief of staff who extracts what to DO, not just what was said
Productivity✓ tested
Draft a reply to a hard email
calm, direct communicator who de-escalates without caving
Productivity✓ tested
Turn a brain-dump into a weekly plan
planning coach who protects your focus, not just your calendar