github-security-review

MaTriXy/github-review-skill

Analyze GitHub repository security alerts and generate remediation plans. Use when the user asks to review security alerts, fix vulnerabilities, check dependabot alerts, review code scanning issues, or address secret scanning findings for a GitHub repository. Triggers on requests mentioning GitHub security, repo security review, vulnerability remediation, or security audit.

1 stars

0 forks

Python

21 views

View on GitHub Add to Favorites

SKILL.md

name: github-security-review description: Analyze GitHub repository security alerts and generate remediation plans. Use when the user asks to review security alerts, fix vulnerabilities, check dependabot alerts, review code scanning issues, or address secret scanning findings for a GitHub repository. Triggers on requests mentioning GitHub security, repo security review, vulnerability remediation, or security audit.

GitHub Security Review

Analyze GitHub security alerts (Code Scanning, Dependabot, Secret Scanning) and generate actionable remediation plans with specific code fixes.

Prerequisites

Requires gh CLI and jq. Verify before running:

gh auth status  # Must be authenticated
jq --version    # Must be installed

If gh not installed: https://cli.github.com/ If gh not authenticated: gh auth login If jq not installed: brew install jq / apt install jq

Workflow

When a user asks to review security for a repository, follow these steps:

Step 1: Verify Prerequisites

gh auth status
jq --version

Step 2: Fetch Security Data

Run the fetch script to get all security alerts as JSON:

./scripts/fetch.sh <owner/repo> | python3 scripts/analyze.py --json

Use --json output so you can analyze the raw data yourself.

Step 3: Analyze and Provide Remediation

After getting the JSON data, you must analyze each issue and provide specific remediation:

For Dependabot Alerts:

Identify the vulnerable packages and versions
Check what the patched version is
Provide the exact upgrade command for the ecosystem
If it's a major version upgrade, warn about potential breaking changes
Offer to check the package changelog for migration notes

For Code Scanning Alerts:

Read the affected files at the reported line numbers
Understand the security issue (SQL injection, XSS, etc.)
Provide a specific code fix - not generic advice
Explain why the current code is vulnerable
Show the corrected code that resolves the issue

For Secret Scanning Alerts:

Identify the type of secret exposed
Provide service-specific rotation instructions:
- AWS keys: Use IAM console to rotate, update ~/.aws/credentials
- GitHub tokens: Settings → Developer settings → Revoke and regenerate
- API keys: Go to the service's dashboard to rotate
Help remove the secret from git history if needed
Suggest using environment variables or a secrets manager

Step 4: Generate Actionable Report

Present findings in this format:

# Security Review: {repository}

## Summary
| Category | Critical | High | Medium | Low |
|----------|----------|------|--------|-----|
| ... | ... | ... | ... | ... |

## Critical Issues (Fix Immediately)

### Issue 1: {vulnerability name}
**File:** `path/to/file.js:42`
**Severity:** Critical
**Problem:** {explain the vulnerability}

**Current vulnerable code:**
```{language}
// the actual code from the file

Fixed code:

// your corrected version

Why this fixes it: {explanation}

High Priority Issues

...

Recommended Actions

{specific action with command}
{specific action with command} ...


## Important Guidelines

1. **Always read the actual source files** before suggesting fixes for code scanning issues
2. **Provide copy-paste ready commands** for dependency updates
3. **Prioritize by severity** - Critical and High first
4. **Explain the risk** of each vulnerability in plain terms
5. **Offer to apply fixes** if the user wants you to edit the files directly
6. **Check for breaking changes** when suggesting major version upgrades

## Error Handling

If fetch.sh returns empty arrays `[]` for an alert type:
- Feature may not be enabled for this repo → Enable in repo Settings > Security
- Insufficient permissions → User needs Security alerts read access
- No alerts exist (good news!)

## Example Interaction

**User:** "Review security for my-org/my-repo"

**You should:**
1. Run `./scripts/fetch.sh my-org/my-repo | python3 scripts/analyze.py --json`
2. Parse the JSON output
3. For each vulnerability:
   - Read the affected file if it's a code issue
   - Provide specific fix with actual code
4. Present prioritized remediation plan
5. Ask: "Would you like me to apply any of these fixes?"

README

GitHub Security Review Skill

A Claude Code skill that analyzes GitHub security alerts and generates actionable remediation plans.

What It Does

When you ask Claude to review security for a GitHub repository, this skill:

Fetches alerts from Code Scanning, Dependabot, and Secret Scanning
Analyzes each vulnerability and reads affected source files
Provides specific fixes - actual code changes, not generic advice
Offers to apply the fixes directly to your codebase

Usage in Claude

Simply ask Claude to review security for any GitHub repository:

Review security alerts for facebook/react

Check the dependabot alerts on https://github.com/owner/repo

What security vulnerabilities exist in my-org/my-repo?

Run a security audit on this repository

Claude will automatically trigger this skill and generate a prioritized remediation plan.

Installation

1. Install Prerequisites

Tool	Install
`gh`	`brew install gh`
`jq`	`brew install jq`

# Authenticate with GitHub
gh auth login

# Verify
gh auth status

2. Add the Skill to Claude Code

Copy the SKILL.md and scripts/ folder to your Claude Code skills directory:

# Clone this repository
git clone https://github.com/MaTriXy/github-review-skill.git

# Copy to your Claude Code skills location
cp -r github-review-skill ~/.claude/skills/github-security-review

Or add it directly to a project's .claude/skills/ directory.

How It Works

User: "Review security for owner/repo"
                    │
                    ▼
           Claude triggers skill
                    │
                    ▼
┌──────────────────────────────────────────────────────────┐
│                      fetch.sh                            │
│  Fetches via gh CLI:                                     │
│  • /repos/{owner}/{repo}/code-scanning/alerts            │
│  • /repos/{owner}/{repo}/dependabot/alerts               │
│  • /repos/{owner}/{repo}/secret-scanning/alerts          │
└─────────────────────────┬────────────────────────────────┘
                          │ JSON
                          ▼
┌──────────────────────────────────────────────────────────┐
│                     analyze.py                           │
│  • Groups alerts by severity, rule, package              │
│  • Generates fix instructions per ecosystem              │
│  • Outputs markdown remediation plan                     │
└─────────────────────────┬────────────────────────────────┘
                          │
                          ▼
              Claude presents report to user

Sample Output

When you ask Claude to review a repository, you'll get:

# Security Review: owner/repo

## Summary
| Category        | Critical | High | Medium | Low |
|-----------------|----------|------|--------|-----|
| Code Scanning   | 0        | 2    | 5      | 3   |
| Dependabot      | 1        | 3    | 2      | 0   |
| Secret Scanning | -        | -    | -      | 2   |

## Critical Issues (Fix Immediately)

### Prototype Pollution in lodash
**Severity:** Critical
**Package:** lodash < 4.17.21

This vulnerability allows attackers to modify Object.prototype,
potentially leading to remote code execution.

**Fix:**
npm install [email protected]

---

### SQL Injection in user query
**File:** `src/api/users.js:42`
**Severity:** High

**Vulnerable code:**
const query = `SELECT * FROM users WHERE id = ${userId}`;

**Fixed code:**
const query = `SELECT * FROM users WHERE id = ?`;
db.query(query, [userId]);

**Why:** Using parameterized queries prevents SQL injection attacks.

---

## Recommended Actions
1. Run `npm install [email protected]`
2. Apply the SQL injection fix to src/api/users.js
3. Rotate the exposed AWS key (see Secret Scanning section)

Would you like me to apply any of these fixes?

Trigger Phrases

The skill activates when you mention:

"security alerts"
"dependabot alerts"
"code scanning"
"secret scanning"
"vulnerability"
"security review"
"security audit"

Troubleshooting

Issue	Solution
Empty results	Enable security features in repo Settings → Security
Auth errors	Run `gh auth login`
Permission denied	You need "Security alerts" read access on the repo

Limitations

Fetches up to 100 alerts per category (GitHub API limit)
Requires gh CLI authentication with access to the target repository
Repository must have GitHub security features enabled

License

MIT

Installation

Option 1: Use slash command in Claude Code

/install-skill https://github.com/MaTriXy/github-review-skill

Option 2: Clone to skills directory

# Global (all projects)

git clone https://github.com/MaTriXy/github-review-skill ~/.claude/skills/github-review-skill

# Project-specific

git clone https://github.com/MaTriXy/github-review-skill .claude/skills/github-review-skill

Add MCP server to .cursor/mcp.json:

{
  "mcpServers": {
    "skillz": {
      "command": "npx",
      "args": ["-y", "skillz-mcp", "https://github.com/MaTriXy/github-review-skill"]
    }
  }
}

Restart Cursor after adding the configuration.

Option 1: Use Gemini CLI command

gemini extensions install https://github.com/MaTriXy/github-review-skill

Option 2: Clone to extensions directory

git clone https://github.com/MaTriXy/github-review-skill ~/.gemini/extensions/github-review-skill