Security: align with OWASP 2025 (supply chain, logging, info-leak, deserialization) #9
Open
mshykov wants to merge 1 commit into
Conversation
…serialization)

The existing Security and Data Privacy section covers the classic input-validation / secrets / encryption questions. OWASP's 2025 categorisation has elevated four other classes of issue that aren't currently prompted:

- Supply-chain integrity (A06:2021 → expanded for 2025): pinned deps, committed lock files, verifiable provenance. Common attack vector (think SolarWinds, codecov bash uploader, ua-parser-js).
- Security logging and monitoring failures (A09:2021 → A11 in 2025 drafts): without auth-event / access-denial / config-change logs, breach detection lags days-to-months.
- Error / exception info leak: stack traces and partial secrets in user-visible errors are a recurring forensic finding.
- Insecure deserialization (A08:2021): repeatedly tied to RCEs in the past five years (Log4Shell, Spring4Shell, etc.).

Phrased as checklist questions matching the existing section's open-ended style. No reordering or removal of existing items.
mshykov added a commit to mshykov/local-review that referenced this pull request on May 6, 2026 (merged):
…nts) (#41)

Adds a top-level CHECKLIST.md publishing the same code-review rules that internal/prompts/packs/default.md operationalizes — but phrased for human reviewers, not LLM prompts.

What's in it (~200 lines):

- 11 sections (Correctness, Security, Performance, Maintainability, Error handling, Testing, Compat, UX/a11y, Ethics, Style, Specialist review) with `- [ ] question?` checkboxes throughout
- OWASP 2025 alignment baked into Security (supply chain, info-leak, unsafe deserialization, security logging) — the four items I proposed upstream to mgreiler/code-review-checklist#9
- Severity tiers (critical/major/warning/info/nit) so reviewers know what's blocking vs informational
- Concrete measurables (functions > 50 lines, nesting > 3 levels) alongside the open-ended questions
- A "Specialist review needed?" prompt for high-risk diffs
- Reviewer-behavior guidance (acknowledge good practices, ask clarifying questions, prefer one sharp finding over five vague)
- Cross-link to local-review showing how to run the same rules automatically

Why a separate file (not just a section in README): users searching "code review checklist" find a discrete artifact; teams can fork it into their internal wiki without the install instructions; the checklist evolves on its own cadence next to the prompt packs.

Why in the local-review repo (not a separate repo, per challenge discussion): zero new maintenance surface, tightly coupled to the tool that implements it. Can graduate to a standalone repo later if it gets demand-pull traction.

README: nav-bar link + a callout block above "What it is, what it isn't" so casual visitors find it within the first scroll.

Landing page: new ".checklist-cta" section between Supported Languages and Installation. Light gradient tint so it reads as a deliberate call-out, distinct from the regular white sections but quieter than the dark Quick Start.

Two CTAs: "Open the Checklist" (green primary, points at CHECKLIST.md on GitHub) and "Run it on your code" (secondary, points at the install section).

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
What
Adds four checklist questions to the Security and Data Privacy section, aligned with categories OWASP has elevated in its 2021 → 2025 evolution that aren't currently prompted by the checklist.
Why
The existing section covers the classic injection / secrets / encryption questions well. The four additions cover failure modes that have driven major incidents in the past 5 years:
Style
Phrased as open-ended checklist questions matching the section's existing tone — no reordering or removal of existing items.
Diff
Opening as draft so you can request changes before I mark it ready. Happy to trim or split if any item doesn't fit your scope.
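Added illustration, not code from this PR or from the checklist repository: a minimal Python request handler that turns three of the four proposed questions into something a reviewer can point at in a diff. Untrusted bytes are deserialized as data-only JSON against an allowlist of fields (the "insecure deserialization" question), unhandled exceptions are logged in full server-side while the caller only ever receives a generic message plus a correlation id (the "info leak" question), and authentication failures and access denials are written as structured events to a dedicated security logger (the "security logging" question). The user table, field names, `backend` parameter and sample payloads are constructed for the example; the supply-chain item has no code-level counterpart here.

```python
import json
import logging
import traceback
import uuid
from typing import Any, Callable

# Two separate loggers: security events get their own stream so monitoring
# can alert on them without sifting through general application noise.
security_log = logging.getLogger("security")
app_log = logging.getLogger("app")

# Constructed in-memory user table for the example (hypothetical data).
USERS = {"alice": {"role": "admin"}, "bob": {"role": "viewer"}}

# Allowlist of fields a request may carry; anything else is rejected up front.
ALLOWED_FIELDS = {"user", "action", "target"}


def log_security_event(event: str, **fields: Any) -> dict:
    """Emit one structured security event (auth failure, access denial, ...).

    The record is returned so callers and tests can inspect what was logged."""
    record = {"event": event, **fields}
    security_log.warning(json.dumps(record, sort_keys=True))
    return record


def parse_request(raw: bytes) -> dict:
    """Deserialize untrusted bytes safely.

    Data-only JSON instead of a format that can instantiate arbitrary objects
    (pickle, yaml.load without SafeLoader, Java native serialization), plus an
    allowlist of keys and a type check on every value."""
    try:
        data = json.loads(raw)
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError("malformed request body") from exc
    if not isinstance(data, dict):
        raise ValueError("request body must be a JSON object")
    if set(data) - ALLOWED_FIELDS:
        raise ValueError("unexpected fields in request body")
    for key in ALLOWED_FIELDS:
        if not isinstance(data.get(key), str):
            raise ValueError(f"field {key!r} must be a string")
    return data


def handle(raw: bytes, backend: Callable[[dict], Any] = lambda req: None) -> tuple:
    """Process one request and return (status, body).

    `backend` stands in for whatever does the real work; it is a parameter so
    the unhandled-exception path can be exercised. The body handed back to the
    caller never contains a stack trace, exception text or internal state."""
    correlation_id = uuid.uuid4().hex
    try:
        req = parse_request(raw)
        user = USERS.get(req["user"])
        if user is None:
            log_security_event("auth_failure", user=req["user"], id=correlation_id)
            return 401, {"error": "authentication failed", "id": correlation_id}
        if req["action"] == "delete" and user["role"] != "admin":
            log_security_event("access_denied", user=req["user"], action=req["action"],
                               target=req["target"], id=correlation_id)
            return 403, {"error": "forbidden", "id": correlation_id}
        backend(req)
        return 200, {"ok": True, "id": correlation_id}
    except ValueError as exc:
        # Client-side mistake: the message only describes the input contract.
        return 400, {"error": str(exc), "id": correlation_id}
    except Exception:
        # Info-leak item: the full traceback goes to the server log under the
        # correlation id; the caller gets a generic message and the id to quote.
        app_log.error("unhandled error id=%s\n%s", correlation_id, traceback.format_exc())
        return 500, {"error": "internal error", "id": correlation_id}


if __name__ == "__main__":
    # Constructed sample payloads: a normal read, a denied delete, an unknown
    # user, and a payload smuggling an unexpected field.
    samples = [
        b'{"user": "bob", "action": "read", "target": "doc-1"}',
        b'{"user": "bob", "action": "delete", "target": "doc-1"}',
        b'{"user": "mallory", "action": "read", "target": "doc-1"}',
        b'{"user": "alice", "action": "read", "target": "x", "__class__": "evil"}',
    ]
    for sample in samples:
        print(handle(sample))
```

The two loggers are deliberate: the `security` stream is what a reviewer should expect to see wired to alerting, while `app` holds the verbose diagnostics that must never be echoed to a client. The correlation id is the bridge between the two, so a support ticket quoting the id leads straight to the full trace without the trace ever leaving the server.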