Sans review n validate #14

Open
jeremychoi wants to merge 3 commits into RedHatProductSecurity:main from jeremychoi:sans-review-n-validate

@jeremychoi
Member

This PR broadens secdevai-review for native/systems code, introduces a dedicated secdevai-validate skill for calibrated findings, and tightens the review flow by delegating validation and export instead of inlining them.

Changes

  • Non-web security review — Adds native/systems coverage (C, C++, Rust) with a new cwe-top25-native.context aligned to CWE/SANS Top 25 (memory safety, integer overflow, null deref, races, format strings, hardening).
  • Review skill updates — secdevai-review gains native-code auto-detection, language-adapted examples, and a validation step to cut false positives.
  • New secdevai-validate skill — Centralizes validation of findings (working as a separate agent): exploitability checks, severity calibration, and CVSS v3.1 base analysis.
  • Refactor — Removes inline validation from review; optional export path delegates to secdevai-export instead of duplicating export logic.

…p 25

Add native/systems code support (C, C++, Rust) alongside existing
OWASP Top 10 web patterns. New cwe-top25-native.context covers memory
safety (CWE-787, 416, 125, 119), integer overflow (CWE-190), null
deref (CWE-476), race conditions (CWE-362), format strings, and
compiler hardening checks. SKILL.md gains auto-detection for native
code, a subagent validation step (Step 5.5) to reduce false positives,
and C/C++/Rust language adaptation examples.

… secdevai-export

Replace inline validation logic with delegation to secdevai-validate skill
(CVSS scoring, Red Hat severity, exploitability checks). Replace inline
export code with optional user prompt that delegates to secdevai-export.

…SS analysis

Extract inline finding validation from secdevai-review into a dedicated
secdevai-validate skill. The new skill checks exploitability, calibrates
severity against Red Hat's classification, and produces CVSS v3.1 base
score analysis per finding. secdevai-review now delegates to this skill
via subagent and reports only validated, exploitable findings.

@owatkins-redhat
Collaborator

This looks great

Collaborator

@owatkins-redhat left a comment

Looks good to me
