gc-review-security

Use when reviewing code changes for Protected B security compliance. Triggers: security review, ITSG-33 compliance, GoC security, Protected B data handling, access control review, PII protection check, or requests to audit security-sensitive code.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.


Install skill "gc-review-security" with this command: npx skills add dougkeefe/gc-code-skills/dougkeefe-gc-code-skills-gc-review-security

Protected B Security Reviewer

Act as a GoC Cyber Security Specialist for Protected B applications. Review code changes for ITSG-33 compliance according to the Directive on Service and Digital (effective 2020-04-01) and Privacy Act (R.S.C. 1985, c. P-21) requirements.

Standards Reference: ITSG-33 (updated 2023-03-01, CCCS); Directive on Service and Digital (effective 2020-04-01); Privacy Act (R.S.C. 1985, c. P-21)
Last Verified: 2026-03-11

Review Process

  1. Analyze the code changes provided (diff, files, or codebase areas specified by the user)
  2. Evaluate each file against the 5-point security checklist below
  3. Categorize findings by ITSG-33 control family
  4. Output a structured findings table

Refer to checklist.md for detailed patterns and report-template.md for output format.


Security Checklist

A. Broken Access Control [ITSG-33: AC Family]

Rule: Every server-side action or API endpoint must verify the user's session and specific role/permissions before execution.

Check for:

  • Authentication check at the start of every handler/action
  • Role-based authorization (RBAC) middleware or guards
  • Insecure Direct Object Reference (IDOR) vulnerabilities - accessing resources by ID without ownership verification

Flag as [Security Error: AC] if:

  • Handler executes without session validation
  • No role/permission check before sensitive operations
  • Resource fetched by ID without verifying it belongs to the current user
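Added example (written for this page, not code from the gc-review-security skill or its checklist.md): the IDOR pattern above shown as a vulnerable handler beside its hardened form, with the session and role checks expressed as decorators so a reviewer can confirm every handler carries them. The `Session` type, the `citizen` role and the in-memory `RECORDS` store are assumptions made for the illustration.

```python
from dataclasses import dataclass
from functools import wraps
from typing import Callable, Optional


class AccessDenied(Exception):
    """Raised when the session, role or ownership check fails."""


@dataclass(frozen=True)
class Session:
    user_id: str
    roles: frozenset


# Constructed sample data: records keyed by ID, each owned by one user.
RECORDS = {
    "rec-1": {"owner": "alice", "body": "alice's benefit claim"},
    "rec-2": {"owner": "bob", "body": "bob's benefit claim"},
}


def require_session(handler: Callable) -> Callable:
    """Guard: reject any call that carries no authenticated session."""
    @wraps(handler)
    def wrapper(session: Optional[Session], *args, **kwargs):
        if session is None:
            raise AccessDenied("no authenticated session")
        return handler(session, *args, **kwargs)
    return wrapper


def require_role(role: str) -> Callable:
    """Guard: reject sessions that lack the named role (RBAC)."""
    def decorator(handler: Callable) -> Callable:
        @wraps(handler)
        def wrapper(session: Session, *args, **kwargs):
            if role not in session.roles:
                raise AccessDenied(f"role {role!r} required")
            return handler(session, *args, **kwargs)
        return wrapper
    return decorator


def get_record_vulnerable(session, record_id: str) -> dict:
    """Flag as [Security Error: AC]: the record is fetched by ID with no
    session validation and no ownership check, so any caller, authenticated
    or not, can read any record (IDOR)."""
    return RECORDS[record_id]


@require_session
@require_role("citizen")
def get_record(session: Session, record_id: str) -> dict:
    """Hardened form: session, role and ownership are all verified before
    the record is returned. A missing record and a foreign record raise the
    same error so the response does not reveal which IDs exist."""
    record = RECORDS.get(record_id)
    if record is None or record["owner"] != session.user_id:
        raise AccessDenied("record not found or not owned by caller")
    return record


def is_denied(handler: Callable, *args) -> bool:
    """Helper for the example: True if the handler refuses the call."""
    try:
        handler(*args)
    except AccessDenied:
        return True
    return False


def main() -> None:
    alice = Session(user_id="alice", roles=frozenset({"citizen"}))
    print("own record:", get_record(alice, "rec-1")["body"])
    # The vulnerable handler hands bob's record to an unauthenticated caller.
    print("IDOR:", get_record_vulnerable(None, "rec-2")["body"])
    print("hardened refuses foreign record:", is_denied(get_record, alice, "rec-2"))
    print("hardened refuses no session:", is_denied(get_record, None, "rec-1"))


if __name__ == "__main__":
    main()
```

The ownership test deliberately compares against the session's own user ID rather than a client-supplied owner field; accepting the owner from the request would reintroduce the IDOR through a different parameter.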

B. Input Validation & Sanitization [ITSG-33: SI Family]

Rule: All external inputs (request body, path and query parameters, headers, cookies) must be validated against a strict schema before use; unknown fields are rejected rather than silently dropped.

Check for:

  • Schema validation library or framework validation on all inputs
  • Parameterized queries for database operations
  • No raw SQL or query-string concatenation

Flag as [Security Error: SI] if:

  • Input used without validation
  • String concatenation in SQL/queries
  • Missing schema definition for request handlers
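Added example (written for this page, not code from the skill): the concatenated query that item B flags, run against an in-memory SQLite table so the injection is visible, beside the hardened handler that validates the request against a schema and then issues a parameterized query. The `applications` table, the `sin_suffix` field and the hand-written `SEARCH_SCHEMA`/`validate` pair are constructed for the illustration; in a real service a framework validator (pydantic, marshmallow, zod) takes the place of `validate`.

```python
import re
import sqlite3


class ValidationError(ValueError):
    """Raised when a request fails schema validation."""


# Minimal request schema: field -> (exact type, value check). re.ASCII keeps
# \d from accepting non-ASCII digits; the bool subclass of int is refused
# because type() is compared exactly.
SEARCH_SCHEMA = {
    "sin_suffix": (str, re.compile(r"\d{3}", re.ASCII).fullmatch),
    "limit": (int, lambda n: 1 <= n <= 100),
}


def validate(payload: dict, schema: dict) -> dict:
    """Return a copy of payload holding only schema fields, each type- and
    value-checked. Unknown keys are an error, not something to ignore."""
    unknown = set(payload) - set(schema)
    if unknown:
        raise ValidationError(f"unexpected fields: {sorted(unknown)}")
    clean = {}
    for name, (typ, ok) in schema.items():
        if name not in payload:
            raise ValidationError(f"missing field: {name}")
        value = payload[name]
        if type(value) is not typ or not ok(value):
            raise ValidationError(f"invalid value for {name}")
        clean[name] = value
    return clean


def rejects(payload: dict, schema: dict = SEARCH_SCHEMA) -> bool:
    """Helper for the example: True if validation refuses the payload."""
    try:
        validate(payload, schema)
    except ValidationError:
        return True
    return False


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory table of applications."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE applications (id INTEGER, sin_suffix TEXT, applicant TEXT)")
    conn.executemany(
        "INSERT INTO applications VALUES (?, ?, ?)",
        [(1, "123", "alice"), (2, "456", "bob"), (3, "789", "carol")],
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, payload: dict) -> list:
    """Flag as [Security Error: SI]: raw input concatenated into SQL."""
    sql = ("SELECT applicant FROM applications WHERE sin_suffix = '"
           + payload["sin_suffix"] + "' LIMIT " + str(payload["limit"]))
    return [row[0] for row in conn.execute(sql)]


def search(conn: sqlite3.Connection, payload: dict) -> list:
    """Hardened form: schema validation first, then a parameterized query."""
    clean = validate(payload, SEARCH_SCHEMA)
    rows = conn.execute(
        "SELECT applicant FROM applications WHERE sin_suffix = ? LIMIT ?",
        (clean["sin_suffix"], clean["limit"]),
    )
    return [row[0] for row in rows]


# Constructed attacker payload: closes the quote and makes the WHERE clause true.
INJECTION = {"sin_suffix": "x' OR '1'='1", "limit": 100}


def main() -> None:
    conn = make_db()
    print("vulnerable:", search_vulnerable(conn, INJECTION))   # every applicant
    print("hardened rejects payload:", rejects(INJECTION))
    print("hardened:", search(conn, {"sin_suffix": "456", "limit": 10}))


if __name__ == "__main__":
    main()
```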

C. Data Handling & Privacy [Privacy Act]

Rule: Personally Identifiable Information (PII) must be explicitly flagged and protected.

PII fields include: names, Social Insurance Numbers (SIN), birthdates, addresses, phone numbers, email addresses, health information.

Check for:

  • PII fields marked with metadata (e.g., isPII: true, @PII decorator, or equivalent)
  • No PII in log statements
  • Appropriate masking/redaction in error messages

Flag as [Security Error: PII] if:

  • PII fields lack protective metadata
  • Logging statements include user objects or PII fields
  • Error responses expose PII
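Added example (written for this page, not code from the skill): PII fields declared through dataclass field metadata, a redacted view that is the only representation allowed near a log call or error body, and the check a reviewer can run to see whether a given log line still carries raw PII. The `Applicant` record, its field names and the masking rule (keep the last two characters) are assumptions made for the illustration.

```python
import json
import logging
from dataclasses import asdict, dataclass, field, fields


@dataclass
class Applicant:
    applicant_id: str                                 # internal identifier, not PII
    name: str = field(metadata={"isPII": True})
    sin: str = field(metadata={"isPII": True})        # Social Insurance Number
    email: str = field(metadata={"isPII": True})
    program: str = "EI"                               # not PII


def pii_fields(obj) -> list:
    """Names of the fields the dataclass itself declares as PII, in declaration order."""
    return [f.name for f in fields(obj) if f.metadata.get("isPII")]


def mask(value: str) -> str:
    """Keep the last two characters so support staff can still correlate a
    record without the value itself being exposed."""
    return "*" * max(len(value) - 2, 0) + value[-2:]


def redacted(obj) -> dict:
    """Dictionary view of a record with every PII field masked. Only this
    view may be logged or placed in an error response."""
    data = asdict(obj)
    for name in pii_fields(obj):
        data[name] = mask(str(data[name]))
    return data


def unredacted_pii(obj, text: str) -> list:
    """Reviewer check: which raw PII values from obj appear verbatim in text?"""
    data = asdict(obj)
    return [name for name in pii_fields(obj) if str(data[name]) in text]


# Constructed sample record.
SAMPLE = Applicant(applicant_id="A-1001", name="Alice Tremblay",
                   sin="123456789", email="alice@example.ca")


def log_line_vulnerable(rec: Applicant) -> str:
    """Flag as [Security Error: PII]: the whole user object goes to the log."""
    return f"processing applicant {asdict(rec)}"


def log_line(rec: Applicant) -> str:
    """Hardened form: only the redacted view is logged."""
    return f"processing applicant {json.dumps(redacted(rec))}"


def main() -> None:
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    logging.info(log_line(SAMPLE))
    print("PII leaked by vulnerable line:", unredacted_pii(SAMPLE, log_line_vulnerable(SAMPLE)))
    print("PII leaked by hardened line:", unredacted_pii(SAMPLE, log_line(SAMPLE)))


if __name__ == "__main__":
    main()
```

Because the PII flag lives on the type, `redacted` keeps working when a field is added later; the failure mode the rule guards against is a new field that is PII but never received the metadata, which `unredacted_pii` will not catch and a reviewer must still look for.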

D. Cryptography & Transmission [ITSG-33: SC Family]

Rule: Protected B data must be encrypted in transit and at rest using CCCS-approved algorithms (ITSP.40.111) implemented in FIPS 140-validated modules.

Check for:

  • TLS 1.2 or later on every listener and outbound connection, with older protocol versions disabled
  • FIPS 140-validated cryptographic modules and CCCS-approved algorithms (ITSP.40.111); MD5 and SHA-1 only in non-security uses such as checksums or cache keys
  • Secure cookie configuration (HttpOnly, Secure, SameSite=Strict) on session cookies

Flag as [Security Error: SC] if:

  • Weak algorithms used for a security purpose (MD5 or SHA-1 for integrity, signatures, or password hashing)
  • Cookies missing the HttpOnly, Secure, or SameSite=Strict attributes
  • Hardcoded secrets or credentials (API keys, passwords, private keys) in source or configuration
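Added example (written for this page, not code from the skill): the two pattern checks behind item D that a reviewer can automate, one over a Set-Cookie header value and one over source text for weak digests and hardcoded credentials, together with a cookie builder that passes the check. The regular expressions, the `session_cookie` helper and `SAMPLE_SOURCE` are constructed for the illustration; the `usedforsecurity=False` marker is the real hashlib parameter (Python 3.9+) that records a non-security use of MD5.

```python
import re
from http.cookies import SimpleCookie

# Attributes every session cookie must carry (checklist item D).
REQUIRED_COOKIE_ATTRS = ("HttpOnly", "Secure", "SameSite=Strict")


def cookie_findings(set_cookie_value: str) -> list:
    """[Security Error: SC] findings for one Set-Cookie header value."""
    attrs = {part.strip().lower() for part in set_cookie_value.split(";")[1:]}
    return [f"cookie missing {a}" for a in REQUIRED_COOKIE_ATTRS if a.lower() not in attrs]


def session_cookie(name: str, value: str, max_age: int = 1800) -> str:
    """Build a Set-Cookie value that satisfies the checklist."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["httponly"] = True
    jar[name]["secure"] = True
    jar[name]["samesite"] = "Strict"
    jar[name]["max-age"] = max_age
    jar[name]["path"] = "/"
    return jar[name].OutputString()


# Weak digests. A line carrying usedforsecurity=False declares a non-security
# use (cache key, ETag), which the rule allows, so it is not reported.
WEAK_HASH = re.compile(r"\b(md5|sha1)\b", re.IGNORECASE)
# A credential-like name assigned a quoted literal of 8+ characters. Reading
# the value from the environment or a secret store does not match.
HARDCODED_SECRET = re.compile(
    r"(?i)\b(password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"][^'\"]{8,}['\"]"
)


def source_findings(source: str) -> list:
    """(line number, finding) pairs for a block of source text."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if WEAK_HASH.search(line) and "usedforsecurity=False" not in line:
            findings.append((lineno, "weak hash algorithm (MD5/SHA-1)"))
        if HARDCODED_SECRET.search(line):
            findings.append((lineno, "hardcoded secret or credential"))
    return findings


# Constructed sample source: two real findings, and lines that must not fire.
SAMPLE_SOURCE = '''\
import hashlib, hmac, os
API_KEY = "sk-live-0123456789abcdef"
digest = hashlib.md5(password.encode()).hexdigest()
etag = hashlib.md5(body, usedforsecurity=False).hexdigest()
api_key = os.environ["API_KEY"]
mac = hmac.new(api_key.encode(), msg, hashlib.sha256).hexdigest()
'''


def main() -> None:
    print(session_cookie("sid", "abc123"))
    print(cookie_findings("sid=abc; Path=/; SameSite=Lax"))
    for lineno, finding in source_findings(SAMPLE_SOURCE):
        print(f"line {lineno}: {finding}")


if __name__ == "__main__":
    main()
```

These are pattern checks, not proof: a digest computed through a wrapper named differently will not match `WEAK_HASH`, and a cookie set by a framework helper has to be inspected on the wire, which is why the report template ends with the SA&A disclaimer.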

E. Audit Logging [ITSG-33: AU Family]

Rule: All security-significant events must be logged for the SIEM.

Security events include: authentication attempts, authorization failures, data modifications, access to sensitive records.

Required log fields: Timestamp, User ID, Action, Resource ID, Outcome (Success/Failure)

Check for:

  • Audit log calls on security events
  • Complete log entries with required fields
  • Centralized logging service usage

Flag as [Security Error: AU] if:

  • Security-significant action has no audit log
  • Log entries missing required fields
  • Logging directly to console instead of audit service
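Added example (written for this page, not code from the skill): a central audit logger that refuses incomplete entries, next to the check a reviewer would run over existing log lines for the five required fields. The JSON line layout, the `AuditLogger` class, the `login_failed` event helper and the sample lines are constructed for the illustration; the SIEM transport is represented by a named logger.

```python
import json
import logging
from datetime import datetime, timezone
from typing import List

# Required fields from checklist item E, in report order.
REQUIRED_FIELDS = ("timestamp", "user_id", "action", "resource_id", "outcome")
OUTCOMES = {"SUCCESS", "FAILURE"}


class AuditLogger:
    """Central audit channel: every entry is validated, then emitted as one
    JSON line on a dedicated logger that the SIEM shipper reads (a print to
    the console is not an audit log). Entries are also kept in memory so the
    example can inspect what was written."""

    def __init__(self, name: str = "audit") -> None:
        self.logger = logging.getLogger(name)
        self.entries: List[dict] = []

    def record(self, user_id: str, action: str, resource_id: str,
               outcome: str, **extra) -> dict:
        if outcome not in OUTCOMES:
            raise ValueError(f"outcome must be one of {sorted(OUTCOMES)}")
        entry = {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "user_id": user_id,
            "action": action,
            "resource_id": resource_id,
            "outcome": outcome,
            **extra,
        }
        missing = [name for name in REQUIRED_FIELDS if not entry.get(name)]
        if missing:
            raise ValueError(f"audit entry missing {missing}")
        self.logger.info(json.dumps(entry, sort_keys=True))
        self.entries.append(entry)
        return entry


def missing_fields(log_line: str) -> list:
    """Reviewer check: which required fields does one audit line lack?
    A line that is not JSON at all lacks every field."""
    try:
        entry = json.loads(log_line)
    except ValueError:
        return list(REQUIRED_FIELDS)
    return [name for name in REQUIRED_FIELDS if not entry.get(name)]


# Constructed log lines: complete, emitted without a subject, and free text.
SAMPLE_LINES = [
    '{"timestamp": "2026-03-11T14:02:07+00:00", "user_id": "alice", '
    '"action": "record.read", "resource_id": "rec-1", "outcome": "SUCCESS"}',
    '{"timestamp": "2026-03-11T14:02:09+00:00", "action": "login", "outcome": "FAILURE"}',
    'user bob failed to log in',
]


def login_failed(audit: AuditLogger, user_id: str, reason: str) -> dict:
    """Security event: a failed authentication attempt, with the reason kept
    as an extra field rather than folded into the action string."""
    return audit.record(user_id, "login", "session", "FAILURE", reason=reason)


def main() -> None:
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    audit = AuditLogger()
    login_failed(audit, "bob", "bad password")
    for line in SAMPLE_LINES:
        print(missing_fields(line) or "complete", "<-", line[:60])


if __name__ == "__main__":
    main()
```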

Output Format

Present findings in a markdown table:

## Security Review Results

**Summary:** X issues found (Y critical, Z warnings)

| Status | File | Issue Found | Recommended Action |
| :--- | :--- | :--- | :--- |
| ... | ... | ... | ... |

Status values:

  • Fail - Must fix before deployment
  • ⚠️ Warning - Should address; potential risk
  • Pass - Compliant with requirements

Include the ITSG-33 control family reference (AC, SI, SC, AU) or Privacy Act reference for each finding.

End every report with:

> **Disclaimer:** This is an automated pattern-based review and does not constitute a formal Security Assessment and Authorization (SA&A). Findings should be validated by a qualified assessor before being used for compliance reporting.

