ipIterPrompt

Pre-Commit Security Check

A last-line security sweep your agent runs before every commit.

iterpromptUpdated 2026-06-203,110 copies

An agent skill that runs a focused security review before committing: secrets in the diff, injection risks in changed code, unsafe deserialization, and permission changes. Scoped to the diff so it's fast enough to run every time, not a full audit nobody runs.

SKILL.md

---
name: security-check
description: Security review of staged changes. Use before every commit that touches code.
---

# Pre-Commit Security Check

Before committing, review `git diff --staged` for these categories. Report findings with file:line and severity; block the commit on critical findings.

## 1. Secrets (critical — always block)

- API keys, tokens, passwords, private keys, connection strings in ANY staged file
- High-entropy strings assigned to suspicious names (key, secret, token, pwd)
- .env files or credential files being staged

## 2. Injection (in changed lines)

- SQL built by string concatenation/interpolation with external input
- Shell commands constructed from variables (`exec`, `system`, subprocess with shell=True)
- HTML rendered from user input without escaping (innerHTML, dangerouslySetInnerHTML, v-html)
- Path operations using user input without normalization (path traversal)

## 3. Data handling

- New logging of request bodies, tokens, or PII
- Unsafe deserialization of external data (pickle, eval, yaml.load without SafeLoader)
- Sensitive fields added to API responses that previously excluded them

## 4. AuthZ surface

- Route/endpoint additions: does each have an explicit auth check?
- Permission checks removed or loosened in the diff
- CORS, CSP, or cookie-flag changes

## Reporting

- Critical → refuse to commit; show the finding and the fix
- Warning → commit allowed, but list findings in the commit conversation
- Clean → say "security check: clean" in one line, don't pad

Scope discipline: review ONLY the staged diff plus enough context to judge it. This is a tripwire, not an audit.

How to use

  1. 1Save as .claude/skills/security-check/SKILL.md.
  2. 2The agent runs it automatically before commits; you can also invoke it on demand for any diff.
  3. 3Treat 'critical' blocks seriously — a leaked key in git history is a rotation incident even if you force-push over it.
  4. 4This complements (never replaces) your SAST tooling and human security review for sensitive areas.

Examples

Catching an interpolated SQL query

Input

Staged diff adds `db.query(f"SELECT * FROM users WHERE name = '{name}'")`.

Output

🔴 Critical — api/users.py:42 — SQL injection: `name` comes from the request path and is interpolated directly into the query. Fix: parameterized query `db.query("SELECT * FROM users WHERE name = %s", (name,))`. Commit blocked.

Pro tips

  • Add your org-specific rules (e.g. 'never log customer_id together with email') — the skill format makes policy executable.

Frequently asked questions

Will this slow down every commit?+

It reviews only the staged diff, so it adds seconds. The scope-discipline rule exists precisely to keep it fast enough that it actually runs every time.

Is an LLM check reliable enough for security?+

As one layer, yes — it catches the common, obvious-in-context issues (interpolated queries, logged tokens) that slip through when nobody looks. Keep secret-scanning hooks and SAST in CI as the systematic layers.

Related