DEV Community

Brandon
Brandon

Posted on

I added a Claude Code command that runs an OWASP security audit on any file before I ship it

Security reviews happen at the end of projects, when it is too late to change anything without pain. This command moves the review to whenever I am writing the code.

The command

Create .claude/commands/review-security.md:

Review the code I point to for security vulnerabilities. Check specifically for: SQL injection, XSS (cross-site scripting), CSRF, insecure direct object references, sensitive data in logs or responses, missing authentication/authorization checks, hardcoded secrets or API keys, dependency vulnerabilities. For each issue found: severity (Critical/High/Medium/Low), the CWE number, a description of the vulnerability, and the exact fix. Do not report false positives — only flag real issues. If something looks suspicious but is probably fine in context, skip it.
Enter fullscreen mode Exit fullscreen mode

The key instruction is "Do not report false positives." Without it, you get a wall of theoretical warnings that train you to ignore the output.

Example output

On a recent API route:

CRITICAL — CWE-89 (SQL Injection)
Line 34: db.query(SELECT * FROM users WHERE id =  + userId)
Fix: db.query(SELECT * FROM users WHERE id = ?, [userId])

HIGH — CWE-312 (Sensitive Data Exposure)
Line 67: Full user object returned including password_hash and salt.
Fix: Explicitly select only: id, email, display_name.
Enter fullscreen mode Exit fullscreen mode

Two real issues. No noise.

How to install

Create .claude/commands/review-security.md with the prompt above. Run /review-security in Claude Code, then point it at the file you want checked.


Full kit (75 commands + 10 CLAUDE.md templates + 8 hooks): Claude Code Power User Kit

Top comments (0)