From fortify
Reviews code changes for security issues by matching new/modified code against checks for authentication, authorization, injection, deserialization, XSS, file handling, and IaC security. Activated on Fortify change review requests or when code touches security-sensitive areas.
How this skill is triggered — by the user, by Claude, or both
Slash command
/fortify:fortify-change-reviewThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
> **Scope:** Load only checks relevant to the specific change in front of you. Do not audit the full codebase, load references speculatively, or surface security advice outside these steps.
references/apply-checks.mdreferences/finding-standards.mdreferences/identify-changes.mdreferences/sc-ai-agent-safety.mdreferences/sc-authentication.mdreferences/sc-authorization.mdreferences/sc-crypto-transport.mdreferences/sc-deserialization.mdreferences/sc-file-path.mdreferences/sc-iac-aws.mdreferences/sc-iac-azure.mdreferences/sc-iac-gcp.mdreferences/sc-iac-kubernetes.mdreferences/sc-injection.mdreferences/sc-logging-audit.mdreferences/sc-ssrf.mdreferences/sc-xss-output.mdreferences/sc-xxe.mdreferences/supported-categories.mdScope: Load only checks relevant to the specific change in front of you. Do not audit the full codebase, load references speculatively, or surface security advice outside these steps.
Determine which path applies and follow it before proceeding to Step 1.
The skill was triggered because the AI coding agent is actively writing or modifying code in this conversation. The change set is the code being generated or edited right now. Proceed directly to Step 1.
A security review has been explicitly requested — by a user, an orchestrator, or a CI/CD pipeline. Determine whether the change set (diff and/or file list) has already been provided in the prompt:
references/identify-changes.md and follow its discovery workflow to identify and confirm the change set before proceeding to Step 1.Scan the change against the table below — each matched row is a check candidate. Match on intent (e.g., "user asked to add login") as well as code patterns.
| Signal | Check |
|---|---|
| New endpoint, route, controller, resolver, or handler | references/sc-authorization.md |
| Resource accessed by userId / tenantId / accountId from request | references/sc-authorization.md |
| Admin action added, or authorization / validation check bypassed ← high-risk | references/sc-authorization.md |
| Database query, ORM filter, or search/sort/filter incorporating external input | references/sc-injection.md |
eval, shell execution, dynamic command construction, or deserialized object from external source | references/sc-deserialization.md |
innerHTML, dangerouslySetInnerHTML, v-html, template rendering, or Markdown/HTML rendering of user data | references/sc-xss-output.md |
| File upload, download, filename, or path derived from user input | references/sc-file-path.md |
| Archive extraction with user-supplied archives | references/sc-file-path.md |
| User-controlled URL, webhook, import-from-URL, or outbound fetch by input | references/sc-ssrf.md |
| Login, password reset, session management, OAuth/OIDC/SAML, or token generation | references/sc-authentication.md |
| Error handler, exception handler, or HTTP error response construction | references/sc-logging-audit.md |
| Log statement that includes request data, headers, or user-supplied input | references/sc-logging-audit.md |
| LLM system prompt, agent tool definition, RAG ingestion, or function-calling capability | references/sc-ai-agent-safety.md |
TLS disabled, InsecureSkipVerify, custom TrustManager, cipher config, or key management logic | references/sc-crypto-transport.md |
| XML parsing, SOAP endpoint, XML file upload/import, or DTD processing | references/sc-xxe.md |
AWS CloudFormation template, Ansible AWS task, or Terraform resource "aws_*" | references/sc-iac-aws.md |
Azure ARM template, Bicep file, Ansible Azure task, or Terraform resource "azurerm_*" | references/sc-iac-azure.md |
GCP Terraform with resource "google_*" or provider "google" | references/sc-iac-gcp.md |
| Kubernetes YAML manifest, Helm chart template, or static Pod spec | references/sc-iac-kubernetes.md |
If no rows matched: stop. Do not load any reference files or apply checks. Do not produce a Secure Change Review. Resume normal code generation.
references/apply-checks.md loaded — proceed to Steps 2 and 3 in that filenpx claudepluginhub fortify/skills --plugin fortify-skillsReviews implementation changes for vulnerabilities, insecure patterns, and coding best practices. Focuses on code deltas rather than full audits.
Audits codebases for security risks in full-audit or update modes. Scans for secrets, dependency vulnerabilities, auth issues, input validation, and OWASP risks.
Performs OWASP-based security review for code changes touching auth, APIs, databases, credentials, and user input. Required before PR for security-sensitive paths.