Labels: agents (Custom chat agents (.agent.md)), feature (New feature triggering minor version bump)
Parent Issue
Part of #143 — 4 Code review agents before PR is opened
Overview
Create a specialized pre-PR code review agent that analyzes branch diffs only for security vulnerabilities. This agent identifies injection flaws, authentication/authorization gaps, secrets exposure, insecure deserialization, and OWASP patterns before the developer opens a pull request.
User Story
As a developer generating large volumes of code with HVE, I want a focused security review of my branch changes so that I catch vulnerabilities early — before involving reviewers in a PR — when context is fresh and fixes are small.
Requirements
Core Behavior
- The agent MUST only analyze the branch diff (changed files and lines), not the entire codebase.
- Issues are numbered and ordered by severity (Critical, High, Medium, Low).
- Each issue includes the file path, line numbers, the original code snippet, and a proposed fix.
Review Focus Areas
- Injection vulnerabilities (SQL, command, LDAP, XSS)
- Authentication and authorization gaps
- Secrets, credentials, or API keys in code
- Insecure deserialization
- Sensitive data exposure (logging PII, unmasked output)
- Missing input validation and sanitization
- Insecure cryptographic practices (weak algorithms, hardcoded keys)
- Path traversal and file inclusion risks
- CSRF, SSRF, and open redirect vulnerabilities
- OWASP Top 10 patterns
- OWASP LLM Top 10 (for AI/ML code)
- OWASP ML Security Top 10 (for ML systems)
Output Format
For each issue identified, provide feedback in this format:
```markdown
## Issue {number}: [Brief descriptive title]
**Priority**: Critical/High/Medium/Low
**Category**: Injection | Auth | Secrets | Crypto | Data Exposure | Input Validation
**File**: `path/to/file`
**Lines**: 45-52
### Problem
[Specific description of the security vulnerability and its risk]
### Current Code
[Exact code from the diff that has the issue]
### Suggested Fix
[Exact replacement code that remediates the vulnerability]
```
Deliverables
- Agent definition file (`.agent.md`) for the security code review agent
- Agent placed in the `code-reviewer` collection directory
- Agent follows HVE Core conventions and prompt-builder standards
- Output format matches the numbered, severity-ordered issue template above
- Agent scoped to branch diff only — does not review unchanged code
Acceptance Criteria
- Agent produces numbered, severity-ordered security findings
- Each finding includes file path, line numbers, original code, and proposed fix
- Agent operates exclusively on branch diff content
- Agent covers OWASP Top 10, LLM Top 10, and ML Security Top 10 patterns
- Agent works in GitHub Copilot (`.github/agents/`)
- No breaking changes to existing agents or workflows
Related Issues
- feat(agents): 4 Code review agents before PR is opened #143 — Parent issue: 4 Code review agents before PR is opened
- feat(agents): Engineering Agents Integration #63 — Engineering Agents Integration epic
- feat(agents): Integrate Code Reviewer Agent for Security Validation During Development #93 — Code Reviewer Agent (closed, broader scope)
- feat: Reorganize agents, instructions, prompts, and skills into collection-based subdirectories #643 — Collection-based directory reorganization
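
The diff-only scope and the severity-ordered template from Core Behavior and Output Format can be exercised mechanically. The following is an added example, not part of the original issue or the HVE Core project: the sample diff is constructed, the two regex rules and all function names are illustrative assumptions, and the input is assumed to be in `git diff` format.

```python
import re

# Constructed sample in `git diff` format; the unchanged "password" line must NOT be reported.
SAMPLE_DIFF = """\
diff --git a/app/db.py b/app/db.py
--- a/app/db.py
+++ b/app/db.py
@@ -10,3 +10,4 @@ def find_user(conn, name):
     password = "legacy-unchanged-value"
-    cur.execute("SELECT * FROM users WHERE name = ?", (name,))
+    api_key = "constructed-not-a-real-key"
+    cur.execute("SELECT * FROM users WHERE name = '%s'" % name)
     return cur.fetchone()
"""
RULES = [  # (priority, category, title, pattern): illustrative, not a complete rule set
    ("High", "Secrets", "Hardcoded credential",
     re.compile(r"(api_?key|secret|password)\s*=\s*['\"][^'\"]{8,}['\"]", re.I)),
    ("Critical", "Injection", "SQL built by string formatting",
     re.compile(r"execute\(\s*[\"'].*[\"']\s*%")),
]
SEVERITY = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

def added_lines(diff):
    """Yield (path, new-file line number, text) for each line the diff adds."""
    path, lineno, in_hunk = None, 0, False
    for raw in diff.splitlines():
        if raw.startswith("diff --git "):
            in_hunk = False                      # next file: headers follow
        elif not in_hunk and raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
        elif (m := HUNK.match(raw)):
            lineno, in_hunk = int(m.group(1)), True
        elif in_hunk and raw.startswith("+"):
            yield path, lineno, raw[1:]
            lineno += 1
        elif in_hunk and raw.startswith(" "):
            lineno += 1                          # context: numbered but never scanned

def review(diff):
    """Findings for added lines only, most severe first."""
    found = [dict(priority=p, category=c, title=t, file=path, line=n, code=text.strip())
             for path, n, text in added_lines(diff) for p, c, t, rx in RULES if rx.search(text)]
    return sorted(found, key=lambda f: (SEVERITY[f["priority"]], f["file"], f["line"]))

def render(findings):
    """Fill the issue's template; Problem and Suggested Fix are left to the reviewer."""
    return "\n\n".join(
        f"## Issue {i}: {f['title']}\n**Priority**: {f['priority']}\n**Category**: {f['category']}\n"
        f"**File**: `{f['file']}`\n**Lines**: {f['line']}\n### Current Code\n{f['code']}"
        for i, f in enumerate(findings, 1))
```

Calling `render(review(SAMPLE_DIFF))` lists the Critical injection finding before the High secrets finding even though it appears later in the file, and the pre-existing hardcoded `password` line is skipped because it is unchanged context.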