Skip to main content

The Security Skills Workflow

When you run init, VibeReview stamps a security workflow into each target's skills directory. The workflow runs as a hard pre-write gate for any security-relevant coding task — it executes before the AI assistant writes code. The four skills run in order.

1. guardrails-selection

Shortlists the relevant project guardrails before any code is written. This pulls the repository-specific do's and don'ts that apply to the current change so the assistant builds on secure-by-code patterns.

2. threat-modelling

Produces a PWNISMS threat model across all seven categories for the task. This is the secure-by-design pass — the assistant reasons about what could go wrong with the feature before implementing it.

3. osv-dependency-scan

On-the-fly software composition analysis (SCA). Whenever a task adds, upgrades, or imports a third-party package, this skill scans the exact name@version against the public OSV.dev database before the dependency is introduced.

  • For HIGH/CRITICAL findings it auto-substitutes the recommended safe version, keeps building, flags the avoided vulnerability, and records it in telemetry.
  • It ships a zero-dependency Node scanner (osv-dependency-scan/scripts/osv-scan.mjs) and needs no API key.

4. vibereview-sync

Writes and syncs the structured JSON scan artifact for the task. Each avoided vulnerability is recorded as a supply-chain threats_mitigated row mapped to OWASP A06:2021, alongside an IDE-generated guardrail.

Approval gating

How intrusive the workflow is depends on the approval mode (set with --approval-mode at install or by the tenant default under MCP & Approval Mode):

ModeBehavior
autoApply guardrails silently.
criticalAsk before authentication / authorization / crypto / secrets changes.
alwaysAsk before every guardrail change.

In critical and always modes, guardrails in the critical categories are tagged requires_approval=true, so the assistant pauses for human confirmation.

Where the results go

Each run produces an event in .vibereview/scans/ that the CLI syncs to the web app. You can then inspect the threats mitigated, secure code snippets, best practices, and OWASP mappings on the project's Scans & Events screen.