From 4ef3a6ef789402588b9a29948ae9dec88e18db13 Mon Sep 17 00:00:00 2001
From: Andrew Grigorev
Date: Thu, 12 Mar 2026 12:54:37 +0200
Subject: [PATCH 1/6] security-review skill tends to put exact secret values to the report
---
 plugins/sentry-skills/skills/security-review/SKILL.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/sentry-skills/skills/security-review/SKILL.md b/plugins/sentry-skills/skills/security-review/SKILL.md
index 6a85366..a12eeb7 100644
--- a/plugins/sentry-skills/skills/security-review/SKILL.md
+++ b/plugins/sentry-skills/skills/security-review/SKILL.md
@@ -209,7 +209,7 @@ os.system(f"cmd {user_input}") # Command injection
 ### Always Flag (Secrets)
 ```
-password = "hardcoded"
+password = "hardcoded" # but NEVER leak exact hardcoded secrets to the report!
 api_key = "sk-..."
 AWS_SECRET_ACCESS_KEY = "..."
 private_key = "-----BEGIN"
From 816c313b7cdaf806e9d71d0ec6d3d814727d753c Mon Sep 17 00:00:00 2001
From: Andrew Grigorev
Date: Thu, 12 Mar 2026 13:06:38 +0200
Subject: [PATCH 2/6] Update SKILL.md
---
 plugins/sentry-skills/skills/security-review/SKILL.md | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/plugins/sentry-skills/skills/security-review/SKILL.md b/plugins/sentry-skills/skills/security-review/SKILL.md
index a12eeb7..1246209 100644
--- a/plugins/sentry-skills/skills/security-review/SKILL.md
+++ b/plugins/sentry-skills/skills/security-review/SKILL.md
@@ -209,12 +209,15 @@ os.system(f"cmd {user_input}") # Command injection
 ### Always Flag (Secrets)
 ```
-password = "hardcoded" # but NEVER leak exact hardcoded secrets to the report!
+password = "hardcoded"
 api_key = "sk-..."
 AWS_SECRET_ACCESS_KEY = "..."
 private_key = "-----BEGIN"
 ```
+> [!NOTE]
+> But NEVER leak exact hardcoded secret values to the report!
+
 ### Check Context First (MUST Investigate Before Flagging)
 ```
 # SSRF - ONLY if URL is from user input, NOT from settings/config
@@ -263,6 +266,9 @@ random.random() for token # FLAG: Security tokens need secrets module
 ```
 - **Fix**: [How to remediate]
+> [!NOTE]
+> Ensure "[Vulnerable code snippet]" doesn't contain exact values of hardcoded snippets, they MUST be masked or redacted in the report.
+
 ### Needs Verification
 #### [VERIFY-001] [Potential Issue]
From ec64af27e0cc2f2a68db314b1e66ada27f14915e Mon Sep 17 00:00:00 2001
From: Andrew Grigorev
Date: Thu, 12 Mar 2026 13:08:35 +0200
Subject: [PATCH 3/6] Update SKILL.md
---
 plugins/sentry-skills/skills/security-review/SKILL.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/sentry-skills/skills/security-review/SKILL.md b/plugins/sentry-skills/skills/security-review/SKILL.md
index 1246209..47e1a3c 100644
--- a/plugins/sentry-skills/skills/security-review/SKILL.md
+++ b/plugins/sentry-skills/skills/security-review/SKILL.md
@@ -267,7 +267,7 @@ random.random() for token # FLAG: Security tokens need secrets module
 - **Fix**: [How to remediate]
 > [!NOTE]
-> Ensure "[Vulnerable code snippet]" doesn't contain exact values of hardcoded snippets, they MUST be masked or redacted in the report.
+> Ensure "[Vulnerable code snippet]" doesn't contain exact values of hardcoded secrets. They MUST be masked or redacted in the report.
 ### Needs Verification
From 3b85ec1c3d7dcb1f124104673eedd23ff86d6581 Mon Sep 17 00:00:00 2001
From: Andrew Grigorev
Date: Thu, 12 Mar 2026 13:09:26 +0200
Subject: [PATCH 4/6] Update SKILL.md
---
 plugins/sentry-skills/skills/security-review/SKILL.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/sentry-skills/skills/security-review/SKILL.md b/plugins/sentry-skills/skills/security-review/SKILL.md
index 47e1a3c..55dd4e8 100644
--- a/plugins/sentry-skills/skills/security-review/SKILL.md
+++ b/plugins/sentry-skills/skills/security-review/SKILL.md
@@ -209,7 +209,7 @@ os.system(f"cmd {user_input}") # Command injection
 ### Always Flag (Secrets)
 ```
-password = "hardcoded"
+password = ""
 api_key = "sk-..."
 AWS_SECRET_ACCESS_KEY = "..."
 private_key = "-----BEGIN"
From ba40eba259967df148331179d948afe5562cbed5 Mon Sep 17 00:00:00 2001
From: Andrew Grigorev
Date: Thu, 12 Mar 2026 13:10:49 +0200
Subject: [PATCH 5/6] Update SKILL.md
---
 plugins/sentry-skills/skills/security-review/SKILL.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/plugins/sentry-skills/skills/security-review/SKILL.md b/plugins/sentry-skills/skills/security-review/SKILL.md
index 55dd4e8..6c8840a 100644
--- a/plugins/sentry-skills/skills/security-review/SKILL.md
+++ b/plugins/sentry-skills/skills/security-review/SKILL.md
@@ -266,9 +266,6 @@ random.random() for token # FLAG: Security tokens need secrets module
 ```
 - **Fix**: [How to remediate]
-> [!NOTE]
-> Ensure "[Vulnerable code snippet]" doesn't contain exact values of hardcoded secrets. They MUST be masked or redacted in the report.
-
 ### Needs Verification
 #### [VERIFY-001] [Potential Issue]
@@ -278,6 +275,9 @@ random.random() for token # FLAG: Security tokens need secrets module
 If no vulnerabilities found, state: "No high-confidence vulnerabilities identified."
+> [!NOTE]
+> Ensure "[Vulnerable code snippet]" doesn't contain exact values of hardcoded secrets. They MUST be masked or redacted in the report.
+
 ---
 ## Reference Files
From 99aa593be1ba96e52aa2cb2250bccf7d63fcee60 Mon Sep 17 00:00:00 2001
From: Andrew Grigorev
Date: Thu, 12 Mar 2026 13:13:00 +0200
Subject: [PATCH 6/6] Use alternative markdown fences to properly handle inner code block
---
 plugins/sentry-skills/skills/security-review/SKILL.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/plugins/sentry-skills/skills/security-review/SKILL.md b/plugins/sentry-skills/skills/security-review/SKILL.md
index 6c8840a..81c2797 100644
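Review bot: The new example line `password = ""` in the "Always Flag (Secrets)" block no longer reads as a hardcoded credential — an empty string literal is the shape of a blank default, and listing it here risks teaching the skill to report every empty password literal as a leaked secret. The neighbouring lines already use a neutral placeholder (`AWS_SECRET_ACCESS_KEY = "..."`), so `password = "..."` keeps the example's intent without showing any literal value. If the aim was simply to avoid having a fake value echoed back into reports, that placeholder achieves the same thing while staying consistent with the rest of the list.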
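Review bot: The `> [!NOTE]` moved to after the output-format block only constrains the "[Vulnerable code snippet]" field, but the same template has a **Fix** line and a VERIFY **Question** line where a remediation such as "replace `sk-...` with an environment variable" would echo the value just as readily, and the Summary is unconstrained too. I would broaden it to `> Never reproduce the exact value of a hardcoded secret anywhere in the report (code snippets, Fix, Question, Summary). Keep the identifier and location and replace the value with a placeholder such as "<REDACTED>"; at most keep a format prefix like "sk-" that identifies the credential type.` Because this is a prose instruction to the model rather than a post-processing step, it is also worth adding one sentence telling the skill to re-scan its own draft against the "Always Flag (Secrets)" patterns before emitting it; a deterministic redaction pass downstream would be stronger still, but that lives outside this file.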
--- a/plugins/sentry-skills/skills/security-review/SKILL.md
+++ b/plugins/sentry-skills/skills/security-review/SKILL.md
@@ -245,7 +245,7 @@ random.random() for token # FLAG: Security tokens need secrets module
 ## Output Format
-```markdown
+~~~markdown
 ## Security Review: [File/Component Name]
 ### Summary
@@ -271,7 +271,7 @@ random.random() for token # FLAG: Security tokens need secrets module
 #### [VERIFY-001] [Potential Issue]
 - **Location**: `file.py:456`
 - **Question**: [What needs to be verified]
-```
+~~~
 If no vulnerabilities found, state: "No high-confidence vulnerabilities identified."