home / skills / getsentry / warden / find-bugs

find-bugs skill

safe

/.agents/skills/find-bugs

This skill analyzes diffs on the current branch to uncover bugs, security issues, and quality problems.

npx playbooks add skill getsentry/warden --skill find-bugs

Review the files below or copy the command above to add this skill to your agents.

Files (1)

SKILL.md

2.8 KB

---
name: find-bugs
description: Find bugs, security vulnerabilities, and code quality issues in local branch changes. Use when asked to review changes, find bugs, security review, or audit code on the current branch.
---

# Find Bugs

Review changes on this branch for bugs, security vulnerabilities, and code quality issues.

## Phase 1: Complete Input Gathering

1. Get the FULL diff: `git diff $(gh repo view --json defaultBranchRef --jq '.defaultBranchRef.name')...HEAD`
2. If output is truncated, read each changed file individually until you have seen every changed line
3. List all files modified in this branch before proceeding

## Phase 2: Attack Surface Mapping

For each changed file, identify and list:

* All user inputs (request params, headers, body, URL components)
* All database queries
* All authentication/authorization checks
* All session/state operations
* All external calls
* All cryptographic operations

## Phase 3: Security Checklist (check EVERY item for EVERY file)

* [ ] **Injection**: SQL, command, template, header injection
* [ ] **XSS**: All outputs in templates properly escaped?
* [ ] **Authentication**: Auth checks on all protected operations?
* [ ] **Authorization/IDOR**: Access control verified, not just auth?
* [ ] **CSRF**: State-changing operations protected?
* [ ] **Race conditions**: TOCTOU in any read-then-write patterns?
* [ ] **Session**: Fixation, expiration, secure flags?
* [ ] **Cryptography**: Secure random, proper algorithms, no secrets in logs?
* [ ] **Information disclosure**: Error messages, logs, timing attacks?
* [ ] **DoS**: Unbounded operations, missing rate limits, resource exhaustion?
* [ ] **Business logic**: Edge cases, state machine violations, numeric overflow?

## Phase 4: Verification

For each potential issue:

* Check if it's already handled elsewhere in the changed code
* Search for existing tests covering the scenario
* Read surrounding context to verify the issue is real

## Phase 5: Pre-Conclusion Audit

Before finalizing, you MUST:

1. List every file you reviewed and confirm you read it completely
2. List every checklist item and note whether you found issues or confirmed it's clean
3. List any areas you could NOT fully verify and why
4. Only then provide your final findings

## Output Format

**Prioritize**: security vulnerabilities > bugs > code quality

**Skip**: stylistic/formatting issues

For each issue:

* **File:Line** - Brief description
* **Severity**: Critical/High/Medium/Low
* **Problem**: What's wrong
* **Evidence**: Why this is real (not already fixed, no existing test, etc.)
* **Fix**: Concrete suggestion
* **References**: OWASP, RFCs, or other standards if applicable

If you find nothing significant, say so - don't invent issues.

Do not make changes - just report findings. I'll decide what to address.

Overview

This skill reviews changes on the current Git branch to find bugs, security vulnerabilities, and code-quality regressions. It targets TypeScript projects and produces prioritized, actionable findings without making code changes. The workflow ensures complete coverage of diffs, attack-surface mapping, and per-file verification before delivering final results.

How this skill works

The skill reads the full branch diff and inspects each changed file line-by-line. For every file it maps user inputs, DB queries, auth checks, external calls, and crypto usage, then runs a comprehensive security and correctness checklist. For each potential issue it verifies context, searches for tests or mitigations, and produces prioritized findings with concrete fixes and references.

When to use it

Before merging a feature or hotfix branch into the mainline
When you need a security-focused code review of recent changes
To audit authentication, authorization, and input handling in new code
When asked to triage bugs introduced on the current branch
Prior to release or deployment for a last-minute safety check

Best practices

Always provide the full diff; inspect each changed file until no truncation remains
Include relevant runtime context (env vars, DB schema snippets, auth flows) when available
Prioritize security and correctness issues over stylistic feedback
Confirm each finding by reading surrounding lines and searching for tests or mitigations
Document any areas that could not be fully verified (missing files, secrets, or env-specific code)

Example use cases

Reviewing a TypeScript feature branch that touches authentication and DB access
Auditing recent commits that add third-party API calls or new dependencies
Verifying fixes for reported bugs to ensure no related security regressions
Performing a pre-release security sweep focused on injection, auth, and crypto
Triaging a pull request that changes session handling or token management

FAQ

Do you modify code or create patches?

No. The skill only inspects changes and reports findings with concrete fix suggestions; it does not change files.

How exhaustive is the security checklist?

The checklist covers common and critical categories (injection, XSS, auth, CSRF, race conditions, crypto, DoS, information disclosure, and business logic). Each item is checked for every changed file.