feat: add security-review skill for AI-powered codebase vulnerability scanning (#1211)

* feat: add security-review skill for AI-powered codebase vulnerability scanning

* chore: regenerate README tables

* fix: address Copilot review comments on reference files

skills/security-review/references/report-format.md

@@ -0,0 +1,194 @@
+# Security Report Format
+
+Use this template for all `/security-review` output. Generated during Step 7.
+
+---
+
+## Report Structure
+
+### Header
+```
+╔══════════════════════════════════════════════════════════╗
+║           🔐 SECURITY REVIEW REPORT                     ║
+║           Generated by: /security-review skill          ║
+╚══════════════════════════════════════════════════════════╝
+
+Project: <project name or path>
+Scan Date: <today's date>
+Scope: <files/directories scanned>
+Languages Detected: <list>
+Frameworks Detected: <list>
+```
+
+---
+
+### Executive Summary Table
+
+Always show this first — at a glance overview:
+
+```
+┌────────────────────────────────────────────────┐
+│           FINDINGS SUMMARY                     │
+├──────────────┬──────────────────────────────── ┤
+│ 🔴 CRITICAL  │  <n> findings                  │
+│ 🟠 HIGH      │  <n> findings                  │
+│ 🟡 MEDIUM    │  <n> findings                  │
+│ 🔵 LOW       │  <n> findings                  │
+│ ⚪ INFO      │  <n> findings                  │
+├──────────────┼─────────────────────────────────┤
+│ TOTAL        │  <n> findings                  │
+└──────────────┴─────────────────────────────────┘
+
+Dependency Audit: <n> vulnerable packages found
+Secrets Scan: <n> exposed credentials found
+```
+
+---
+
+### Findings (Grouped by Category)
+
+For EACH finding, use this card format:
+
+```
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+[SEVERITY EMOJI] [SEVERITY] — [VULNERABILITY TYPE]
+Confidence: HIGH / MEDIUM / LOW
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+📍 Location:  src/routes/users.js, Line 47
+
+🔍 Vulnerable Code:
+  const query = `SELECT * FROM users WHERE id = ${req.params.id}`;
+  db.execute(query);
+
+⚠️  Risk:
+  An attacker can manipulate the `id` parameter to execute arbitrary
+  SQL commands, potentially dumping the entire database, bypassing
+  authentication, or deleting data.
+
+  Example attack: GET /users/1 OR 1=1--
+
+✅ Recommended Fix:
+  Use parameterized queries:
+
+  const query = 'SELECT * FROM users WHERE id = ?';
+  db.execute(query, [req.params.id]);
+
+📚 Reference: OWASP A03:2021 – Injection
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+```
+
+---
+
+### Dependency Audit Section
+
+```
+📦 DEPENDENCY AUDIT
+══════════════════
+
+🟠 HIGH — lodash@4.17.20 (package.json)
+  CVE-2021-23337: Prototype pollution via zipObjectDeep()
+  Fix: npm install lodash@4.17.21
+
+🟡 MEDIUM — axios@0.27.2 (package.json)
+  CVE-2023-45857: CSRF via withCredentials
+  Fix: npm install axios@1.6.0
+
+⚪ INFO — express@4.18.2
+  No known CVEs. Current version is 4.19.2 — consider updating.
+```
+
+---
+
+### Secrets Scan Section
+
+```
+🔑 SECRETS & EXPOSURE SCAN
+═══════════════════════════
+
+🔴 CRITICAL — Hardcoded API Key
+  File: src/config/database.js, Line 12
+  
+  Found: STRIPE_SECRET_KEY = "sk_live_FAKE_KEY_..."
+  
+  Action Required:
+  1. Rotate this key IMMEDIATELY at https://dashboard.stripe.com
+  2. Remove from source code
+  3. Add to .env file and load via process.env.STRIPE_SECRET_KEY
+  4. Add .env to .gitignore
+  5. Audit git history — key may be in previous commits:
+     git log --all -p | grep "sk_live_"
+     Use git-filter-repo or BFG to purge from history if found.
+```
+
+---
+
+### Patch Proposals Section
+
+Only include for CRITICAL and HIGH findings:
+
+````
+🛠️  PATCH PROPOSALS
+══════════════════
+⚠️  REVIEW EACH PATCH BEFORE APPLYING — Nothing has been changed yet.
+
+─────────────────────────────────────────────
+Patch 1/3: SQL Injection in src/routes/users.js
+─────────────────────────────────────────────
+
+BEFORE (vulnerable):
+```js
+// Line 47
+const query = `SELECT * FROM users WHERE id = ${req.params.id}`;
+db.execute(query);
+```
+
+AFTER (fixed):
+```js
+// Line 47 — Fixed: Use parameterized query to prevent SQL injection
+const query = 'SELECT * FROM users WHERE id = ?';
+db.execute(query, [req.params.id]);
+```
+
+Apply this patch? (Review first — AI-generated patches may need adjustment)
+─────────────────────────────────────────────
+````
+
+---
+
+### Footer
+
+```
+══════════════════════════════════════════════════════════
+
+📋 SCAN COVERAGE
+  Files scanned:     <n>
+  Lines analyzed:    <n>
+  Scan duration:     <time>
+
+⚡ NEXT STEPS
+  1. Address all CRITICAL findings immediately
+  2. Schedule HIGH findings for current sprint
+  3. Add MEDIUM/LOW to your security backlog
+  4. Set up automated re-scanning in CI/CD pipelines
+
+💡 NOTE: This is a static analysis scan. It does not execute your
+   application and cannot detect all runtime vulnerabilities. Pair
+   with dynamic testing (DAST) for comprehensive coverage.
+
+══════════════════════════════════════════════════════════
+```
+
+---
+
+## Confidence Ratings Guide
+
+Apply to every finding:
+
+| Confidence | When to Use |
+|------------|-------------|
+| **HIGH** | Vulnerability is unambiguous. Sanitization is clearly absent. Exploitable as-is. |
+| **MEDIUM** | Vulnerability likely exists but depends on runtime context, config, or call path the agent couldn't fully trace. |
+| **LOW** | Suspicious pattern detected but could be a false positive. Flag for human review. |
+
+Never omit confidence — it helps developers prioritize their review effort.