Security Reviewer Formats
Standardize vulnerability-scan progress and final report blocks when orchestrating agent skill security assessments in audit, diff, or plan mode.
Overview
security-reviewer-formats is an agent skill most often used in Ship (also Build agent-tooling, Operate iterate) that defines Scan Status and Scan Completion report templates for vulnerability scan orchestrators.
Install
npx skills add https://github.com/microsoft/hve-core --skill security-reviewer-formatsWhat is this skill?
- Scan Status template: mode (audit, diff, plan), phase name, and 1–2 sentence user-facing status
- Audit/diff Scan Completion: report path, severity buckets (critical/high/medium/low), verification tallies
- Plan mode completion: risks, cautions, and covered-control summary without live verification counts
- Embedded caution that AI findings require qualified validation—not a SAST/DAST/pen-test replacement
- Three scanning modes: audit, diff, and plan
- Four severity buckets in completion output: critical, high, medium, low
Adoption & trust: 24 installs on skills.sh; 1.1k GitHub stars; 3/3 security scanners passed (skills.sh audits).
Who is it for?
Builders wiring HVE-style skill security pipelines who need copy-paste completion formats for audit, diff, and plan runs.
Skip if: Teams expecting turnkey SAST/DAST replacement or scanning logic without a separate security-reviewer orchestration skill.
When should I use this skill?
Orchestrating vulnerability scans and needing standardized Scan Status or Scan Completion user messages.
What do I get? / Deliverables
Orchestrators emit predictable progress and completion blocks with aligned severity and verification fields, ready to paste into reports or catalog security panels.
- Scan Status block for in-progress phases
- Scan Completion block with report path and mode-specific metrics
Recommended Skills
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Security scan reporting is the canonical ship-phase artifact even though orchestration spans setup through reporting. Completion templates encode severity counts, verification stats, and pass/fail summaries—the core security review deliverable for solo builders auditing skill packages.
Where it fits
Paste Scan Completion after a catalog skill audit to show critical/high counts before publishing.
Emit Scan Status during Profiling and Assessing so the agent UI stays readable mid-run.
Re-run diff mode and reuse the same completion block to compare verification deltas after patches.
How it compares
Format contracts for scan output—not the vulnerability rules engine or skills.sh ingest itself.
Common Questions / FAQ
Who is security-reviewer-formats for?
Solo builders and small teams orchestrating agent skill security assessments who need consistent user-facing scan status and completion text.
When should I use security-reviewer-formats?
During ship security reviews of skill repos, when diffing skill changes before release, in plan-mode risk previews, and when iterating operate workflows that re-run assessments after fixes.
Is security-reviewer-formats safe to install?
It is documentation for report shapes only; review the Security Audits panel on this Prism page and validate any real scan findings with qualified professionals.
SKILL.md
READMESKILL.md - Security Reviewer Formats
# Completion Formats ## Scan Status Format Brief status update shown to the user during orchestration. ```text **Vulnerability Scan: <PHASE>** **Mode:** <MODE> <STATUS_MESSAGE> ``` Where: * MODE: Scanning mode (`audit`, `diff`, or `plan`). * PHASE: Current phase name (Setup, Profiling, Assessing, Verifying, Reporting, Complete). * STATUS_MESSAGE: One to two sentence status update. ## Scan Completion Format Final confirmation after the report is written. ### Audit and Diff Modes ```text Report saved → <REPORT_FILE_PATH> **Mode:** <MODE> **Skills assessed:** <SKILLS_ASSESSED> **Severity:** <CRITICAL_COUNT> critical, <HIGH_COUNT> high, <MEDIUM_COUNT> medium, <LOW_COUNT> low **Verification:** <CONFIRMED_COUNT> confirmed, <DISPROVED_COUNT> disproved, <DOWNGRADED_COUNT> downgraded **Summary:** <PASS_COUNT> passed, <FAIL_COUNT> failed, <PARTIAL_COUNT> partial, <NA_COUNT> not assessed ``` > [!CAUTION] > AI-generated findings require validation by qualified security professionals. This assessment does not replace SAST, DAST, SCA, or penetration testing. ### Plan Mode ```text Report saved → <REPORT_FILE_PATH> **Mode:** plan **Skills assessed:** <SKILLS_ASSESSED> **Severity:** <CRITICAL_COUNT> critical, <HIGH_COUNT> high, <MEDIUM_COUNT> medium, <LOW_COUNT> low **Summary:** <RISK_COUNT> risks, <CAUTION_COUNT> cautions, <COVERED_COUNT> covered, <NA_COUNT> not applicable ``` > [!CAUTION] > AI-generated findings require validation by qualified security professionals. This assessment does not replace SAST, DAST, SCA, or penetration testing. Where: * REPORT_FILE_PATH: Path to the written report file. * MODE: Scanning mode (`audit` or `diff`). * SKILLS_ASSESSED: Comma-separated list of skill names. * CRITICAL_COUNT: Findings rated critical severity. * HIGH_COUNT: Findings rated high severity. * MEDIUM_COUNT: Findings rated medium severity. * LOW_COUNT: Findings rated low severity. * CONFIRMED_COUNT: Findings confirmed by adversarial verification. * DISPROVED_COUNT: Findings disproved by adversarial verification. * DOWNGRADED_COUNT: Findings with reduced severity after verification. * PASS_COUNT: Findings that passed assessment. * FAIL_COUNT: Findings that failed assessment. * PARTIAL_COUNT: Findings with partial compliance. * NA_COUNT: Findings that could not be fully assessed. * RISK_COUNT: Plan elements with theoretical vulnerability risk. * CAUTION_COUNT: Plan elements with potential concerns depending on implementation. * COVERED_COUNT: Plan elements already mitigated by existing codebase controls. ## Minimal Profile Stub Format Used when `targetSkill` bypasses the Codebase Profiler. ```markdown ## Codebase Profile **Repository:** <REPO_NAME> **Mode:** <MODE> **Primary Languages:** Unknown (profiling skipped) **Frameworks:** Unknown (profiling skipped) ### Applicable Skills - <TARGET_SKILL> ``` --- *🤖 Crafted with precision by ✨Copilot following brilliant human instruction, then carefully refined by our team of discerning human reviewers.* --- title: Finding Formats description: Finding Serialization Format and Verified Findings Collection Format for inter-subagent data exchange --- # Finding Formats ## Finding Serialization Format Each finding passed to the `Finding Deep Verifier` is a markdown block with these fields: ```text - **ID:** <FINDING_ID> - **Title:** <FINDING_TITLE> - **Status:** <FINDING_STATUS> - **Severity:** <FINDING_SEVERITY> - **Location:** <FILE_LOCATION> - **Finding:** <FINDING_DESCRIPTION> - **Recommendation:** <RECOMMENDATION> ``` ## Verified Findings Collection Format The merged collection of verified findings passed to `Report Generator` uses the following structure: * Items are grouped by skill name. * UNCHANGED items (PASS and NOT_ASSESSED) use the Finding Serialization Format with an added `- **Verdict:** UNCHANGED` field. * Verified