bmad-security-review

Skill from bacoco/bmad-skills
What it does

Conducts comprehensive security reviews, identifying vulnerabilities, threat models, and generating prioritized remediation plans for system hardening.

Part of bacoco/bmad-skills (12 items)

Installation

Run with npx (global install):
npx bmad-skills --global

Run with npx (default location):
npx bmad-skills

Run with npx (custom path):
npx bmad-skills --path /your/custom/path

Run the install script:
curl -fsSL https://raw.githubusercontent.com/bacoco/bmad-skills/main/scripts/install-to-home.sh | bash

Clone the repository:
git clone https://github.com/bacoco/bmad-skills.git

Extracted from docs: bacoco/bmad-skills
3 installs. Added Feb 4, 2026.

Skill Details

SKILL.md

Hardens designs and implementations with structured security reviews.

Overview

# BMAD Security Review Skill

When to Invoke

Activate this skill whenever the user:

  • Requests a security, privacy, or compliance review of a feature or system.
  • Mentions threat modeling, secure design, risk assessment, or penetration testing.
  • Asks for guidance on hardening infrastructure, APIs, data flows, or deployment pipelines.
  • Needs a remediation backlog prior to launch or certification.
  • Receives external audit findings that must be triaged and addressed.

Do not invoke when the user only needs implementation help with security stories: route those to bmad-development-execution once the remediation plan exists.

Mission

Protect the product by exposing security risks early, prioritizing fixes, and embedding mitigations into the delivery plan. Deliver artifacts that downstream skills and teams can execute without ambiguity.

Inputs Required

  • Architecture decisions, diagrams, or code references (docs/architecture.md, repositories, infrastructure manifests).
  • Current product requirements, especially data handling and auth flows.
  • Any existing penetration test reports, compliance requirements, or known incidents.
  • Deployment environment details (cloud provider, runtimes, integrations).

If critical context is missing, schedule discovery steps in WORKFLOW.md before producing findings.

Outputs

  • Threat model covering data flows, trust boundaries, STRIDE analysis, and mitigations using templates in assets/.
  • Security gap assessment summarizing findings by severity with clear owners and due dates.
  • Remediation backlog with prioritized user stories and acceptance criteria ready for bmad-story-planning.
  • Optional compliance checklists (SOC2, HIPAA, GDPR) when requested.

Process

  1. Confirm prerequisites are satisfied (architecture + test strategy). Request missing artifacts.
  2. Map system boundaries and data classifications. Document entry points and critical assets.
  3. Run threat modeling workshops: enumerate threats via STRIDE/LINDDUN and rate likelihood × impact.
  4. Review code, dependencies, and infrastructure for known vulnerabilities or misconfigurations.
  5. Summarize findings with severity, evidence, and references to assets or standards violated.
  6. Translate mitigations into actionable backlog items. Align with release timelines.
  7. Provide launch go/no-go recommendation and residual risk statement.

Quality Gates

  • No critical/high risks without documented mitigation and owner.
  • Threat model reviewed against latest architecture diagram.
  • Remediation backlog linked to acceptance criteria consumable by dev/test skills.
  • Compliance requirements traced to controls or follow-up activities.

Error Handling

  • If findings rely on missing context, pause and obtain evidence before finalizing reports.
  • Escalate systemic issues (e.g., absence of IAM, encryption gaps) to product leadership via orchestrator.
  • Document assumptions; flag when runtime verification (DAST/SAST) is required beyond conversational review.

More from this repository

  • bmad-ux-design (Skill): Designs comprehensive user experiences by creating detailed wireframes, user flows, and design systems aligned with product requirements.
  • bmad-product-planning (Skill): Generates comprehensive product requirement documents (PRDs), breaks down features into epics, and creates structured roadmaps for product development.
  • core-skill-creation (Skill): Guides developers through creating specialized Claude skills by providing comprehensive workflows, best practices, and validation processes for extending Claude's capabilities.
  • bmad-development-execution (Skill): Implements software stories by writing code, creating tests, and generating implementation documentation with traceability and quality discipline.
  • bmad-observability-readiness (Skill): Establishes comprehensive observability foundations by designing instrumentation, metrics, logging, and alerting strategies for system performance and reliability.
  • openspec-change-proposal (Skill): Generates lightweight, concise proposals and task outlines for small code changes and bug fixes with minimal overhead.
  • main-workflow-router (Skill): Routes and tracks project workflows across OpenSpec (L0-1) and BMAD (L2-4) phases, intelligently guiding users through development stages based on project complexity and intent.
  • bmad-discovery-research (Skill): Brainstorms and researches project ideas by transforming vague concepts into structured discovery briefs with clear goals, constraints, and opportunities.
  • bmad-story-planning (Skill): Breaks down product epics into granular, developer-ready user stories with detailed acceptance criteria and task dependencies.
  • bmad-test-strategy (Skill): Generates comprehensive test strategies, ATDD scenarios, and quality checklists to ensure software meets defined standards and mitigates risks.