Overview
The Security Gate workflow scans code changes for common vulnerability patterns before they reach main, focusing on attack vectors frequent in frontend and full-stack applications.
What It Scans
| Category | Examples |
|---|---|
| XSS vectors | dangerouslySetInnerHTML, unescaped user input in templates |
| Environment leaks | Secrets in client bundles, .env files in version control |
| SSRF | Unvalidated URLs in server-side fetch calls, open redirects |
| Dependencies | Known CVEs in installed packages, outdated security patches |
Quick Start
Install
```bash
npx skills add mclaude95/eq-foundry -s eq-review-security
```
Run a standalone scan
```
/eq-review-security
```
The scan reports findings for your review and never applies fixes itself. HIGH-severity findings always surface for human judgment.
Run as part of the full pipeline
In the Engineering Pipeline, security scanning runs automatically as one of three parallel review agents when you invoke `/eq-review`, alongside the patterns and quality checks.
Data Flow Tracing
The security review traces data flow, not just patterns. When user input enters through a form handler, the scanner follows that value through processing functions to verify sanitization before it reaches a template or database query.
When to Run
- Every PR that touches authentication, authorization, or data handling
- Every PR that adds or modifies API endpoints
- Every PR that changes environment variables or secrets configuration
- Before merge as a mandatory gate for production-bound code
Integration with eq-review
When run via `/eq-review`, security findings pass through a confidence × impact filter: each finding surfaces only if its confidence meets the threshold for its severity.
| Severity | Confidence threshold |
|---|---|
| Critical | 50%: surface even uncertain findings |
| High | 70% |
| Medium | 80% |
| Low | 90%: only high-confidence minor issues |
This prevents alert fatigue while ensuring every critical issue surfaces.
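As an added illustration of the filter described above (not code from the eq-foundry project), the snippet below applies the table's thresholds to a constructed set of findings; the finding shape, field names and sample values are assumptions.

```javascript
// Added illustration of the confidence x impact filter; not eq-foundry's code.
// Thresholds are the percentages from the table above, keyed by severity.
const CONFIDENCE_THRESHOLD = { critical: 50, high: 70, medium: 80, low: 90 };
const SEVERITY_RANK = { critical: 0, high: 1, medium: 2, low: 3 };

// A finding surfaces when its confidence (0-100) meets the threshold for its
// severity. A severity the table does not know is treated as critical, so a
// mislabelled finding is never silently dropped.
function shouldSurface(finding) {
  const severity = String(finding.severity).toLowerCase();
  const threshold = CONFIDENCE_THRESHOLD[severity] ?? CONFIDENCE_THRESHOLD.critical;
  return finding.confidence >= threshold;
}

// Apply the filter and order the survivors so the reviewer sees the most
// severe, most certain findings first.
function surfaceFindings(findings) {
  return findings.filter(shouldSurface).sort((a, b) => {
    const ra = SEVERITY_RANK[String(a.severity).toLowerCase()] ?? 0;
    const rb = SEVERITY_RANK[String(b.severity).toLowerCase()] ?? 0;
    return ra - rb || b.confidence - a.confidence;
  });
}

// Counts for a review summary line.
function summarize(findings) {
  const surfaced = surfaceFindings(findings).length;
  return { surfaced, suppressed: findings.length - surfaced };
}

// Constructed sample findings, covering the four categories the gate scans.
const SAMPLE_FINDINGS = [
  { id: 1, severity: 'critical', confidence: 55, category: 'XSS', where: 'src/Comment.jsx', note: 'dangerouslySetInnerHTML receives request-derived HTML' },
  { id: 2, severity: 'high', confidence: 65, category: 'Environment leak', where: 'src/config.js', note: 'API key literal bundled for the client' },
  { id: 3, severity: 'high', confidence: 70, category: 'SSRF', where: 'api/proxy.js', note: 'fetch() target taken from the query string' },
  { id: 4, severity: 'medium', confidence: 85, category: 'Dependencies', where: 'package-lock.json', note: 'package pinned to a version with a published advisory' },
  { id: 5, severity: 'low', confidence: 60, category: 'XSS', where: 'src/Footer.jsx', note: 'template interpolation of a constant string' },
  { id: 6, severity: 'low', confidence: 92, category: 'SSRF', where: 'api/redirect.js', note: 'redirect target restricted to relative paths' },
];

// Report: finding 2 (high, 65%) and finding 5 (low, 60%) fall below threshold.
for (const f of surfaceFindings(SAMPLE_FINDINGS)) {
  console.log(`[${f.severity.toUpperCase()} ${f.confidence}%] ${f.category}: ${f.where} - ${f.note}`);
}
console.log(summarize(SAMPLE_FINDINGS));
```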