Parent Issue

Part of #143 — 4 Code review agents before PR is opened

Overview

Create a specialized pre-PR code review agent that analyzes branch diffs only for security vulnerabilities. This agent identifies injection flaws, authentication/authorization gaps, secrets exposure, insecure deserialization, and OWASP patterns before the developer opens a pull request.

User Story

As a developer generating large volumes of code with HVE, I want a focused security review of my branch changes so that I catch vulnerabilities early — before involving reviewers in a PR — when context is fresh and fixes are small.

Requirements

Core Behavior

1. The agent MUST only analyze the branch diff (changed files and lines), not the entire codebase.
2. Issues are numbered and ordered by severity (Critical, High, Medium, Low).
3. Each issue includes the file path, line numbers, the original code snippet, and a proposed fix.

Review Focus Areas

• Injection vulnerabilities (SQL, command, LDAP, XSS)
• Authentication and authorization gaps
• Secrets, credentials, or API keys in code
• Insecure deserialization
• Sensitive data exposure (logging PII, unmasked output)
• Missing input validation and sanitization
• Insecure cryptographic practices (weak algorithms, hardcoded keys)
• Path traversal and file inclusion risks
• CSRF, SSRF, and open redirect vulnerabilities
• OWASP Top 10 patterns
• OWASP LLM Top 10 (for AI/ML code)
• OWASP ML Security Top 10 (for ML systems)

Output Format

For each issue identified, provide feedback in this format:

## Issue {number}: [Brief descriptive title]

**Priority**: Critical/High/Medium/Low
**Category**: Injection | Auth | Secrets | Crypto | Data Exposure | Input Validation
**File**: `path/to/file`
**Lines**: 45-52

### Problem
[Specific description of the security vulnerability and its risk]

### Current Code
[Exact code from the diff that has the issue]

### Suggested Fix
[Exact replacement code that remediates the vulnerability]

Deliverables

• Agent definition file (.agent.md) for the security code review agent
• Agent placed in the code-reviewer collection directory
• Agent follows HVE Core conventions and prompt-builder standards
• Output format matches the numbered, severity-ordered issue template above
• Agent scoped to branch diff only — does not review unchanged code

Acceptance Criteria

• Agent produces numbered, severity-ordered security findings
• Each finding includes file path, line numbers, original code, and proposed fix
• Agent operates exclusively on branch diff content
• Agent covers OWASP Top 10, LLM Top 10, and ML Security Top 10 patterns
• Agent works in GitHub Copilot (.github/agents/)
• No breaking changes to existing agents or workflows

Related Issues

• feat(agents): 4 Code review agents before PR is opened #143 — Parent issue: 4 Code review agents before PR is opened
• feat(agents): Engineering Agents Integration #63 — Engineering Agents Integration epic
• feat(agents): Integrate Code Reviewer Agent for Security Validation During Development #93 — Code Reviewer Agent (closed, broader scope)
• feat: Reorganize agents, instructions, prompts, and skills into collection-based subdirectories #643 — Collection-based directory reorganization