Aguilera Engineering

/security-review

/security-review reads the diff on the current branch and flags security risks: injection, broken auth, secret exposure, unsafe deserialization, dependency vulnerabilities surfaced in the diff, and similar.

You’re about to open a PR that touches authentication. You want a security-focused pass before reviewers do.

~/code/api  >  /security-review

  Reviewing 3 changed files for security issues…

  HIGH   auth/middleware.go:42
         JWT secret falls back to a hardcoded string when ENV is unset.
         An attacker with the binary can forge valid tokens.

  MED    handlers/upload.go:89
         File extension checked before MIME type. Bypass by renaming
         a .php to .png.

  LOW    go.mod
         golang.org/x/crypto v0.17.0 → v0.18.0 patches CVE-2023-48795
         (Terrapin, SSH prefix truncation). Not in the diff hot path,
         but worth updating.

  3 issues found. Run with --fix to apply safe mechanical fixes.
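To make the HIGH finding concrete, here is an added example (not code from the post or from the tool) showing why the fallback is a forgery primitive and what the fail-closed fix looks like. The constant `insecureFallback`, the `JWT_SECRET` variable name and the 32-byte minimum are assumptions for the example; the tiny HS256 signer and verifier are written inline on the standard library so it runs offline.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"strings"
)

// Hypothetical default standing in for the hardcoded string the finding
// at auth/middleware.go:42 describes (constructed for this example).
const insecureFallback = "dev-secret"

// ErrNoSecret is what the hardened loader returns when JWT_SECRET is unset or too short.
var ErrNoSecret = errors.New("JWT_SECRET must be set (at least 32 bytes)")

// vulnerableSecret mirrors the flagged pattern: when the variable is unset it
// silently uses a compile-time constant, so anyone with the binary has the key.
func vulnerableSecret(getenv func(string) string) []byte {
	if s := getenv("JWT_SECRET"); s != "" {
		return []byte(s)
	}
	return []byte(insecureFallback)
}

// hardenedSecret fails closed: a missing or weak secret is a startup error, never a default.
func hardenedSecret(getenv func(string) string) ([]byte, error) {
	s := getenv("JWT_SECRET")
	if len(s) < 32 {
		return nil, ErrNoSecret
	}
	return []byte(s), nil
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signHS256 builds a minimal HS256 JWT: base64url(header).base64url(claims).base64url(HMAC).
func signHS256(claims map[string]any, key []byte) string {
	header := b64([]byte(`{"alg":"HS256","typ":"JWT"}`))
	payload, _ := json.Marshal(claims)
	signingInput := header + "." + b64(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64(mac.Sum(nil))
}

// verifyHS256 pins alg to HS256, compares the MAC in constant time and returns the claims.
func verifyHS256(token string, key []byte) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	h, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(h, &hdr) != nil || hdr.Alg != "HS256" {
		return nil, errors.New("unexpected alg")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("bad signature")
	}
	var claims map[string]any
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(payload, &claims) != nil {
		return nil, errors.New("bad payload")
	}
	return claims, nil
}

// unsetEnv simulates a deployment where JWT_SECRET was never configured.
func unsetEnv(string) string { return "" }

// forgeWithFallback plays the attacker: knowing the constant from the binary,
// mint an admin token and see whether the vulnerable server accepts it.
func forgeWithFallback() bool {
	serverKey := vulnerableSecret(unsetEnv)
	forged := signHS256(map[string]any{"sub": "attacker", "admin": true}, []byte(insecureFallback))
	_, err := verifyHS256(forged, serverKey)
	return err == nil
}

func main() {
	fmt.Println("forged token accepted by vulnerable loader:", forgeWithFallback())
	if _, err := hardenedSecret(os.Getenv); err != nil {
		fmt.Println("hardened loader refuses to start:", err)
		os.Exit(1)
	}
}
```

The fix is not a better default but no default at all: a service that cannot find its signing key should refuse to serve traffic, and the length check catches the related mistake of a placeholder like `changeme` making it to production.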

I reach for it before opening any PR that touches auth, file handling, or external input — it catches the class of mistakes that are obvious in review but easy to miss while writing.

#claude-code
