安全修复审查工具 - 验证代码修复是否解决安全漏洞且无回归

fix-review by trailofbits/skills

400 周安装量

3,900 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/trailofbits/skills --skill fix-review

自动化测试安全

🇨🇳中文介绍

修复审查

通过差异分析验证提交是否解决了安全发现且未引入新缺陷。

使用时机

审查针对安全审计报告的修复分支
验证修复提交是否确实解决了发现的问题
检查特定发现项（TOB-XXX 格式）是否已修复
分析提交范围以发现引入缺陷的模式
将代码变更与审计建议进行交叉比对

不适用时机

初始安全审计（使用 audit-context-building 或 differential-review）
没有特定基线或发现项集的代码审查
没有先前审计的全新开发项目
仅涉及文档的变更

常见错误理由（请勿跳过）

错误理由	为何错误	必需行动
"提交信息说它修复了 TOB-XXX"	信息可能不实；代码才是真相	验证实际的代码变更是否解决了该发现项
"小修复，不可能引入新缺陷"	小变更也可能导致大问题	分析所有变更以查找反模式
"我会检查重要的发现项"	所有发现项都重要	系统地检查每一项发现
"测试通过了"	测试可能未覆盖修复内容	验证修复逻辑，而不仅仅是测试状态
"同一位开发者，他们熟悉代码"	熟悉可能导致盲点

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

输入	是否必需	格式
源提交	是	Git 提交哈希值或引用（修复前的基线）
目标提交	是	一个或多个待分析的提交哈希值
安全报告	否	本地路径、URL 或 Google Drive 链接

状态	含义
FIXED	代码变更直接解决了该发现项
PARTIALLY_FIXED	部分方面已解决，其他方面仍存在
NOT_ADDRESSED	未找到相关变更
CANNOT_DETERMINE	上下文不足，无法验证

阶段 1：输入收集

从用户处收集所需输入：

Source commit:  [hash/ref before fixes]
Target commit:  [hash/ref to analyze]
Report:         [optional: path, URL, or "none"]

如果用户提供多个目标提交，则使用相同的源提交分别处理每个目标提交。

阶段 2：报告检索

当提供安全报告时，根据格式检索：

本地文件（PDF、MD、JSON、HTML）： 使用 Read 工具直接读取文件。Claude 原生支持处理 PDF。

URL： 使用 WebFetch 工具获取网页内容。

失败的 Google Drive URL： 有关使用 gdrive CLI 的 Google Drive 备用逻辑，请参阅 references/report-parsing.md。

阶段 3：发现项提取

解析报告以提取发现项：

Trail of Bits 格式：

查找 "Detailed Findings" 部分
提取匹配模式 TOB-[A-Z]+-[0-9]+ 的发现项
捕获：ID、标题、严重性、描述、受影响文件

编号的发现项（Finding 1, Finding 2）
基于严重性的部分（Critical, High, Medium, Low）
包含 findings 数组的 JSON

详细的解析策略请参阅 references/report-parsing.md。

阶段 4：提交分析

对于每个目标提交，分析提交范围：

# 获取从源提交到目标提交的提交列表
git log <source>..<target> --oneline

# 获取完整差异
git diff <source>..<target>

# 获取变更的文件
git diff <source>..<target> --name-only

对于范围内的每个提交：

检查差异以查找引入缺陷的模式
检查是否存在安全反模式（参见 references/bug-detection.md）
将变更映射到相关的发现项

阶段 5：发现项验证

对于报告中的每个发现项：

识别相关提交 - 通过以下方式匹配：
- 发现项中提到的文件路径
- 发现项描述中的函数/变量名
- 提交信息中引用的发现项 ID
验证修复 - 检查：
- 根本原因是否得到解决（不仅仅是症状）
- 修复是否遵循报告的建议
- 是否引入了新的漏洞
分配状态 - 基于证据：
- FIXED：明确的代码变更解决了该发现项
- PARTIALLY_FIXED：部分方面已修复，其他方面仍存在
- NOT_ADDRESSED：无相关变更
- CANNOT_DETERMINE：需要更多上下文
记录证据 - 对于每个发现项：
- 解决该问题的提交哈希值
- 具体的文件和行变更
- 修复如何解决根本原因

详细的匹配策略请参阅 references/finding-matching.md。

阶段 6：输出生成

生成两个输出：

1. 报告文件 (FIX_REVIEW_REPORT.md):

# 修复审查报告

**源提交:** <commit>
**目标提交:** <commit>
**报告:** <path or "none">
**日期:** <date>

## 执行摘要

[简要概述：审查了 X 个发现项，修复了 Y 个，存在 Z 个问题]

## 发现项状态

| ID | 标题 | 严重性 | 状态 | 证据 |
|----|-------|----------|--------|----------|
| TOB-XXX-1 | 发现项标题 | High | FIXED | abc123 |
| TOB-XXX-2 | 另一个发现项 | Medium | NOT_ADDRESSED | - |

## 缺陷引入问题

[在变更中检测到的任何潜在缺陷或回归问题]

## 按提交分析

### 提交 abc123: "修复 withdraw() 中的重入问题"

**变更的文件:** contracts/Vault.sol
**解决的发现项:** TOB-XXX-1
**问题:** 无

[详细分析]

## 建议

[任何需要的后续行动]

2. 对话摘要：

在对话中提供简洁的摘要：

发现项总数：X
已修复：Y
未解决：Z
问题：[列出任何缺陷引入风险]

分析提交以查找安全反模式。需要关注的关键模式：

访问控制弱化（修饰符被移除）
验证移除（require/assert 被删除）
错误处理减少（try/catch 被移除）
外部调用顺序改变（状态在调用之后）
整数运算变更（SafeMath 被移除）
加密弱化

全面的检测模式和示例请参阅 references/bug-detection.md。

与其他技能的集成

differential-review: 用于变更的初始安全审查（审计前）

issue-writer: 用于将发现项格式化为正式的审计报告

audit-context-building: 在分析复杂修复时用于获取深度上下文

有效审查的技巧

验证实际的代码变更，而不仅仅是提交信息
检查修复是否解决了根本原因，而不仅仅是症状
查找相邻代码中意外的副作用
交叉引用可能相互作用的多个发现项
为每个状态分配记录证据

将提交信息作为修复的证据
因为发现项看起来次要而跳过
假设测试通过就意味着修复正确
忽略"修复"范围之外的变更
在没有明确证据的情况下标记为 FIXED

详细指南请查阅：

references/finding-matching.md - 将提交与发现项匹配的策略
references/bug-detection.md - 全面的反模式检测
references/report-parsing.md - 解析不同报告格式，Google Drive 备用方案

🇺🇸English

Fix Review

Differential analysis to verify commits address security findings without introducing bugs.

When to Use

Reviewing fix branches against security audit reports
Validating that remediation commits actually address findings
Checking if specific findings (TOB-XXX format) have been fixed
Analyzing commit ranges for bug introduction patterns
Cross-referencing code changes with audit recommendations

When NOT to Use

Initial security audits (use audit-context-building or differential-review)
Code review without a specific baseline or finding set
Greenfield development with no prior audit
Documentation-only changes

Rationalizations (Do Not Skip)

Rationalization	Why It's Wrong	Required Action
"The commit message says it fixes TOB-XXX"	Messages lie; code tells truth	Verify the actual code change addresses the finding
"Small fix, no new bugs possible"	Small changes cause big bugs	Analyze all changes for anti-patterns
"I'll check the important findings"	All findings matter	Systematically check every finding
"The tests pass"	Tests may not cover the fix	Verify fix logic, not just test status
"Same developer, they know the code"	Familiarity breeds blind spots	Fresh analysis of every change

Quick Reference

Input Requirements

Input	Required	Format
Source commit	Yes	Git commit hash or ref (baseline before fixes)
Target commit(s)	Yes	One or more commit hashes to analyze
Security report	No	Local path, URL, or Google Drive link

Finding Status Values

Status	Meaning
FIXED	Code change directly addresses the finding
PARTIALLY_FIXED	Some aspects addressed, others remain
NOT_ADDRESSED	No relevant changes found
CANNOT_DETERMINE	Insufficient context to verify

Workflow

Phase 1: Input Gathering

Collect required inputs from user:

Source commit:  [hash/ref before fixes]
Target commit:  [hash/ref to analyze]
Report:         [optional: path, URL, or "none"]

If user provides multiple target commits, process each separately with the same source.

Phase 2: Report Retrieval

When a security report is provided, retrieve it based on format:

Local file (PDF, MD, JSON, HTML): Read the file directly using the Read tool. Claude processes PDFs natively.

URL: Fetch web content using the WebFetch tool.

Google Drive URL that fails: See references/report-parsing.md for Google Drive fallback logic using gdrive CLI.

Phase 3: Finding Extraction

Parse the report to extract findings:

Trail of Bits format:

Look for "Detailed Findings" section
Extract findings matching pattern: TOB-[A-Z]+-[0-9]+
Capture: ID, title, severity, description, affected files

Other formats:

Numbered findings (Finding 1, Finding 2)
Severity-based sections (Critical, High, Medium, Low)
JSON with findings array

See references/report-parsing.md for detailed parsing strategies.

Phase 4: Commit Analysis

For each target commit, analyze the commit range:

# Get commit list from source to target
git log <source>..<target> --oneline

# Get full diff
git diff <source>..<target>

# Get changed files
git diff <source>..<target> --name-only

For each commit in the range:

Examine the diff for bug introduction patterns
Check for security anti-patterns (see references/bug-detection.md)
Map changes to relevant findings

Phase 5: Finding Verification

For each finding in the report:

Identify relevant commits - Match by:
- File paths mentioned in finding
- Function/variable names in finding description
- Commit messages referencing the finding ID
Verify the fix - Check that:
- The root cause is addressed (not just symptoms)
- The fix follows the report's recommendation
- No new vulnerabilities are introduced
Assign status - Based on evidence:
- FIXED: Clear code change addresses the finding
- PARTIALLY_FIXED: Some aspects fixed, others remain
- NOT_ADDRESSED: No relevant changes
- CANNOT_DETERMINE: Need more context
Document evidence - For each finding:
- Commit hash(es) that address it
- Specific file and line changes
- How the fix addresses the root cause

See references/finding-matching.md for detailed matching strategies.

Phase 6: Output Generation

Generate two outputs:

1. Report file (FIX_REVIEW_REPORT.md):

# Fix Review Report

**Source:** <commit>
**Target:** <commit>
**Report:** <path or "none">
**Date:** <date>

## Executive Summary

[Brief overview: X findings reviewed, Y fixed, Z concerns]

## Finding Status

| ID | Title | Severity | Status | Evidence |
|----|-------|----------|--------|----------|
| TOB-XXX-1 | Finding title | High | FIXED | abc123 |
| TOB-XXX-2 | Another finding | Medium | NOT_ADDRESSED | - |

## Bug Introduction Concerns

[Any potential bugs or regressions detected in the changes]

## Per-Commit Analysis

### Commit abc123: "Fix reentrancy in withdraw()"

**Files changed:** contracts/Vault.sol
**Findings addressed:** TOB-XXX-1
**Concerns:** None

[Detailed analysis]

## Recommendations

[Any follow-up actions needed]

2. Conversation summary:

Provide a concise summary in the conversation:

Total findings: X
Fixed: Y
Not addressed: Z
Concerns: [list any bug introduction risks]

Bug Detection

Analyze commits for security anti-patterns. Key patterns to watch:

Access control weakening (modifiers removed)
Validation removal (require/assert deleted)
Error handling reduction (try/catch removed)
External call reordering (state after call)
Integer operation changes (SafeMath removed)
Cryptographic weakening

See references/bug-detection.md for comprehensive detection patterns and examples.

Integration with Other Skills

differential-review: For initial security review of changes (before audit)

issue-writer: To format findings into formal audit reports

audit-context-building: For deep context when analyzing complex fixes

Tips for Effective Reviews

Do:

Verify the actual code change, not just commit messages
Check that fixes address root causes, not symptoms
Look for unintended side effects in adjacent code
Cross-reference multiple findings that may interact
Document evidence for every status assignment

Don't:

Trust commit messages as proof of fix
Skip findings because they seem minor
Assume passing tests mean correct fixes
Ignore changes outside the "fix" scope
Mark FIXED without clear evidence

Reference Files

For detailed guidance, consult:

references/finding-matching.md - Strategies for matching commits to findings
references/bug-detection.md - Comprehensive anti-pattern detection
references/report-parsing.md - Parsing different report formats, Google Drive fallback

Weekly Installs

400

Repository

trailofbits/skills

GitHub Stars

3.9K

First Seen

Jan 19, 2026

Security Audits

Gen Agent Trust HubFail SocketPass SnykWarn

Installed on

claude-code361

opencode313

gemini-cli299

codex286

cursor281

github-copilot246

通过 LiteLLM 代理让 Claude Code 对接 GitHub Copilot 运行 | 高级变通方案指南

22,200 周安装