bmad-security-review

Original：🇺🇸 English

Translated

Hardens designs and implementations with structured security reviews.

1installs

Sourcebacoco/bmad-skills

Added on2026-02-25

NPX Install

npx skill4agent add bacoco/bmad-skills bmad-security-review

SKILL.md Content

View Translation Comparison →

BMAD Security Review Skill

When to Invoke

Activate this skill whenever the user:

Requests a security, privacy, or compliance review of a feature or system.
Mentions threat modeling, secure design, risk assessment, or penetration testing.
Asks for guidance on hardening infrastructure, APIs, data flows, or deployment pipelines.
Needs a remediation backlog prior to launch or certification.
Receives external audit findings that must be triaged and addressed.

Do not invoke when the user only needs implementation help with security stories—route those to

bmad-development-execution

once the remediation plan exists.

Mission

Protect the product by exposing security risks early, prioritizing fixes, and embedding mitigations into the delivery plan. Deliver artifacts that downstream skills and teams can execute without ambiguity.

Inputs Required

Architecture decisions, diagrams, or code references (
```
docs/architecture.md
```
, repositories, infrastructure manifests).
Current product requirements, especially data handling and auth flows.
Any existing penetration test reports, compliance requirements, or known incidents.
Deployment environment details (cloud provider, runtimes, integrations).

If critical context is missing, schedule discovery steps in

WORKFLOW.md

before producing findings.

Outputs

Threat model covering data flows, trust boundaries, STRIDE analysis, and mitigations using templates in
```
assets/
```
.
Security gap assessment summarizing findings by severity with clear owners and due dates.
Remediation backlog with prioritized user stories and acceptance criteria ready for
```
bmad-story-planning
```
.
Optional compliance checklists (SOC2, HIPAA, GDPR) when requested.

Process

Confirm prerequisites are satisfied (architecture + test strategy). Request missing artifacts.
Map system boundaries and data classifications. Document entry points and critical assets.
Run threat modeling workshops: enumerate threats via STRIDE/LINDDUN and rate likelihood × impact.
Review code, dependencies, and infrastructure for known vulnerabilities or misconfigurations.
Summarize findings with severity, evidence, and references to assets or standards violated.
Translate mitigations into actionable backlog items. Align with release timelines.
Provide launch go/no-go recommendation and residual risk statement.

Quality Gates

No critical/high risks without documented mitigation and owner.
Threat model reviewed against latest architecture diagram.
Remediation backlog linked to acceptance criteria consumable by dev/test skills.
Compliance requirements traced to controls or follow-up activities.

Error Handling

If findings rely on missing context, pause and obtain evidence before finalizing reports.
Escalate systemic issues (e.g., absence of IAM, encryption gaps) to product leadership via orchestrator.
Document assumptions; flag when runtime verification (DAST/SAST) is required beyond conversational review.