Find Bugs

Find bugs, security flaws, and code issues in branch changes

✨ The solution you've been looking for

Verified

Tested and verified by our team

16036 Stars

Find bugs, security vulnerabilities, and code quality issues in local branch changes. Use when asked to review changes, find bugs, security review, or audit code on the current branch.

security code-review vulnerability-assessment git audit quality-assurance static-analysis penetration-testing

Repository

See It In Action

Interactive preview & real-world examples

Live Demo

AI Conversation Simulator

See how users interact with this skill

User Prompt

Please review the changes in my current branch for any security vulnerabilities or bugs before I submit this PR

Skill Processing

Analyzing request...

Agent Response

Detailed security assessment with prioritized findings, evidence, and concrete fix suggestions

Quick Start (3 Steps)

Get up and running in minutes

Install

claude-code skill install find-bugs

claude-code skill install find-bugs

Config

First Trigger

@find-bugs help

Commands

Command	Description	Required Args
@find-bugs pre-merge-security-review	Comprehensive security audit of code changes before merging to production	None
@find-bugs bug-hunt-in-feature-branch	Thorough code quality review focusing on logic errors and potential runtime issues	None
@find-bugs owasp-compliance-check	Standards-based security verification against common vulnerability patterns	None

Typical Use Cases

Pre-merge Security Review

Comprehensive security audit of code changes before merging to production

Bug Hunt in Feature Branch

Thorough code quality review focusing on logic errors and potential runtime issues

OWASP Compliance Check

Standards-based security verification against common vulnerability patterns

Overview

Find Bugs

Review changes on this branch for bugs, security vulnerabilities, and code quality issues.

Phase 1: Complete Input Gathering

Get the FULL diff: git diff master...HEAD
If output is truncated, read each changed file individually until you have seen every changed line
List all files modified in this branch before proceeding

Phase 2: Attack Surface Mapping

For each changed file, identify and list:

All user inputs (request params, headers, body, URL components)
All database queries
All authentication/authorization checks
All session/state operations
All external calls
All cryptographic operations

Phase 3: Security Checklist (check EVERY item for EVERY file)

Injection: SQL, command, template, header injection
XSS: All outputs in templates properly escaped?
Authentication: Auth checks on all protected operations?
Authorization/IDOR: Access control verified, not just auth?
CSRF: State-changing operations protected?
Race conditions: TOCTOU in any read-then-write patterns?
Session: Fixation, expiration, secure flags?
Cryptography: Secure random, proper algorithms, no secrets in logs?
Information disclosure: Error messages, logs, timing attacks?
DoS: Unbounded operations, missing rate limits, resource exhaustion?
Business logic: Edge cases, state machine violations, numeric overflow?

Phase 4: Verification

For each potential issue:

Check if it’s already handled elsewhere in the changed code
Search for existing tests covering the scenario
Read surrounding context to verify the issue is real

Phase 5: Pre-Conclusion Audit

Before finalizing, you MUST:

List every file you reviewed and confirm you read it completely
List every checklist item and note whether you found issues or confirmed it’s clean
List any areas you could NOT fully verify and why
Only then provide your final findings