testing-security
Purpose
This skill automates security testing by integrating DAST tools (OWASP ZAP, Nuclei), SAST tools (Semgrep, Bandit), SCA tools (Snyk, Trivy), and secrets scanners (detect-secrets, TruffleHog) to identify vulnerabilities in code, applications, and secrets.
When to Use
Use this skill during CI/CD pipelines, before deployments, or for periodic audits; ideal for projects with web apps, APIs, or codebases in languages like Python, Java, or JavaScript where security flaws could lead to breaches.
Key Capabilities
- DAST: Run OWASP ZAP for active scanning of web apps, detecting issues like XSS or SQLi; use Nuclei for custom vulnerability templates.
- SAST: Execute Semgrep for pattern-based code analysis (e.g., YAML rulesets) or Bandit for Python-specific flaws like insecure imports.
- SCA: Leverage Snyk to scan dependencies for known CVEs via SBOM analysis; use Trivy for container image scanning with vulnerability databases.
- Secrets Detection: Apply detect-secrets to scan files for patterns like API keys; use TruffleHog for Git history scans to find exposed secrets.
- Integration: Combine tools in a single workflow, e.g., run SAST on code changes and DAST on staging environments.
Usage Patterns
Always configure tools via environment variables for authentication (e.g., an API-key variable for OWASP ZAP, a token variable for Snyk). Start with a baseline scan on new projects, then automate in scripts.
- Pattern 1: For CI/CD, trigger SAST on pull requests and DAST on builds; example: Use GitHub Actions to run Semgrep on diffed files.
- Pattern 2: For local testing, chain tools sequentially: first run Trivy on Docker images, then Nuclei on URLs.
- Example 1: To scan a Python repo for SAST and secrets: Install tools, run Bandit on files, then detect-secrets; output results to a JSON report for parsing.
- Example 2: For a web app, perform DAST: start OWASP ZAP in daemon mode, drive a scan of the target URL through its API, and follow with Nuclei templates for specific vulnerability checks.
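Example 1 above (SAST plus secrets on a Python repo, JSON output parsed into one result) carried through as a complete script. This is an added example for this page, not code shipped by Bandit, Semgrep or detect-secrets; it also reads Semgrep's JSON so the same parser table serves the SAST-on-pull-request pattern. Assumptions: the three CLIs are on PATH when `scan_repo()` runs, and the JSON field names are the tools' documented output shapes. The `SAMPLE_*` strings are constructed inputs so the parsers and the verdict can be exercised offline.

```python
"""Chain Bandit, Semgrep and detect-secrets on a Python repo, read each tool's
JSON output, and reduce everything to one CI exit code.

Added example for the testing-security skill page; not code from any of the
scanners. SAMPLE_* below are constructed, not real scan results."""
import json
import subprocess
import sys
from dataclasses import dataclass, asdict

# One ranking across tools: Bandit uses LOW/MEDIUM/HIGH, Semgrep INFO/WARNING/ERROR.
RANK = {"LOW": 1, "INFO": 1, "MEDIUM": 2, "WARNING": 2, "HIGH": 3, "ERROR": 3}
NAME = {1: "LOW", 2: "MEDIUM", 3: "HIGH"}


@dataclass(frozen=True)
class Finding:
    tool: str
    rule: str
    path: str
    line: int
    severity: str  # normalised to LOW / MEDIUM / HIGH


def parse_bandit(report: str) -> list:
    """Bandit `-f json`: findings live in the top-level "results" list."""
    return [Finding("bandit", r["test_id"], r["filename"], r["line_number"],
                    NAME[RANK[r["issue_severity"].upper()]])
            for r in json.loads(report).get("results", [])]


def parse_semgrep(report: str) -> list:
    """Semgrep `--json`: "results" entries carry severity under "extra"."""
    return [Finding("semgrep", r["check_id"], r["path"], r["start"]["line"],
                    NAME[RANK[r["extra"]["severity"].upper()]])
            for r in json.loads(report).get("results", [])]


def parse_detect_secrets(report: str) -> list:
    """detect-secrets baseline: "results" maps filename -> candidate secrets.
    A candidate secret has no severity field; every one is treated as HIGH."""
    results = json.loads(report).get("results", {})
    return [Finding("detect-secrets", s["type"], path, s["line_number"], "HIGH")
            for path, secrets in results.items() for s in secrets]


def verdict(findings, threshold: str = "MEDIUM") -> int:
    """CI exit code: 1 if any finding is at or above the threshold, else 0."""
    return 1 if any(RANK[f.severity] >= RANK[threshold] for f in findings) else 0


def run(cmd: list) -> str:
    """Run a scanner and return its stdout. Bandit and Semgrep exit non-zero when
    they find issues, so the exit code is not an error signal here; the JSON is.
    A missing binary surfaces as FileNotFoundError from subprocess."""
    return subprocess.run(cmd, capture_output=True, text=True).stdout


def scan_repo(repo: str = ".") -> list:
    """Run the real tools (assumed on PATH) and merge their findings."""
    findings = parse_bandit(run(["bandit", "-r", repo, "-f", "json", "-q"]))
    findings += parse_semgrep(run(["semgrep", "--config", "p/default", "--json", repo]))
    findings += parse_detect_secrets(run(["detect-secrets", "scan", repo]))
    return findings


# Constructed sample outputs in each tool's JSON shape (not real scan results).
SAMPLE_BANDIT = json.dumps({"results": [
    {"test_id": "B602", "filename": "app/run.py", "line_number": 14,
     "issue_severity": "HIGH", "issue_confidence": "HIGH",
     "issue_text": "subprocess call with shell=True identified"}]})
SAMPLE_SEMGREP = json.dumps({"results": [
    {"check_id": "no-os-system", "path": "app/run.py", "start": {"line": 9},
     "extra": {"severity": "WARNING", "message": "os.system() call"}}], "errors": []})
SAMPLE_SECRETS = json.dumps({"version": "1.4.0", "results": {
    "config/settings.py": [{"type": "AWS Access Key", "line_number": 3,
                            "hashed_secret": "<constructed>", "is_verified": False}]}})


def sample_findings() -> list:
    return (parse_bandit(SAMPLE_BANDIT) + parse_semgrep(SAMPLE_SEMGREP)
            + parse_detect_secrets(SAMPLE_SECRETS))


def demo() -> int:
    """Parse the constructed samples and return the combined verdict."""
    return verdict(sample_findings())


def main(argv) -> int:
    findings = scan_repo(argv[1]) if len(argv) > 1 else sample_findings()
    for f in findings:
        print(f"{f.severity:6} {f.tool:15} {f.rule:25} {f.path}:{f.line}")
    with open("security-report.json", "w") as fh:  # JSON report for downstream parsing
        json.dump([asdict(f) for f in findings], fh, indent=2)
    return verdict(findings)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python scan.py /path/to/repo` to invoke the real tools; with no argument it processes the constructed samples, writes `security-report.json`, and exits 1 because the Semgrep WARNING meets the MEDIUM threshold. The threshold is deliberately applied after normalisation so one CI policy covers all three tools.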
Common Commands/API
Use these exact commands in scripts or terminals; ensure dependencies are installed (e.g., via pip or Docker).
- OWASP ZAP (DAST): Start the daemon with `zap.sh -daemon -port 8080`, scan via `zap-cli -p 8080 quick-scan --spider https://target.com`, then export a report with `zap-cli -p 8080 report -o report.html -f html`. API endpoint: POST to `/JSON/core/action/newSession/`; the request must carry the daemon's API key.
- Nuclei (DAST): Run `nuclei -t templates/ -u https://target.com -o results.txt`; a config file can fix the severity levels to report.
- Semgrep (SAST): Execute `semgrep --config p/default --lang python .`; customize with a rules file:
  ```yaml
  rules:
    - id: no-os-system
      patterns:
        - pattern: os.system(...)
      # message, languages and severity are required for a valid rule
      message: "os.system() call; use subprocess with an argument list instead"
      languages: [python]
      severity: WARNING
  ```
- Bandit (SAST): Command: `bandit -r /path/to/code -f json`; ignore paths via the exclude option.
- Snyk (SCA): Authenticate first, then run `snyk test --file=requirements.txt`; API: `GET https://snyk.io/api/v1/org/{orgId}/projects` for project lists.
- Trivy (SCA): Scan image: `trivy image myimage:latest --exit-code 1 --severity CRITICAL`; further settings can be supplied via a config file.
- detect-secrets (Secrets): Run `detect-secrets scan > .secrets.baseline`; use with a Git pre-commit hook: `detect-secrets-hook --baseline .secrets.baseline`.
- TruffleHog (Secrets): Command: `trufflehog git https://github.com/repo --since-commit HEAD~1`; filter results by pattern.
Integration Notes
Integrate via scripts or orchestration tools like Jenkins or GitHub Actions; pass outputs as JSON for chaining. For auth, set each tool's authentication env vars. Use the tools' Docker images for isolated runs. Config formats: YAML for Semgrep rules (e.g., a `patterns:` list of `pattern:` entries), JSON for Snyk reports. Ensure tools are version-pinned (e.g., Semgrep v0.100.0) to avoid breaking changes.
Error Handling
Check exit codes after each command (e.g., Semgrep returns non-zero on findings); parse errors from stdout, like OWASP ZAP's JSON responses for "error" keys. Common issues: network errors in DAST (retry the scan); authentication failures (verify env vars; an invalid key produces an "Auth error" in the output). Log all outputs to files and handle failures in scripts (try/except in Python, `||` in Bash), e.g.: `zap-cli quick-scan || echo "Scan failed: $?" >> error.log`. For API calls, check HTTP status codes (e.g., 401 for unauthorized).
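The error-handling rules above (exit codes, ZAP "error" keys, HTTP status codes, retry on network errors, logging to a file) put together in one small module. This is an added example for this page, not code from ZAP, zap-cli or any other listed tool. The `FINDINGS_EXIT` table and `TRANSIENT_MARKERS` are assumptions drawn from the tools' documented behaviour and should be checked against the pinned versions; the ZAP replies in `demo()` are constructed.

```python
"""Separate "the scan found something" from "the scan failed", and retry only
what is worth retrying. Added example; not from any scanner's own code base."""
import json
import subprocess
import time
from enum import Enum


class Outcome(Enum):
    CLEAN = "clean"          # exit 0, or 2xx with no error key
    FINDINGS = "findings"    # tool ran fine and reported issues
    TRANSIENT = "transient"  # network-style failure worth a retry
    FATAL = "fatal"          # misconfiguration or crash; retrying will not help


# Exit codes that mean "issues found", not "scan broke" (assumed from docs):
# Bandit exits 1 on findings, Semgrep does so with --error, Trivy with --exit-code 1.
FINDINGS_EXIT = {"bandit": {1}, "semgrep": {1}, "trivy": {1}}
# stderr fragments that indicate a transient network problem (assumed list).
TRANSIENT_MARKERS = ("connection refused", "connection reset", "timed out",
                     "temporary failure in name resolution")


def classify_exit(tool: str, returncode: int, stderr: str) -> Outcome:
    """Map a CLI run to an Outcome using its exit code and stderr."""
    if returncode == 0:
        return Outcome.CLEAN
    if returncode in FINDINGS_EXIT.get(tool, set()):
        return Outcome.FINDINGS
    if any(m in stderr.lower() for m in TRANSIENT_MARKERS):
        return Outcome.TRANSIENT
    return Outcome.FATAL


def classify_zap(status: int, body: str) -> Outcome:
    """ZAP API reply -> Outcome. 401/403 is a bad or missing API key (fix the
    env var, do not retry); 5xx/429 is transient; any other non-2xx, a body
    that is not JSON, or an "error" key in the JSON body is fatal."""
    if status in (401, 403):
        return Outcome.FATAL
    if status == 429 or status >= 500:
        return Outcome.TRANSIENT
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return Outcome.FATAL
    if status >= 400 or "error" in data:
        return Outcome.FATAL
    return Outcome.CLEAN


def with_retry(attempt, attempts: int = 3, base_delay: float = 0.0):
    """Call attempt() until it returns something other than TRANSIENT.
    Returns (outcome, number_of_calls); the delay doubles per retry."""
    for i in range(attempts):
        outcome = attempt()
        if outcome is not Outcome.TRANSIENT:
            return outcome, i + 1
        time.sleep(base_delay * 2 ** i)
    return Outcome.TRANSIENT, attempts


def run_scanner(tool: str, cmd: list, log_path: str = "error.log"):
    """subprocess counterpart of `cmd || echo "Scan failed: $?" >> error.log`,
    except that stdout is kept for parsing and only genuine failures are logged."""
    proc = subprocess.run(cmd, capture_output=True, text=True)
    outcome = classify_exit(tool, proc.returncode, proc.stderr)
    if outcome in (Outcome.TRANSIENT, Outcome.FATAL):
        with open(log_path, "a") as log:
            log.write(f"{tool} failed (exit {proc.returncode}): {proc.stderr.strip()}\n")
    return outcome, proc.stdout


def demo():
    """Constructed flaky ZAP endpoint: two 503 replies, then a normal one."""
    replies = iter([(503, "upstream unavailable"), (503, "upstream unavailable"),
                    (200, '{"Result": "OK"}')])
    return with_retry(lambda: classify_zap(*next(replies)))


if __name__ == "__main__":
    print(demo())
```

The important design choice is that authentication failures are never retried: a 401 from ZAP or a rejected Snyk token means the env var is wrong, and retrying only delays the fix. Wrap a real call as `with_retry(lambda: run_scanner("nuclei", [...])[0])` to get the same policy for CLI tools.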
Graph Relationships
- Related to: "testing" cluster (e.g., links to unit-testing or integration-testing skills for combined workflows).
- Depends on: OWASP ZAP for DAST, Semgrep for SAST.
- Integrates with: Snyk API for SCA, TruffleHog for secrets in version control systems.