Security Scanner Skill

Purpose

This skill provides automated security scanning of codebases to identify vulnerabilities, hardcoded secrets, insecure dependencies, and unsafe coding patterns.

When to Use

Starting security assessment of a codebase
Pre-commit security checks
CI/CD pipeline security validation
Dependency vulnerability scanning
Secret detection in code
Static security analysis

Scanning Workflow

1. Secret Detection

Scan for Hardcoded Secrets:

bash

# Using grep patterns for common secrets
grep -r -i "password\s*=\s*['\"]" src/ --include="*.py" --include="*.js"
grep -r -i "api_key\s*=\s*['\"]" src/ --include="*.py" --include="*.js"
grep -r -i "secret\s*=\s*['\"]" src/ --include="*.py" --include="*.js"
grep -r -i "token\s*=\s*['\"]" src/ --include="*.py" --include="*.js"

# AWS credentials
grep -r "AKIA[0-9A-Z]{16}" src/
grep -r "aws_secret_access_key" src/

# Private keys
grep -r "BEGIN.*PRIVATE KEY" src/

# Database connection strings
grep -r "postgresql://.*:.*@" src/
grep -r "mysql://.*:.*@" src/
grep -r "mongodb://.*:.*@" src/

Use Dedicated Secret Scanners:

bash

# Gitleaks (if available)
gitleaks detect --source . --report-format json --report-path gitleaks-report.json

# Trufflehog (if available)
trufflehog filesystem . --json > trufflehog-report.json

# Git-secrets (if available)
git secrets --scan

Secrets to Look For:

API keys (AWS, Google Cloud, Azure, etc.)
Database passwords
Authentication tokens
Private keys (SSH, TLS, etc.)
OAuth secrets
Encryption keys
Service account credentials
Third-party service keys (Stripe, Twilio, etc.)

Deliverable: List of files containing potential secrets with line numbers

2. Dependency Vulnerability Scanning

Python Dependencies:

bash

# Using pip-audit (recommended)
pip-audit --desc --format json > pip-audit-report.json

# Using safety
safety check --json > safety-report.json

# Check for outdated packages
pip list --outdated --format json

Node.js Dependencies:

bash

# NPM audit
npm audit --json > npm-audit-report.json

# Yarn audit
yarn audit --json > yarn-audit-report.json

General Container/Filesystem Scanning:

bash

# Trivy (multi-language)
trivy filesystem . --format json --output trivy-report.json

# Check specific files
trivy filesystem requirements.txt
trivy filesystem package.json

Dependency Checks:

Known CVEs in dependencies
Outdated packages with security patches
Unmaintained packages
License compliance issues
Transitive dependency vulnerabilities

Deliverable: Vulnerability report with CVE IDs, severity scores, and affected packages

3. Insecure Code Pattern Detection

SQL Injection Vulnerabilities:

bash

# Python - Look for string concatenation in SQL queries
grep -r "execute.*%.*" src/ --include="*.py"
grep -r "execute.*\+.*" src/ --include="*.py"
grep -r "cursor.execute.*format" src/ --include="*.py"

# Look for string formatting in SQL
grep -r "SELECT.*{" src/ --include="*.py"
grep -r "INSERT.*{" src/ --include="*.py"
grep -r "UPDATE.*{" src/ --include="*.py"
grep -r "DELETE.*{" src/ --include="*.py"

Command Injection:

bash

# Python - subprocess with shell=True
grep -r "subprocess.*shell=True" src/ --include="*.py"
grep -r "os.system" src/ --include="*.py"
grep -r "os.popen" src/ --include="*.py"

# Node.js - child_process exec
grep -r "child_process.*exec" src/ --include="*.js"
grep -r "\.exec(" src/ --include="*.js"

Path Traversal:

bash

# Unsanitized file paths
grep -r "open(.*request\." src/ --include="*.py"
grep -r "os.path.join(.*request\." src/ --include="*.py"
grep -r "readFile(.*req\." src/ --include="*.js"

Insecure Deserialization:

bash

# Python pickle
grep -r "pickle.loads" src/ --include="*.py"
grep -r "cPickle.loads" src/ --include="*.py"

# YAML load (unsafe)
grep -r "yaml.load(" src/ --include="*.py"

# Node.js eval
grep -r "eval(" src/ --include="*.js"

Cross-Site Scripting (XSS):

bash

# HTML rendering without escaping
grep -r "\.innerHTML" src/ --include="*.js" --include="*.jsx"
grep -r "dangerouslySetInnerHTML" src/ --include="*.jsx" --include="*.tsx"

# Python templates without autoescape
grep -r "autoescape=False" src/ --include="*.py"

Weak Cryptography:

bash

# MD5, SHA1 usage
grep -r "hashlib.md5" src/ --include="*.py"
grep -r "hashlib.sha1" src/ --include="*.py"
grep -r "crypto.createHash('md5')" src/ --include="*.js"

# Weak random
grep -r "random.random(" src/ --include="*.py"
grep -r "Math.random(" src/ --include="*.js"

Deliverable: List of insecure code patterns with file locations and severity

4. Authentication & Authorization Issues

Missing Authentication:

bash

# Python Flask routes without auth decorators
grep -r "@app.route" src/ --include="*.py" -A 1 | grep -v "@login_required" | grep -v "@auth_required"

# Express routes without middleware
grep -r "app.get\|app.post" src/ --include="*.js" -A 1

Hardcoded Credentials:

bash

# Default passwords
grep -r "password.*=.*['\"]admin['\"]" src/
grep -r "password.*=.*['\"]password['\"]" src/
grep -r "password.*=.*['\"]123456['\"]" src/

# Default tokens
grep -r "token.*=.*['\"]test['\"]" src/

Session Management:

bash

# Insecure session configuration
grep -r "SESSION_COOKIE_SECURE.*False" src/ --include="*.py"
grep -r "SESSION_COOKIE_HTTPONLY.*False" src/ --include="*.py"
grep -r "SESSION_COOKIE_SAMESITE.*None" src/ --include="*.py"

Deliverable: Authentication and authorization gaps with recommendations

5. Static Analysis with Automated Tools

Python - Bandit:

bash

# Run bandit for Python security issues
bandit -r src/ -f json -o bandit-report.json

# With specific tests
bandit -r src/ -f json --severity-level medium

# Show only high severity
bandit -r src/ -ll

Multi-language - Semgrep:

bash

# Auto-detect and scan
semgrep --config=auto . --json > semgrep-report.json

# OWASP Top 10 rules
semgrep --config=p/owasp-top-ten . --json

# Security audit
semgrep --config=p/security-audit . --json

# Python-specific
semgrep --config=p/python . --json

JavaScript - ESLint Security:

bash

# With security plugin
eslint src/ --format json > eslint-report.json

# With security-specific rules
eslint src/ --plugin security --format json

Deliverable: Automated tool reports with findings categorized by severity

6. Configuration Security

Environment Files:

bash

# Check for committed .env files
find . -name ".env" -o -name ".env.*" | grep -v ".env.example"

# Check .gitignore
grep -q "\.env" .gitignore || echo "WARNING: .env not in .gitignore"

Security Headers:

bash

# Check for security header configuration
grep -r "X-Frame-Options" src/ config/
grep -r "Content-Security-Policy" src/ config/
grep -r "X-Content-Type-Options" src/ config/
grep -r "Strict-Transport-Security" src/ config/

CORS Configuration:

bash

# Overly permissive CORS
grep -r "Access-Control-Allow-Origin.*\*" src/ config/
grep -r "cors().*origin:.*\*" src/ --include="*.js"

Deliverable: Configuration security issues and recommendations

Scanning Output Format

Create a security scan report:

markdown

# Security Scan Report

**Date**: [YYYY-MM-DD]
**Scan Scope**: [path/to/code]
**Scanner Version**: [tool versions]

## Summary

- **Critical Issues**: [count]
- **High Issues**: [count]
- **Medium Issues**: [count]
- **Low Issues**: [count]
- **Informational**: [count]

## Critical Issues

### [Issue Title]

**File**: [path/to/file:line]
**Category**: [Secret/Injection/etc.]
**Severity**: Critical

**Description**: [What was found]

**Evidence**:

[code snippet]


**Recommendation**: [How to fix]

---

## High Issues

[Similar format]

## Medium Issues

[Similar format]

## Low Issues

[Similar format]

## Tool Reports

### Dependency Scan (pip-audit)
- Vulnerable packages: [count]
- CVEs found: [list]

### Secret Detection (gitleaks)
- Secrets found: [count]
- Types: [API keys, passwords, etc.]

### Static Analysis (bandit)
- Issues found: [count]
- Most common: [issue type]

## Recommendations

### Immediate Actions (Critical/High)
1. [Action 1]
2. [Action 2]

### Short-term (Medium)
1. [Action 1]

### Long-term (Low)
1. [Action 1]

## False Positives

[List any false positives to ignore in future scans]

Best Practices

Secret Scanning:

Always scan before committing code
Check git history for past secrets
Use pre-commit hooks for automated scanning
Never commit .env files
Use secret management tools (Vault, AWS Secrets Manager)

Dependency Scanning:

Scan before adding new dependencies
Keep dependencies updated
Monitor for new vulnerabilities
Use lock files (requirements.txt, package-lock.json)
Consider dependency pinning

Code Pattern Detection:

Focus on user input handling
Check all database queries
Review file operations
Validate all external inputs
Sanitize all outputs

Automated Tools:

Run multiple tools for better coverage
Configure tools with project-specific rules
Integrate into CI/CD pipeline
Review and triage findings
Track false positives

Supporting Scripts

Quick Scan Script (

scripts/quick-security-scan.sh

bash

#!/bin/bash
# Quick security scan

echo "Running security scans..."

# Secret detection
echo "1. Scanning for secrets..."
gitleaks detect --no-git || echo "Gitleaks not available"

# Dependency check
echo "2. Checking dependencies..."
if [ -f requirements.txt ]; then
    pip-audit || echo "pip-audit not available"
fi

# Static analysis
echo "3. Running static analysis..."
if [ -d src ]; then
    bandit -r src/ -ll || echo "Bandit not available"
fi

echo "Scan complete!"

Integration with Security Assessment

Input: Codebase to scan Process: Automated scanning with multiple tools Output: Security scan report with findings Next Step: Vulnerability assessment for detailed analysis

Tools Installation

Python Security Tools:

bash

pip install pip-audit safety bandit

Secret Scanners:

bash

# Gitleaks (via binary release)
# See: https://github.com/gitleaks/gitleaks/releases

# Trufflehog
pip install truffleHog

Multi-language:

bash

# Semgrep
pip install semgrep

# Trivy (via binary release)
# See: https://github.com/aquasecurity/trivy/releases

Scan Frequency

Pre-commit: Secret detection
Daily: Dependency scanning
Weekly: Full static analysis
Before PR: Complete security scan
Before release: Comprehensive assessment

Remember

Automate everything: Use tools, don't scan manually
Multiple tools: Each catches different issues
Triage findings: Not all findings are exploitable
Fix high severity first: Prioritize by risk
Track over time: Monitor security trends
Update tools: Keep scanners current
Document exceptions: Log false positives

Your goal is to identify security issues early and comprehensively through automated scanning.

security-scanner

NPX Install

Tags

SKILL.md Content

Security Scanner Skill

Purpose

When to Use

Scanning Workflow

1. Secret Detection

2. Dependency Vulnerability Scanning

3. Insecure Code Pattern Detection

4. Authentication & Authorization Issues

5. Static Analysis with Automated Tools

6. Configuration Security

Scanning Output Format

Best Practices

Supporting Scripts

Integration with Security Assessment

Tools Installation

Scan Frequency

Remember