Back to Details

security-scanner

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

Security Scanner Skill

安全扫描技能

Purpose

用途

This skill provides automated security scanning of codebases to identify vulnerabilities, hardcoded secrets, insecure dependencies, and unsafe coding patterns.
本技能可对代码库执行自动化安全扫描,识别漏洞、硬编码敏感信息、不安全依赖项以及危险编码模式。

When to Use

适用场景

  • Starting security assessment of a codebase
  • Pre-commit security checks
  • CI/CD pipeline security validation
  • Dependency vulnerability scanning
  • Secret detection in code
  • Static security analysis
  • 启动代码库安全评估时
  • 提交前安全检查
  • CI/CD 流水线安全验证
  • 依赖项漏洞扫描
  • 代码中的敏感信息检测
  • 静态安全分析

Scanning Workflow

扫描流程

1. Secret Detection

1. 敏感信息检测

Scan for Hardcoded Secrets:
bash
undefined
扫描硬编码敏感信息:
bash
undefined

Using grep patterns for common secrets

使用grep匹配常见敏感信息模式

grep -r -i "password\s*=\s*['"]" src/ --include=".py" --include=".js" grep -r -i "api_key\s*=\s*['"]" src/ --include=".py" --include=".js" grep -r -i "secret\s*=\s*['"]" src/ --include=".py" --include=".js" grep -r -i "token\s*=\s*['"]" src/ --include=".py" --include=".js"
grep -r -i "password\s*=\s*['"]" src/ --include=".py" --include=".js" grep -r -i "api_key\s*=\s*['"]" src/ --include=".py" --include=".js" grep -r -i "secret\s*=\s*['"]" src/ --include=".py" --include=".js" grep -r -i "token\s*=\s*['"]" src/ --include=".py" --include=".js"

AWS credentials

AWS凭证

grep -r "AKIA[0-9A-Z]{16}" src/ grep -r "aws_secret_access_key" src/
grep -r "AKIA[0-9A-Z]{16}" src/ grep -r "aws_secret_access_key" src/

Private keys

私钥

grep -r "BEGIN.*PRIVATE KEY" src/
grep -r "BEGIN.*PRIVATE KEY" src/

Database connection strings

数据库连接字符串

grep -r "postgresql://.:.@" src/ grep -r "mysql://.:.@" src/ grep -r "mongodb://.:.@" src/

**Use Dedicated Secret Scanners:**

```bash
grep -r "postgresql://.:.@" src/ grep -r "mysql://.:.@" src/ grep -r "mongodb://.:.@" src/

**使用专用敏感信息扫描工具:**

```bash

Gitleaks (if available)

Gitleaks(若已安装)

gitleaks detect --source . --report-format json --report-path gitleaks-report.json
gitleaks detect --source . --report-format json --report-path gitleaks-report.json

Trufflehog (if available)

Trufflehog(若已安装)

trufflehog filesystem . --json > trufflehog-report.json
trufflehog filesystem . --json > trufflehog-report.json

Git-secrets (if available)

Git-secrets(若已安装)

git secrets --scan

**Secrets to Look For:**
- API keys (AWS, Google Cloud, Azure, etc.)
- Database passwords
- Authentication tokens
- Private keys (SSH, TLS, etc.)
- OAuth secrets
- Encryption keys
- Service account credentials
- Third-party service keys (Stripe, Twilio, etc.)

**Deliverable:** List of files containing potential secrets with line numbers

---
git secrets --scan

**需检测的敏感信息类型:**
- API密钥(AWS、Google Cloud、Azure等)
- 数据库密码
- 认证令牌
- 私钥(SSH、TLS等)
- OAuth密钥
- 加密密钥
- 服务账号凭证
- 第三方服务密钥(Stripe、Twilio等)

**交付物:** 包含潜在敏感信息的文件列表及对应行号

---

2. Dependency Vulnerability Scanning

2. 依赖项漏洞扫描

Python Dependencies:
bash
undefined
Python依赖项:
bash
undefined

Using pip-audit (recommended)

使用pip-audit(推荐)

pip-audit --desc --format json > pip-audit-report.json
pip-audit --desc --format json > pip-audit-report.json

Using safety

使用safety

safety check --json > safety-report.json
safety check --json > safety-report.json

Check for outdated packages

检查过时包

pip list --outdated --format json

**Node.js Dependencies:**

```bash
pip list --outdated --format json

**Node.js依赖项:**

```bash

NPM audit

NPM审计

npm audit --json > npm-audit-report.json
npm audit --json > npm-audit-report.json

Yarn audit

Yarn审计

yarn audit --json > yarn-audit-report.json

**General Container/Filesystem Scanning:**

```bash
yarn audit --json > yarn-audit-report.json

**通用容器/文件系统扫描:**

```bash

Trivy (multi-language)

Trivy(多语言支持)

trivy filesystem . --format json --output trivy-report.json
trivy filesystem . --format json --output trivy-report.json

Check specific files

检查特定文件

trivy filesystem requirements.txt trivy filesystem package.json

**Dependency Checks:**
- Known CVEs in dependencies
- Outdated packages with security patches
- Unmaintained packages
- License compliance issues
- Transitive dependency vulnerabilities

**Deliverable:** Vulnerability report with CVE IDs, severity scores, and affected packages

---
trivy filesystem requirements.txt trivy filesystem package.json

**依赖项检查内容:**
- 依赖项中的已知CVE漏洞
- 存在安全补丁的过时包
- 无人维护的包
- 许可证合规问题
- 传递性依赖漏洞

**交付物:** 包含CVE编号、风险等级及受影响包的漏洞报告

---

3. Insecure Code Pattern Detection

3. 危险代码模式检测

SQL Injection Vulnerabilities:
bash
undefined
SQL注入漏洞:
bash
undefined

Python - Look for string concatenation in SQL queries

Python - 查找SQL查询中的字符串拼接

grep -r "execute.%." src/ --include=".py" grep -r "execute.+." src/ --include=".py" grep -r "cursor.execute.format" src/ --include=".py"
grep -r "execute.%." src/ --include=".py" grep -r "execute.+." src/ --include=".py" grep -r "cursor.execute.format" src/ --include=".py"

Look for string formatting in SQL

查找SQL中的字符串格式化

grep -r "SELECT.{" src/ --include=".py" grep -r "INSERT.{" src/ --include=".py" grep -r "UPDATE.{" src/ --include=".py" grep -r "DELETE.{" src/ --include=".py"

**Command Injection:**

```bash
grep -r "SELECT.{" src/ --include=".py" grep -r "INSERT.{" src/ --include=".py" grep -r "UPDATE.{" src/ --include=".py" grep -r "DELETE.{" src/ --include=".py"

**命令注入:**

```bash

Python - subprocess with shell=True

Python - 使用shell=True的subprocess

grep -r "subprocess.shell=True" src/ --include=".py" grep -r "os.system" src/ --include=".py" grep -r "os.popen" src/ --include=".py"
grep -r "subprocess.shell=True" src/ --include=".py" grep -r "os.system" src/ --include=".py" grep -r "os.popen" src/ --include=".py"

Node.js - child_process exec

Node.js - child_process exec

grep -r "child_process.exec" src/ --include=".js" grep -r ".exec(" src/ --include="*.js"

**Path Traversal:**

```bash
grep -r "child_process.exec" src/ --include=".js" grep -r ".exec(" src/ --include="*.js"

**路径遍历:**

```bash

Unsanitized file paths

未经过滤的文件路径

grep -r "open(.request." src/ --include=".py" grep -r "os.path.join(.request." src/ --include=".py" grep -r "readFile(.req." src/ --include=".js"

**Insecure Deserialization:**

```bash
grep -r "open(.request." src/ --include=".py" grep -r "os.path.join(.request." src/ --include=".py" grep -r "readFile(.req." src/ --include=".js"

**不安全反序列化:**

```bash

Python pickle

Python pickle

grep -r "pickle.loads" src/ --include=".py" grep -r "cPickle.loads" src/ --include=".py"
grep -r "pickle.loads" src/ --include=".py" grep -r "cPickle.loads" src/ --include=".py"

YAML load (unsafe)

YAML加载(不安全)

grep -r "yaml.load(" src/ --include="*.py"
grep -r "yaml.load(" src/ --include="*.py"

Node.js eval

Node.js eval

grep -r "eval(" src/ --include="*.js"

**Cross-Site Scripting (XSS):**

```bash
grep -r "eval(" src/ --include="*.js"

**跨站脚本攻击(XSS):**

```bash

HTML rendering without escaping

未转义的HTML渲染

grep -r ".innerHTML" src/ --include=".js" --include=".jsx" grep -r "dangerouslySetInnerHTML" src/ --include=".jsx" --include=".tsx"
grep -r ".innerHTML" src/ --include=".js" --include=".jsx" grep -r "dangerouslySetInnerHTML" src/ --include=".jsx" --include=".tsx"

Python templates without autoescape

未自动转义的Python模板

grep -r "autoescape=False" src/ --include="*.py"

**Weak Cryptography:**

```bash
grep -r "autoescape=False" src/ --include="*.py"

**弱加密:**

```bash

MD5, SHA1 usage

MD5、SHA1使用

grep -r "hashlib.md5" src/ --include=".py" grep -r "hashlib.sha1" src/ --include=".py" grep -r "crypto.createHash('md5')" src/ --include="*.js"
grep -r "hashlib.md5" src/ --include=".py" grep -r "hashlib.sha1" src/ --include=".py" grep -r "crypto.createHash('md5')" src/ --include="*.js"

Weak random

弱随机数

grep -r "random.random(" src/ --include=".py" grep -r "Math.random(" src/ --include=".js"

**Deliverable:** List of insecure code patterns with file locations and severity

---
grep -r "random.random(" src/ --include=".py" grep -r "Math.random(" src/ --include=".js"

**交付物:** 包含危险代码模式的文件位置及风险等级的列表

---

4. Authentication & Authorization Issues

4. 认证与授权问题检测

Missing Authentication:
bash
undefined
缺失认证机制:
bash
undefined

Python Flask routes without auth decorators

Python Flask路由无认证装饰器

grep -r "@app.route" src/ --include="*.py" -A 1 | grep -v "@login_required" | grep -v "@auth_required"
grep -r "@app.route" src/ --include="*.py" -A 1 | grep -v "@login_required" | grep -v "@auth_required"

Express routes without middleware

Express路由无中间件

grep -r "app.get|app.post" src/ --include="*.js" -A 1

**Hardcoded Credentials:**

```bash
grep -r "app.get|app.post" src/ --include="*.js" -A 1

**硬编码凭证:**

```bash

Default passwords

默认密码

grep -r "password.=.['"]admin['"]" src/ grep -r "password.=.['"]password['"]" src/ grep -r "password.=.['"]123456['"]" src/
grep -r "password.=.['"]admin['"]" src/ grep -r "password.=.['"]password['"]" src/ grep -r "password.=.['"]123456['"]" src/

Default tokens

默认令牌

grep -r "token.=.['"]test['"]" src/

**Session Management:**

```bash
grep -r "token.=.['"]test['"]" src/

**会话管理:**

```bash

Insecure session configuration

不安全的会话配置

grep -r "SESSION_COOKIE_SECURE.False" src/ --include=".py" grep -r "SESSION_COOKIE_HTTPONLY.False" src/ --include=".py" grep -r "SESSION_COOKIE_SAMESITE.None" src/ --include=".py"

**Deliverable:** Authentication and authorization gaps with recommendations

---
grep -r "SESSION_COOKIE_SECURE.False" src/ --include=".py" grep -r "SESSION_COOKIE_HTTPONLY.False" src/ --include=".py" grep -r "SESSION_COOKIE_SAMESITE.None" src/ --include=".py"

**交付物:** 认证与授权漏洞列表及修复建议

---

5. Static Analysis with Automated Tools

5. 自动化工具静态分析

Python - Bandit:
bash
undefined
Python - Bandit:
bash
undefined

Run bandit for Python security issues

运行Bandit检测Python安全问题

bandit -r src/ -f json -o bandit-report.json
bandit -r src/ -f json -o bandit-report.json

With specific tests

指定测试级别

bandit -r src/ -f json --severity-level medium
bandit -r src/ -f json --severity-level medium

Show only high severity

仅显示高风险问题

bandit -r src/ -ll

**Multi-language - Semgrep:**

```bash
bandit -r src/ -ll

**多语言 - Semgrep:**

```bash

Auto-detect and scan

自动检测并扫描

semgrep --config=auto . --json > semgrep-report.json
semgrep --config=auto . --json > semgrep-report.json

OWASP Top 10 rules

OWASP Top 10规则

semgrep --config=p/owasp-top-ten . --json
semgrep --config=p/owasp-top-ten . --json

Security audit

安全审计

semgrep --config=p/security-audit . --json
semgrep --config=p/security-audit . --json

Python-specific

Python专属规则

semgrep --config=p/python . --json

**JavaScript - ESLint Security:**

```bash
semgrep --config=p/python . --json

**JavaScript - ESLint Security:**

```bash

With security plugin

使用安全插件

eslint src/ --format json > eslint-report.json
eslint src/ --format json > eslint-report.json

With security-specific rules

使用安全专属规则

eslint src/ --plugin security --format json

**Deliverable:** Automated tool reports with findings categorized by severity

---
eslint src/ --plugin security --format json

**交付物:** 按风险等级分类的自动化工具扫描报告

---

6. Configuration Security

6. 配置安全检查

Environment Files:
bash
undefined
环境文件:
bash
undefined

Check for committed .env files

检查已提交的.env文件

find . -name ".env" -o -name ".env.*" | grep -v ".env.example"
find . -name ".env" -o -name ".env.*" | grep -v ".env.example"

Check .gitignore

检查.gitignore

grep -q ".env" .gitignore || echo "WARNING: .env not in .gitignore"

**Security Headers:**

```bash
grep -q ".env" .gitignore || echo "WARNING: .env not in .gitignore"

**安全头:**

```bash

Check for security header configuration

检查安全头配置

grep -r "X-Frame-Options" src/ config/ grep -r "Content-Security-Policy" src/ config/ grep -r "X-Content-Type-Options" src/ config/ grep -r "Strict-Transport-Security" src/ config/

**CORS Configuration:**

```bash
grep -r "X-Frame-Options" src/ config/ grep -r "Content-Security-Policy" src/ config/ grep -r "X-Content-Type-Options" src/ config/ grep -r "Strict-Transport-Security" src/ config/

**CORS配置:**

```bash

Overly permissive CORS

过度宽松的CORS设置

grep -r "Access-Control-Allow-Origin.*" src/ config/ grep -r "cors().origin:.*" src/ --include=".js"

**Deliverable:** Configuration security issues and recommendations

---
grep -r "Access-Control-Allow-Origin.*" src/ config/ grep -r "cors().origin:.*" src/ --include=".js"

**交付物:** 配置安全问题列表及修复建议

---

Scanning Output Format

扫描输出格式

Create a security scan report:
markdown
undefined
创建安全扫描报告:
markdown
undefined

Security Scan Report

安全扫描报告

Date: [YYYY-MM-DD] Scan Scope: [path/to/code] Scanner Version: [tool versions]
日期:[YYYY-MM-DD] 扫描范围:[path/to/code] 扫描工具版本:[工具版本]

Summary

摘要

  • Critical Issues: [count]
  • High Issues: [count]
  • Medium Issues: [count]
  • Low Issues: [count]
  • Informational: [count]
  • 严重问题:[数量]
  • 高风险问题:[数量]
  • 中风险问题:[数量]
  • 低风险问题:[数量]
  • 信息提示:[数量]

Critical Issues

严重问题

[Issue Title]

[问题标题]

File: [path/to/file:line] Category: [Secret/Injection/etc.] Severity: Critical
Description: [What was found]
Evidence:
[code snippet]
Recommendation: [How to fix]
文件:[path/to/file:line] 类别:[敏感信息/注入等] 风险等级:严重
描述:[检测到的内容]
证据
[代码片段]
修复建议:[修复方案]

High Issues

高风险问题

[Similar format]
[类似格式]

Medium Issues

中风险问题

[Similar format]
[类似格式]

Low Issues

低风险问题

[Similar format]
[类似格式]

Tool Reports

工具报告

Dependency Scan (pip-audit)

依赖项扫描(pip-audit)

  • Vulnerable packages: [count]
  • CVEs found: [list]
  • 漏洞包数量:[数量]
  • 检测到的CVE:[列表]

Secret Detection (gitleaks)

敏感信息检测(gitleaks)

  • Secrets found: [count]
  • Types: [API keys, passwords, etc.]
  • 敏感信息数量:[数量]
  • 类型:[API密钥、密码等]

Static Analysis (bandit)

静态分析(bandit)

  • Issues found: [count]
  • Most common: [issue type]
  • 问题数量:[数量]
  • 最常见类型:[问题类型]

Recommendations

修复建议

Immediate Actions (Critical/High)

立即处理(严重/高风险)

  1. [Action 1]
  2. [Action 2]
  1. [行动1]
  2. [行动2]

Short-term (Medium)

短期处理(中风险)

  1. [Action 1]
  1. [行动1]

Long-term (Low)

长期优化(低风险)

  1. [Action 1]
  1. [行动1]

False Positives

误报

[List any false positives to ignore in future scans]

---
[列出未来扫描可忽略的误报项]

---

Best Practices

最佳实践

Secret Scanning:
  • Always scan before committing code
  • Check git history for past secrets
  • Use pre-commit hooks for automated scanning
  • Never commit .env files
  • Use secret management tools (Vault, AWS Secrets Manager)
Dependency Scanning:
  • Scan before adding new dependencies
  • Keep dependencies updated
  • Monitor for new vulnerabilities
  • Use lock files (requirements.txt, package-lock.json)
  • Consider dependency pinning
Code Pattern Detection:
  • Focus on user input handling
  • Check all database queries
  • Review file operations
  • Validate all external inputs
  • Sanitize all outputs
Automated Tools:
  • Run multiple tools for better coverage
  • Configure tools with project-specific rules
  • Integrate into CI/CD pipeline
  • Review and triage findings
  • Track false positives
敏感信息扫描:
  • 提交代码前务必扫描
  • 检查Git历史记录中的过往敏感信息
  • 使用提交前钩子实现自动化扫描
  • 绝对不要提交.env文件
  • 使用敏感信息管理工具(Vault、AWS Secrets Manager)
依赖项扫描:
  • 添加新依赖项前先扫描
  • 保持依赖项更新
  • 监控新出现的漏洞
  • 使用锁定文件(requirements.txt、package-lock.json)
  • 考虑依赖项版本固定
代码模式检测:
  • 重点关注用户输入处理
  • 检查所有数据库查询
  • 审核文件操作逻辑
  • 验证所有外部输入
  • 清理所有输出内容
自动化工具:
  • 运行多个工具以提升覆盖范围
  • 根据项目需求配置工具规则
  • 集成到CI/CD流水线中
  • 审核并分类扫描结果
  • 跟踪误报项

Supporting Scripts

辅助脚本

Quick Scan Script (
scripts/quick-security-scan.sh
):
bash
#!/bin/bash
快速扫描脚本 (
scripts/quick-security-scan.sh
):
bash
#!/bin/bash

Quick security scan

Quick security scan

echo "Running security scans..."
echo "Running security scans..."

Secret detection

Secret detection

echo "1. Scanning for secrets..." gitleaks detect --no-git || echo "Gitleaks not available"
echo "1. Scanning for secrets..." gitleaks detect --no-git || echo "Gitleaks not available"

Dependency check

Dependency check

echo "2. Checking dependencies..." if [ -f requirements.txt ]; then pip-audit || echo "pip-audit not available" fi
echo "2. Checking dependencies..." if [ -f requirements.txt ]; then pip-audit || echo "pip-audit not available" fi

Static analysis

Static analysis

echo "3. Running static analysis..." if [ -d src ]; then bandit -r src/ -ll || echo "Bandit not available" fi
echo "Scan complete!"

---
echo "3. Running static analysis..." if [ -d src ]; then bandit -r src/ -ll || echo "Bandit not available" fi
echo "Scan complete!"

---

Integration with Security Assessment

与安全评估的集成

Input: Codebase to scan Process: Automated scanning with multiple tools Output: Security scan report with findings Next Step: Vulnerability assessment for detailed analysis
输入:待扫描的代码库 流程:使用多工具执行自动化扫描 输出:包含扫描结果的安全扫描报告 下一步:漏洞评估以开展详细分析

Tools Installation

工具安装

Python Security Tools:
bash
pip install pip-audit safety bandit
Secret Scanners:
bash
undefined
Python安全工具:
bash
pip install pip-audit safety bandit
敏感信息扫描工具:
bash
undefined

Gitleaks (via binary release)

Gitleaks(通过二进制发布包安装)

See: https://github.com/gitleaks/gitleaks/releases

参考:https://github.com/gitleaks/gitleaks/releases

Trufflehog

Trufflehog

pip install truffleHog

**Multi-language:**

```bash
pip install truffleHog

**多语言工具:**

```bash

Semgrep

Semgrep

pip install semgrep
pip install semgrep

Trivy (via binary release)

Trivy(通过二进制发布包安装)

See: https://github.com/aquasecurity/trivy/releases

参考:https://github.com/aquasecurity/trivy/releases


---

---

Scan Frequency

扫描频率

  • Pre-commit: Secret detection
  • Daily: Dependency scanning
  • Weekly: Full static analysis
  • Before PR: Complete security scan
  • Before release: Comprehensive assessment
  • 提交前:敏感信息检测
  • 每日:依赖项扫描
  • 每周:完整静态分析
  • PR创建前:全面安全扫描
  • 发布前:综合性安全评估

Remember

注意事项

  • Automate everything: Use tools, don't scan manually
  • Multiple tools: Each catches different issues
  • Triage findings: Not all findings are exploitable
  • Fix high severity first: Prioritize by risk
  • Track over time: Monitor security trends
  • Update tools: Keep scanners current
  • Document exceptions: Log false positives
Your goal is to identify security issues early and comprehensively through automated scanning.
  • 自动化优先:使用工具而非手动扫描
  • 多工具协同:不同工具可检测不同问题
  • 结果分类:并非所有扫描结果都可被利用
  • 优先修复高风险:按风险等级排序处理
  • 长期跟踪:监控安全趋势
  • 工具更新:保持扫描工具为最新版本
  • 例外记录:记录误报项
你的目标是通过自动化扫描尽早且全面地识别安全问题。