security-scan

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Security Scan

安全扫描

Purpose

用途

Auto-detect and run available security scanning tools, producing a structured markdown report. Language-specific scanners activate automatically based on detected project files. Missing tools are skipped with installation guidance.

自动检测并运行可用的安全扫描工具，生成结构化的Markdown报告。会根据检测到的项目文件自动激活特定语言的扫描器。若工具缺失会跳过并提供安装指引。

Scan Modes

扫描模式

Mode	Flag	Behavior
Full scan (default)	(none)	Scans the entire target directory
Full scan (explicit)	`--full`	Same as default; use to make intent explicit in scripts or CI
Strict mode	`--strict`	Exit with non-zero code when findings are detected (for CI gates)

Both modes scan the full directory tree. Pass

--full

when calling from a workflow that combines this skill with diff-scoped reviews (e.g.,

security-review

) so the output header clearly identifies the scan scope.

Use

--strict

in CI pipelines or pre-commit hooks to fail the build when security findings are detected. Without

--strict

, the script always exits 0 after completing the scan (findings are reported in markdown output, but don't fail the pipeline).

模式	参数	行为说明
全量扫描（默认）	(无)	扫描整个目标目录
全量扫描（显式）	`--full`	与默认模式效果相同；用于在脚本或CI中明确扫描意图
严格模式	`--strict`	检测到问题时返回非零退出码（用于CI门禁）

两种模式都会扫描完整的目录树。当在工作流中结合该技能与差异范围审查（如

security-review

）时，传入

--full

参数可让输出标题清晰标识扫描范围。

在CI流水线或预提交钩子中使用

--strict

参数，可在检测到安全问题时终止构建。若不使用

--strict

，脚本完成扫描后始终返回0（问题会在Markdown输出中报告，但不会终止流水线）。

Workflow

工作流程

Step 1: Run the Scanner

步骤1：运行扫描器

Execute the bundled script from the project root:

bash

undefined

从项目根目录执行捆绑脚本：

bash

undefined

Default: scan full codebase

默认：扫描全量代码库

bash skills/security-scan/scripts/run-scans.sh [target-directory]

bash skills/security-scan/scripts/run-scans.sh [目标目录]

Explicit full scan (identical result, intent is documented in output)

显式全量扫描（结果相同，输出中会明确记录意图）

bash skills/security-scan/scripts/run-scans.sh --full [target-directory]

bash skills/security-scan/scripts/run-scans.sh --full [目标目录]

Strict mode: exit non-zero if findings detected (for CI gates)

严格模式：检测到问题时返回非零退出码（用于CI门禁）

bash skills/security-scan/scripts/run-scans.sh --strict [target-directory]


If the skills directory is elsewhere, use the absolute path:

```bash
bash ~/.claude/skills/security-scan/scripts/run-scans.sh [--full] [--strict] [target-directory]

If the script is unavailable, run tools manually per the Manual Scan section.

bash skills/security-scan/scripts/run-scans.sh --strict [目标目录]


若skills目录位于其他位置，请使用绝对路径：

```bash
bash ~/.claude/skills/security-scan/scripts/run-scans.sh [--full] [--strict] [目标目录]

若脚本不可用，请按照手动扫描部分的说明手动运行工具。

Step 2: Review Raw Output

步骤2：查看原始输出

The script produces a markdown report. Parse each

## Tool:

section:

Status: Skipped — tool not installed, note for summary
Status: Ran / No issues found — clean for this tool
Status: Ran + findings — requires triage

脚本会生成一份Markdown报告，请解析每个

## Tool:

部分：

状态：已跳过 — 工具未安装，需在总结中记录
状态：已运行 / 未发现问题 — 该工具扫描结果正常
状态：已运行 + 问题记录 — 需要分类处理

Step 3: Triage Findings

步骤3：问题分类处理

For each finding:

Confirm it is in production code (not test fixtures or example files)
Check whether it is protected by existing validation or encoding
Classify severity: Critical / High / Medium / Low
Mark confirmed vs. likely false positive

Common false positives:

Pattern	Likely False Positive When
Secret detected	Value matches `example` , `test` , `dummy` , `PLACEHOLDER`
Dependency vuln	Only affects dev/test dependencies
Insecure function	Input is validated upstream
Weak crypto	Used for non-security purpose (e.g., cache key)

针对每个检测到的问题：

确认问题是否存在于生产代码中（而非测试用例或示例文件）
检查是否已有验证或编码机制保护
分类严重程度：关键 / 高 / 中 / 低
标记为已确认问题或疑似误报

常见误报场景：

模式	疑似误报的情况
检测到密钥	值包含 `example` 、 `test` 、 `dummy` 、 `PLACEHOLDER` 等字样
依赖漏洞	仅影响开发/测试依赖
不安全函数	输入已在上游完成验证
弱加密算法	用于非安全场景（如缓存键）

Step 4: Report

步骤4：生成报告

Present findings in this structure:

markdown

undefined

按照以下结构呈现问题：

markdown

undefined

Security Scan Summary

安全扫描总结

Date: <ISO 8601> Directory: <path> Mode: full | full (--full) Tools run: N | Tools skipped: N | Tools with findings: N

日期: <ISO 8601格式> 目录: <路径> 模式: full | full (--full) 已运行工具: N | 已跳过工具: N | 检测到问题的工具: N

Confirmed Findings

已确认问题

Severity	Tool	Description	File / Location
Critical	gitleaks	AWS key exposed in git history	commit abc123
High	npm audit	lodash < 4.17.21 prototype pollution	package.json

严重程度	工具	描述	文件 / 位置
关键	gitleaks	Git历史中暴露AWS密钥	提交记录abc123
高	npm audit	lodash < 4.17.21原型污染	package.json

Likely False Positives

疑似误报

Tool	Description	Reason dismissed
semgrep	eval() usage	Only in sandboxed test runner

工具	描述	排除原因
semgrep	使用eval()	仅在沙箱测试运行器中出现

Install Missing Tools

安装缺失工具

<list tools skipped with install commands> ```

<列出已跳过的工具及安装命令>

undefined

Tool Coverage

工具覆盖范围

Universal (always attempted)

通用工具（始终尝试运行）

Tool	Purpose	Install
`gitleaks`	Secret detection in git history and working tree	`brew install gitleaks`
`semgrep`	Static analysis with OWASP and security rule packs	`brew install semgrep`
`grype`	Filesystem vulnerability scanning	`brew install grype`

工具	用途	安装方式
`gitleaks`	检测Git历史和工作区中的密钥泄露	`brew install gitleaks`
`semgrep`	使用OWASP和安全规则包进行静态分析	`brew install semgrep`
`grype`	文件系统漏洞扫描	`brew install grype`

Language-Specific (auto-detected)

特定语言工具（自动检测）

Marker File	Tool	Purpose	Install
`package.json`	`npm audit`	JS/TS dependency vulnerabilities	bundled with Node.js
`requirements.txt` / `pyproject.toml` / `setup.py`	`bandit`	Python insecure code patterns	`pip install bandit`
`requirements.txt` / `pyproject.toml` / `setup.py`	`pip-audit`	Python dependency audit	`pip install pip-audit`
`go.mod`	`gosec`	Go insecure code patterns	`go install github.com/securego/gosec/v2/cmd/gosec@latest`
`go.mod`	`govulncheck`	Go module vulnerability database	`go install golang.org/x/vuln/cmd/govulncheck@latest`
`Cargo.toml`	`cargo audit`	Rust dependency audit	`cargo install cargo-audit`
`Gemfile`	`bundle-audit`	Ruby gem vulnerability audit	`gem install bundler-audit`

标记文件	工具	用途	安装方式
`package.json`	`npm audit`	JS/TS依赖漏洞检测	随Node.js自带
`requirements.txt` / `pyproject.toml` / `setup.py`	`bandit`	Python不安全代码模式检测	`pip install bandit`
`requirements.txt` / `pyproject.toml` / `setup.py`	`pip-audit`	Python依赖审计	`pip install pip-audit`
`go.mod`	`gosec`	Go不安全代码模式检测	`go install github.com/securego/gosec/v2/cmd/gosec@latest`
`go.mod`	`govulncheck`	Go模块漏洞数据库检测	`go install golang.org/x/vuln/cmd/govulncheck@latest`
`Cargo.toml`	`cargo audit`	Rust依赖审计	`cargo install cargo-audit`
`Gemfile`	`bundle-audit`	Ruby Gem漏洞审计	`gem install bundler-audit`

Manual Scan

手动扫描

When the bundled script is unavailable, run each tool directly:

bash

undefined

当捆绑脚本不可用时，可直接运行各工具：

bash

undefined

Secrets

密钥检测

gitleaks detect --no-banner -v

Static analysis

静态分析

semgrep scan --config=auto --quiet

Filesystem vulnerability scanning

文件系统漏洞扫描

grype dir:.

Node.js

npm audit --omit=dev

Python

bandit -r . -q --severity-level medium pip-audit

Go

gosec -quiet ./... govulncheck ./...

Rust

cargo audit

Ruby

bundle-audit check --update

undefined

bundle-audit check --update

undefined

Integration

集成方案

security-review — use after this scan to perform AI-driven code analysis; pass
```
--full
```
to that skill to review the entire codebase alongside this full scan
CI pipeline — run as a pre-merge gate using
```
--strict
```
to fail when findings are detected; without
```
--strict
```
, scans exit 0 (findings are reported in output only)

security-review — 在本次扫描后使用该技能进行AI驱动的代码分析；传入
```
--full
```
参数可让该技能结合本次全量扫描结果审查整个代码库
CI流水线 — 使用
```
--strict
```
参数作为预合并门禁，检测到问题时终止构建；若不使用
```
--strict
```
，扫描完成后返回0（仅在输出中报告问题）

Bundled Resources

捆绑资源

File	Purpose
`scripts/run-scans.sh`	Scanner runner with auto-detection and markdown output

文件	用途
`scripts/run-scans.sh`	具备自动检测功能并生成Markdown输出的扫描器运行脚本