security-scan
Security Scanning
Perform comprehensive security scanning across your entire stack including applications, infrastructure, containers, dependencies, and cloud environments. This skill integrates LLM-based security analysis with industry-standard tools to identify vulnerabilities, misconfigurations, and security weaknesses.
When to use me
Use this skill when:
- You need a complete security assessment of your application and infrastructure
- You want to integrate multiple security scanning tools into a unified workflow
- You need LLM-powered analysis to identify complex security issues
- You're preparing for security audits or compliance certifications
- You want to establish baseline security scanning in CI/CD pipelines
- You need to scan across multiple environments (cloud, containers, infrastructure)
What I do
- LLM-based security analysis: Use AI to identify complex security patterns, business logic flaws, and novel vulnerabilities
- Integrated tool ecosystem: Orchestrate OWASP ZAP, Snyk, Trivy, Nessus, and other security scanners
- Multi-layer scanning: Application (SAST/DAST), infrastructure (IaC scanning), containers, dependencies, cloud configurations
- Vulnerability correlation: Correlate findings across different scanning tools to prioritize critical issues
- Compliance mapping: Map vulnerabilities to compliance frameworks (SOC 2, ISO 27001, HIPAA, GDPR)
- Remediation guidance: Provide specific, actionable remediation steps for each finding
- Risk scoring: Calculate risk scores based on CVSS, exploit availability, and business impact
Examples
```bash
# Run comprehensive security scan
./scripts/security-scan.sh --target https://app.example.com

# Scan Docker containers
./scripts/security-scan.sh --container myapp:latest

# Scan infrastructure as code
./scripts/security-scan.sh --iac terraform/

# Generate compliance report
./scripts/security-scan.sh --compliance soc2

# LLM-powered security analysis
./scripts/security-scan.sh --llm-analysis --context "Payment processing system"
```
Output format
Security Scan Report
─────────────────────────────────────
Scan Date: 2025-01-15T10:30:00Z
Target: https://app.example.com
Scan Duration: 2m 45s
CRITICAL FINDINGS (3):
────────────────────────
❌ SQL Injection in /api/users endpoint
Risk: Critical (CVSS 9.8)
Detection: OWASP ZAP + LLM analysis
Remediation: Use parameterized queries, implement input validation
Compliance Impact: PCI DSS 6.5.1, OWASP A1
❌ Hard-coded AWS credentials in config file
Risk: Critical (CVSS 8.9)
Detection: TruffleHog + LLM pattern matching
Remediation: Move to AWS Secrets Manager, rotate credentials
Compliance Impact: SOC 2 CC6.1, ISO 27001 A.9.4.1
❌ Unpatched vulnerability in nginx:1.18 (CVE-2021-23017)
Risk: Critical (CVSS 9.1)
Detection: Trivy container scan
Remediation: Upgrade to nginx 1.20+, apply security patches
Compliance Impact: PCI DSS 6.2, ISO 27001 A.12.6.1
HIGH FINDINGS (8):
───────────────────
⚠️ Missing Content Security Policy header
⚠️ Excessive permissions in IAM role (AdminAccess)
⚠️ Outdated OpenSSL library (CVE-2022-2068)
⚠️ Docker container running as root
⚠️ API endpoint without rate limiting
⚠️ Sensitive data in application logs
⚠️ Missing MFA for administrative access
⚠️ Unencrypted S3 bucket
MEDIUM/LOW FINDINGS (14):
──────────────────────────
ℹ️ Security headers missing (X-Frame-Options, X-Content-Type-Options)
ℹ️ Verbose error messages revealing system information
ℹ️ Session timeout too long (24 hours)
ℹ️ Cross-site request forgery (CSRF) protection missing
LLM SECURITY ANALYSIS:
──────────────────────
🔍 Business Logic Vulnerabilities:
• Payment amount manipulation possible in checkout flow
• Privilege escalation via IDOR in admin panel
• Race condition in inventory reservation system
🔍 Architectural Security Issues:
• Monolithic architecture increases attack surface
• Lack of network segmentation between tiers
• Insufficient logging for security events
🔍 Compliance Gaps:
• Missing data retention policy implementation
• Inadequate incident response procedures
• Insufficient employee security training documentation
SUMMARY:
────────
Total Findings: 25
Critical: 3 | High: 8 | Medium: 9 | Low: 5
Risk Score: 78/100 (High Risk)
Compliance Status: 65% compliant with SOC 2
RECOMMENDATIONS:
────────────────
1. IMMEDIATE ACTION: Fix 3 critical vulnerabilities within 24 hours
2. PRIORITY: Address 8 high-risk issues within 7 days
3. IMPROVEMENTS: Implement security controls for medium/low issues
4. ARCHITECTURAL: Consider microservices segmentation, zero-trust network
5. PROCESS: Establish security training program, incident response plan
Notes
- Integrates with existing CI/CD pipelines and security tools
- LLM analysis requires careful validation to avoid false positives
- Different scanning tools may have different licensing requirements
- Some scanners require authentication tokens or API keys
- Always validate findings before taking remediation actions
- Consider running scans during off-peak hours to minimize performance impact
- Regular scanning (daily/weekly) recommended for production systems
- Keep scanning tools updated to detect latest vulnerabilities
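The correlation and risk-scoring steps listed under "What I do", together with the note that LLM-only findings need validation before remediation, as an added example that is not the skill's own code. The sample findings, the scoring weights and the business-impact multipliers are constructed assumptions; the tool names are those the page lists.

```python
"""Correlate multi-tool findings and score them (added example, not the skill's code)."""
from collections import defaultdict

# Constructed sample findings, shaped like a normalised scanner export.
# The same SQL injection is reported by both ZAP and the LLM analysis.
FINDINGS = [
    {"tool": "zap",   "location": "/api/users", "cwe": "CWE-89",  "cvss": 9.8, "exploit": True},
    {"tool": "llm",   "location": "/api/users", "cwe": "CWE-89",  "cvss": 9.8, "exploit": True},
    {"tool": "trivy", "location": "nginx:1.18", "cwe": "CWE-193", "cvss": 9.1, "exploit": True},
    {"tool": "llm",   "location": "/checkout",  "cwe": "CWE-840", "cvss": 7.5, "exploit": False},
]

# Assumed business-impact multipliers (0-1) per asset; unknown assets get 0.5.
IMPACT = {"/api/users": 1.0, "nginx:1.18": 0.8, "/checkout": 1.0}


def correlate(findings):
    """Merge findings that describe the same issue (same location and CWE).

    One correlated finding keeps the highest CVSS seen, records every tool
    that detected it, and is flagged for human validation when the LLM
    analysis was the only detector (see the false-positive note above)."""
    groups = defaultdict(list)
    for f in findings:
        groups[(f["location"], f["cwe"])].append(f)
    merged = []
    for (location, cwe), items in groups.items():
        tools = sorted({i["tool"] for i in items})
        merged.append({
            "location": location, "cwe": cwe, "tools": tools,
            "cvss": max(i["cvss"] for i in items),
            "exploit": any(i["exploit"] for i in items),
            "needs_validation": tools == ["llm"],
        })
    return merged


def risk_score(finding, impact=IMPACT):
    """0-100 score: CVSS scaled to 0-80, +20 if an exploit is available,
    then weighted by business impact. The weights are assumptions."""
    base = finding["cvss"] * 8 + (20 if finding["exploit"] else 0)
    return round(base * impact.get(finding["location"], 0.5))


def prioritize(findings, impact=IMPACT):
    """Correlate, score and order findings highest risk first."""
    scored = correlate(findings)
    for f in scored:
        f["score"] = risk_score(f, impact)
    return sorted(scored, key=lambda f: f["score"], reverse=True)
```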