Security Scanning
Comprehensive security analysis skill for detecting vulnerabilities, secrets, and security anti-patterns in codebases.
Core Capabilities
Secrets Detection
Scan for accidentally committed secrets and credentials:
Patterns to detect:
-
API keys (AWS, GCP, Azure, Stripe, etc.)
-
Private keys (RSA, SSH, PGP)
-
Passwords and tokens in code
-
Database connection strings with credentials
-
JWT secrets and signing keys
-
OAuth client secrets
Common file locations:
-
.env files committed to repo
-
Configuration files (config.py, settings.json)
-
Test fixtures with real credentials
-
Documentation with example credentials
-
CI/CD configuration files
Search patterns:
API Keys
grep -rE "(api[_-]?key|apikey)\s*[:=]\s*['"][a-zA-Z0-9]{20,}"
AWS Keys
grep -rE "AKIA[0-9A-Z]{16}"
Private Keys
grep -rE "-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"
Generic Secrets
grep -rE "(password|secret|token)\s*[:=]\s*['"][^'"]{8,}"
OWASP Vulnerability Detection
Identify common web application vulnerabilities:
SQL Injection:
-
String concatenation in SQL queries
-
Unparameterized queries
-
Dynamic table/column names from user input
Cross-Site Scripting (XSS):
-
Unescaped user input in HTML output
-
innerHTML assignments with user data
-
Template rendering without auto-escaping
Command Injection:
-
Shell command construction with user input
-
subprocess/os.system calls with variables
-
eval() with external data
Path Traversal:
-
File operations with user-controlled paths
-
Missing path sanitization
-
Symlink following vulnerabilities
Insecure Deserialization:
-
pickle.loads with untrusted data
-
yaml.load without safe_load
-
JSON parsing of user input into code execution
Dependency Auditing
Check for known vulnerabilities in dependencies:
Python:
Using pip-audit
pip-audit -r requirements.txt
Using safety
safety check -r requirements.txt
Check outdated packages
pip list --outdated
JavaScript/Node:
npm audit yarn audit
General approach:
-
Parse dependency files (requirements.txt, package.json, go.mod)
-
Check versions against known CVE databases
-
Report severity and remediation guidance
Security Anti-Patterns
Detect insecure coding patterns:
Weak Cryptography:
-
MD5/SHA1 for password hashing
-
ECB mode encryption
-
Hardcoded encryption keys
-
Weak random number generation
Authentication Issues:
-
Hardcoded credentials
-
Missing authentication checks
-
Weak password policies
-
Session fixation vulnerabilities
Authorization Flaws:
-
Missing access control checks
-
IDOR (Insecure Direct Object References)
-
Privilege escalation paths
Data Exposure:
-
Sensitive data in logs
-
Unencrypted sensitive storage
-
Debug information in production
Scanning Workflow
Full Security Scan
To perform a comprehensive security scan:
-
Secrets scan: Search for hardcoded credentials
-
Dependency audit: Check for known CVEs
-
Code analysis: Identify vulnerability patterns
-
Configuration review: Check security settings
Quick Security Check
For rapid assessment of recent changes:
-
Identify modified files from git diff
-
Scan only changed files for secrets
-
Check new dependencies added
-
Review security-sensitive code paths
Output Format
Present findings with severity levels:
Critical: Immediate exploitation risk
-
Hardcoded production credentials
-
Known exploitable CVEs
-
Authentication bypass
High: Significant security risk
-
SQL injection vulnerabilities
-
XSS in user-facing pages
-
Weak cryptographic usage
Medium: Potential security concern
-
Missing input validation
-
Outdated dependencies (no known CVE)
-
Insecure defaults
Low: Best practice violations
-
Verbose error messages
-
Missing security headers
-
Suboptimal configurations
Language-Specific Patterns
Python
SQL Injection - BAD
cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")
SQL Injection - GOOD
cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
Command Injection - BAD
os.system(f"ls {user_input}")
Command Injection - GOOD
subprocess.run(["ls", user_input], shell=False)
Insecure Deserialization - BAD
data = pickle.loads(user_data)
Secure Alternative
data = json.loads(user_data)
JavaScript
// XSS - BAD element.innerHTML = userInput;
// XSS - GOOD element.textContent = userInput;
// SQL Injection - BAD
db.query(SELECT * FROM users WHERE id = ${userId});
// SQL Injection - GOOD db.query('SELECT * FROM users WHERE id = ?', [userId]);
Integration with Other Tools
When security issues are found, coordinate with:
-
code-quality skill: For fixing identified issues
-
git-workflows skill: For secure commit practices
-
documentation skill: For security documentation
Remediation Guidance
For each finding, provide:
-
Description: What the vulnerability is
-
Location: File path and line number
-
Risk: Potential impact if exploited
-
Fix: Specific remediation steps
-
Prevention: How to avoid in future
Additional Resources
Reference Files
For detailed vulnerability patterns:
-
Consult OWASP Top 10 documentation
-
Check CWE (Common Weakness Enumeration) database
-
Review language-specific security guides