Security Scanner Skill
Purpose
This skill provides automated security scanning of codebases to identify vulnerabilities, hardcoded secrets, insecure dependencies, and unsafe coding patterns.
When to Use
-
Starting security assessment of a codebase
-
Pre-commit security checks
-
CI/CD pipeline security validation
-
Dependency vulnerability scanning
-
Secret detection in code
-
Static security analysis
Scanning Workflow
- Secret Detection
Scan for Hardcoded Secrets:
Using grep patterns for common secrets
grep -r -i "password\s*=\s*['"]" src/ --include=".py" --include=".js" grep -r -i "api_key\s*=\s*['"]" src/ --include=".py" --include=".js" grep -r -i "secret\s*=\s*['"]" src/ --include=".py" --include=".js" grep -r -i "token\s*=\s*['"]" src/ --include=".py" --include=".js"
AWS credentials
grep -r "AKIA[0-9A-Z]{16}" src/ grep -r "aws_secret_access_key" src/
Private keys
grep -r "BEGIN.*PRIVATE KEY" src/
Database connection strings
grep -r "postgresql://.:.@" src/ grep -r "mysql://.:.@" src/ grep -r "mongodb://.:.@" src/
Use Dedicated Secret Scanners:
Gitleaks (if available)
gitleaks detect --source . --report-format json --report-path gitleaks-report.json
Trufflehog (if available)
trufflehog filesystem . --json > trufflehog-report.json
Git-secrets (if available)
git secrets --scan
Secrets to Look For:
-
API keys (AWS, Google Cloud, Azure, etc.)
-
Database passwords
-
Authentication tokens
-
Private keys (SSH, TLS, etc.)
-
OAuth secrets
-
Encryption keys
-
Service account credentials
-
Third-party service keys (Stripe, Twilio, etc.)
Deliverable: List of files containing potential secrets with line numbers
- Dependency Vulnerability Scanning
Python Dependencies:
Using pip-audit (recommended)
pip-audit --desc --format json > pip-audit-report.json
Using safety
safety check --json > safety-report.json
Check for outdated packages
pip list --outdated --format json
Node.js Dependencies:
NPM audit
npm audit --json > npm-audit-report.json
Yarn audit
yarn audit --json > yarn-audit-report.json
General Container/Filesystem Scanning:
Trivy (multi-language)
trivy filesystem . --format json --output trivy-report.json
Check specific files
trivy filesystem requirements.txt trivy filesystem package.json
Dependency Checks:
-
Known CVEs in dependencies
-
Outdated packages with security patches
-
Unmaintained packages
-
License compliance issues
-
Transitive dependency vulnerabilities
Deliverable: Vulnerability report with CVE IDs, severity scores, and affected packages
- Insecure Code Pattern Detection
SQL Injection Vulnerabilities:
Python - Look for string concatenation in SQL queries
grep -r "execute.%." src/ --include=".py" grep -r "execute.+." src/ --include=".py" grep -r "cursor.execute.format" src/ --include=".py"
Look for string formatting in SQL
grep -r "SELECT.{" src/ --include=".py" grep -r "INSERT.{" src/ --include=".py" grep -r "UPDATE.{" src/ --include=".py" grep -r "DELETE.{" src/ --include=".py"
Command Injection:
Python - subprocess with shell=True
grep -r "subprocess.shell=True" src/ --include=".py" grep -r "os.system" src/ --include=".py" grep -r "os.popen" src/ --include=".py"
Node.js - child_process exec
grep -r "child_process.exec" src/ --include=".js" grep -r ".exec(" src/ --include="*.js"
Path Traversal:
Unsanitized file paths
grep -r "open(.request." src/ --include=".py" grep -r "os.path.join(.request." src/ --include=".py" grep -r "readFile(.req." src/ --include=".js"
Insecure Deserialization:
Python pickle
grep -r "pickle.loads" src/ --include=".py" grep -r "cPickle.loads" src/ --include=".py"
YAML load (unsafe)
grep -r "yaml.load(" src/ --include="*.py"
Node.js eval
grep -r "eval(" src/ --include="*.js"
Cross-Site Scripting (XSS):
HTML rendering without escaping
grep -r ".innerHTML" src/ --include=".js" --include=".jsx" grep -r "dangerouslySetInnerHTML" src/ --include=".jsx" --include=".tsx"
Python templates without autoescape
grep -r "autoescape=False" src/ --include="*.py"
Weak Cryptography:
MD5, SHA1 usage
grep -r "hashlib.md5" src/ --include=".py" grep -r "hashlib.sha1" src/ --include=".py" grep -r "crypto.createHash('md5')" src/ --include="*.js"
Weak random
grep -r "random.random(" src/ --include=".py" grep -r "Math.random(" src/ --include=".js"
Deliverable: List of insecure code patterns with file locations and severity
- Authentication & Authorization Issues
Missing Authentication:
Python Flask routes without auth decorators
grep -r "@app.route" src/ --include="*.py" -A 1 | grep -v "@login_required" | grep -v "@auth_required"
Express routes without middleware
grep -r "app.get|app.post" src/ --include="*.js" -A 1
Hardcoded Credentials:
Default passwords
grep -r "password.=.['"]admin['"]" src/ grep -r "password.=.['"]password['"]" src/ grep -r "password.=.['"]123456['"]" src/
Default tokens
grep -r "token.=.['"]test['"]" src/
Session Management:
Insecure session configuration
grep -r "SESSION_COOKIE_SECURE.False" src/ --include=".py" grep -r "SESSION_COOKIE_HTTPONLY.False" src/ --include=".py" grep -r "SESSION_COOKIE_SAMESITE.None" src/ --include=".py"
Deliverable: Authentication and authorization gaps with recommendations
- Static Analysis with Automated Tools
Python - Bandit:
Run bandit for Python security issues
bandit -r src/ -f json -o bandit-report.json
With specific tests
bandit -r src/ -f json --severity-level medium
Show only high severity
bandit -r src/ -ll
Multi-language - Semgrep:
Auto-detect and scan
semgrep --config=auto . --json > semgrep-report.json
OWASP Top 10 rules
semgrep --config=p/owasp-top-ten . --json
Security audit
semgrep --config=p/security-audit . --json
Python-specific
semgrep --config=p/python . --json
JavaScript - ESLint Security:
With security plugin
eslint src/ --format json > eslint-report.json
With security-specific rules
eslint src/ --plugin security --format json
Deliverable: Automated tool reports with findings categorized by severity
- Configuration Security
Environment Files:
Check for committed .env files
find . -name ".env" -o -name ".env.*" | grep -v ".env.example"
Check .gitignore
grep -q ".env" .gitignore || echo "WARNING: .env not in .gitignore"
Security Headers:
Check for security header configuration
grep -r "X-Frame-Options" src/ config/ grep -r "Content-Security-Policy" src/ config/ grep -r "X-Content-Type-Options" src/ config/ grep -r "Strict-Transport-Security" src/ config/
CORS Configuration:
Overly permissive CORS
grep -r "Access-Control-Allow-Origin.*" src/ config/ grep -r "cors().origin:.*" src/ --include=".js"
Deliverable: Configuration security issues and recommendations
Scanning Output Format
Create a security scan report:
Security Scan Report
Date: [YYYY-MM-DD] Scan Scope: [path/to/code] Scanner Version: [tool versions]
Summary
- Critical Issues: [count]
- High Issues: [count]
- Medium Issues: [count]
- Low Issues: [count]
- Informational: [count]
Critical Issues
[Issue Title]
File: [path/to/file:line] Category: [Secret/Injection/etc.] Severity: Critical
Description: [What was found]
Evidence:
[code snippet]
Recommendation: [How to fix]
High Issues
[Similar format]
Medium Issues
[Similar format]
Low Issues
[Similar format]
Tool Reports
Dependency Scan (pip-audit)
- Vulnerable packages: [count]
- CVEs found: [list]
Secret Detection (gitleaks)
- Secrets found: [count]
- Types: [API keys, passwords, etc.]
Static Analysis (bandit)
- Issues found: [count]
- Most common: [issue type]
Recommendations
Immediate Actions (Critical/High)
- [Action 1]
- [Action 2]
Short-term (Medium)
- [Action 1]
Long-term (Low)
- [Action 1]
False Positives
[List any false positives to ignore in future scans]
Best Practices
Secret Scanning:
-
Always scan before committing code
-
Check git history for past secrets
-
Use pre-commit hooks for automated scanning
-
Never commit .env files
-
Use secret management tools (Vault, AWS Secrets Manager)
Dependency Scanning:
-
Scan before adding new dependencies
-
Keep dependencies updated
-
Monitor for new vulnerabilities
-
Use lock files (requirements.txt, package-lock.json)
-
Consider dependency pinning
Code Pattern Detection:
-
Focus on user input handling
-
Check all database queries
-
Review file operations
-
Validate all external inputs
-
Sanitize all outputs
Automated Tools:
-
Run multiple tools for better coverage
-
Configure tools with project-specific rules
-
Integrate into CI/CD pipeline
-
Review and triage findings
-
Track false positives
Supporting Scripts
Quick Scan Script (scripts/quick-security-scan.sh ):
#!/bin/bash
Quick security scan
echo "Running security scans..."
Secret detection
echo "1. Scanning for secrets..." gitleaks detect --no-git || echo "Gitleaks not available"
Dependency check
echo "2. Checking dependencies..." if [ -f requirements.txt ]; then pip-audit || echo "pip-audit not available" fi
Static analysis
echo "3. Running static analysis..." if [ -d src ]; then bandit -r src/ -ll || echo "Bandit not available" fi
echo "Scan complete!"
Integration with Security Assessment
Input: Codebase to scan Process: Automated scanning with multiple tools Output: Security scan report with findings Next Step: Vulnerability assessment for detailed analysis
Tools Installation
Python Security Tools:
pip install pip-audit safety bandit
Secret Scanners:
Gitleaks (via binary release)
See: https://github.com/gitleaks/gitleaks/releases
Trufflehog
pip install truffleHog
Multi-language:
Semgrep
pip install semgrep
Trivy (via binary release)
See: https://github.com/aquasecurity/trivy/releases
Scan Frequency
-
Pre-commit: Secret detection
-
Daily: Dependency scanning
-
Weekly: Full static analysis
-
Before PR: Complete security scan
-
Before release: Comprehensive assessment
Remember
-
Automate everything: Use tools, don't scan manually
-
Multiple tools: Each catches different issues
-
Triage findings: Not all findings are exploitable
-
Fix high severity first: Prioritize by risk
-
Track over time: Monitor security trends
-
Update tools: Keep scanners current
-
Document exceptions: Log false positives
Your goal is to identify security issues early and comprehensively through automated scanning.