# Security Scanning

Security vulnerability detection, secret scanning, and compliance checking for TypeScript and Node.js projects.
## When to use this skill

Use this skill when:

- Checking for dependency vulnerabilities
- Scanning for exposed secrets in code or commits
- Running static code analysis
- Enforcing security gates before deployment
- Reviewing code for security issues
- Auditing package manifests
## Dependency Auditing

### Bun Audit

```bash
# Check for vulnerabilities in dependencies
bun audit

# Fix vulnerabilities automatically (interactive)
bun audit --fix

# Check production dependencies only
bun audit --production

# Generate audit report
bun audit --report-format json > audit-report.json
```
### npm Audit (alternative)

```bash
# Standard audit
npm audit

# Fix vulnerabilities automatically
npm audit fix

# Only fail (non-zero exit) for findings at or above a given severity level
npm audit --audit-level moderate
npm audit --audit-level high
```
### Snyk Integration

```bash
# Install Snyk CLI
bun install -g snyk

# Scan dependencies
snyk test

# Scan with all vulnerabilities shown
snyk test --severity-threshold=low

# Generate SARIF report
snyk test --sarif-file-output=security-results.sarif
```
### Dependency Allowlists

```jsonc
// .npmrc or .yarnrc
{
  "auditConfig": {
    "allowlist": [
      "package@1.0.0",
      "another-package@2.x.x"
    ]
  }
}
```
## Secret Detection

### Git Pre-commit Hooks

```bash
#!/bin/bash
# .git/hooks/pre-commit
# Scan staged files for likely secrets before committing.
# -z/-0 keep paths with spaces intact; -r skips grep when nothing is staged;
# --diff-filter=ACM ignores deleted files, which no longer exist on disk.
SECRETS=$(git diff --cached --name-only --diff-filter=ACM -z \
  | xargs -0 -r grep -liE 'password|secret|key|token')

if [ -n "$SECRETS" ]; then
  echo "Error: Potential secrets found in staged files:"
  echo "$SECRETS"
  exit 1
fi
```
### Gitleaks Integration

```bash
# Install gitleaks
bun install -g gitleaks

# Scan repository (--source takes a path; "." is the current checkout)
gitleaks detect --source .

# Scan with config
gitleaks detect --config .gitleaks.toml

# Scan uncommitted changes (run from a pre-commit hook to block leaks)
gitleaks protect
```
### Secret Patterns

```typescript
// Common secret patterns to detect. The global flag makes String.match return
// every full match instead of the first match plus its capture groups.
const SECRET_PATTERNS = [
  /password\s*=\s*['"][^'"]+['"]/gi,
  /api[-_]?key\s*=\s*['"][^'"]+['"]/gi,
  /secret[-_]?key\s*=\s*['"][^'"]+['"]/gi,
  /token\s*=\s*['"][^'"]+['"]/gi,
  /bearer\s+[a-z0-9._-]{20,}/gi,
  /aws[-_]?access[-_]?key[-_]?id\s*=\s*['"][a-z0-9]{20,}/gi,
  /private[-_]?key\s*=\s*-----BEGIN\s+(?:RSA|EC|OPENSSH)/gi,
];

// Scan file content and return every matching fragment
function scanForSecrets(content: string): string[] {
  const secrets: string[] = [];
  for (const pattern of SECRET_PATTERNS) {
    const matches = content.match(pattern);
    if (matches) secrets.push(...matches);
  }
  return secrets;
}
```
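The scanner above returns the raw matched text, which means a hook or CI step that prints its findings re-leaks the secret into terminal history and build logs. The following is an added example (not code from the original page or from liaison-toolkit) that reports the line and rule for each finding while masking the sensitive value; the rule set, the `secret-scan:allow` inline marker, and the sample file content are all constructed for this example.

```typescript
// Added example: line-oriented secret scanner with redacted reporting.

export interface SecretFinding {
  line: number;      // 1-based line number within the scanned content
  rule: string;      // name of the rule that matched
  redacted: string;  // the offending line with the sensitive value masked
}

interface SecretRule {
  name: string;
  pattern: RegExp;   // group 1, when present, captures the sensitive value
}

// Rule set assumed for this example; extend it with the project's own credential formats.
export const SECRET_RULES: SecretRule[] = [
  { name: 'password assignment', pattern: /password\s*[=:]\s*['"]([^'"]+)['"]/i },
  { name: 'api key assignment', pattern: /api[-_]?key\s*[=:]\s*['"]([^'"]+)['"]/i },
  { name: 'bearer token', pattern: /bearer\s+([a-z0-9._-]{20,})/i },
  { name: 'aws access key id', pattern: /\b(AKIA[0-9A-Z]{16})\b/ },
  { name: 'private key block', pattern: /-----BEGIN\s+(?:RSA|EC|OPENSSH)\s+PRIVATE KEY-----/ },
];

// Inline marker (assumed convention for this example) that exempts a single line,
// e.g. a documented dummy value in a test fixture.
const ALLOW_MARKER = /secret-scan:allow/;

// Keep two characters at each end so a developer can recognise which value was
// flagged, without reproducing the secret itself.
export function redact(value: string): string {
  if (value.length < 8) return '*'.repeat(value.length);
  return `${value.slice(0, 2)}${'*'.repeat(value.length - 4)}${value.slice(-2)}`;
}

export function scanContent(content: string): SecretFinding[] {
  const findings: SecretFinding[] = [];
  content.split(/\r?\n/).forEach((text, idx) => {
    if (ALLOW_MARKER.test(text)) return;
    for (const rule of SECRET_RULES) {
      const m = rule.pattern.exec(text);
      if (!m) continue;
      const value = m[1] ?? m[0];
      findings.push({
        line: idx + 1,
        rule: rule.name,
        redacted: text.replace(value, redact(value)).trim(),
      });
    }
  });
  return findings;
}

// Report lines in "path:line: rule: redacted" form, safe to print in a hook or CI log.
export function scanFiles(files: Record<string, string>): string[] {
  const report: string[] = [];
  for (const [path, content] of Object.entries(files)) {
    for (const f of scanContent(content)) {
      report.push(`${path}:${f.line}: ${f.rule}: ${f.redacted}`);
    }
  }
  return report;
}

// Constructed sample content (no real credentials; the AKIA value is a made-up placeholder).
export const SAMPLE_CONTENT = [
  "const db = connect({ user: 'app', password: 'hunter2hunter2' });",
  "const API_KEY = 'sk-example-0123456789abcdef'; // secret-scan:allow",
  "fetch(url, { headers: { Authorization: 'Bearer abcdefghij0123456789XYZ' } });",
  "const region = 'us-east-1';",
  "// AKIAEXAMPLE123456789 is a placeholder id",
].join('\n');

for (const line of scanFiles({ 'src/config.ts': SAMPLE_CONTENT })) console.log(line);
```

Running the block prints three redacted findings for the sample (lines 1, 3 and 5); the allowlisted line 2 is skipped. The redaction is applied before anything is logged, so the finding can be pasted into a ticket without itself becoming a leak.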
## Static Code Analysis

### TypeScript Strict Mode

```jsonc
// tsconfig.json
{
  "compilerOptions": {
    "strict": true,
    "noUnusedLocals": true,
    "noUnusedParameters": true,
    "noImplicitReturns": true,
    "noFallthroughCasesInSwitch": true
  }
}
```
### ESLint Security Rules

```javascript
// .eslintrc.js
module.exports = {
  // The security/* rules below come from eslint-plugin-security and only
  // resolve when the plugin is registered here
  plugins: ['security'],
  rules: {
    'no-eval': 'error',
    'no-implied-eval': 'error',
    'no-new-func': 'error',
    'no-script-url': 'error',
    'security/detect-object-injection': 'error',
    'security/detect-non-literal-regexp': 'error',
    'security/detect-possible-timing-attacks': 'error'
  }
};
```
### Security Linting Tools

```bash
# ESLint with security plugin (bunx runs the project's installed eslint binary)
bunx eslint src --plugin security

# Bandit for Python (if applicable)
bandit -r src/

# Semgrep for custom security rules
semgrep --config security.yaml src/
```
## Vulnerability Management

### CVSS Scoring

CVSS v3.x base score to qualitative severity rating:

- 0.0: NONE
- 0.1 - 3.9: LOW
- 4.0 - 6.9: MEDIUM
- 7.0 - 8.9: HIGH
- 9.0 - 10.0: CRITICAL
### Fixing Vulnerabilities

```bash
# Review vulnerability report
bun audit --json | jq '.vulnerabilities[] | select(.severity == "high")'

# Update vulnerable package
bun update package-name

# Update all vulnerable packages
bun update

# Install specific patched version
bun install package-name@patched-version
```
## Security Gates

### CI Security Check

```yaml
# .github/workflows/security.yml
name: Security Scan

on: [push, pull_request]

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run security audit
        # bun audit exits non-zero when it finds vulnerabilities; keep the job
        # going so the gate step below can report them with a clear message
        run: |
          bun audit --json > audit-results.json || true
      - name: Check for vulnerabilities
        run: |
          HIGH_VULNS=$(jq '[.vulnerabilities[] | select(.severity == "high")] | length' audit-results.json)
          if [ "$HIGH_VULNS" -gt 0 ]; then
            echo "Found $HIGH_VULNS high severity vulnerabilities"
            exit 1
          fi
      - name: Upload results
        uses: actions/upload-artifact@v4
        with:
          name: audit-results
          path: audit-results.json
```
### Pre-deployment Checklist

```bash
# Security checks before deployment
bun run security-check
```

Should verify:

- No high/critical vulnerabilities
- No secrets in code
- All security linting passes
- Dependencies are up to date
- No deprecated packages used
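The CI workflow and the pre-deployment checklist above both reduce to the same decision: read the audit report, count findings by severity, and fail when anything at or above a chosen threshold is not explicitly accepted. The following is an added example of that gate (not code from the original page or from liaison-toolkit) that a `bun run security-check` script could call. It assumes the npm 7+ `audit --json` layout, where `vulnerabilities` is an object keyed by package name and each entry carries a `severity` string; bun's JSON output is assumed to use the same layout, and the sample report is constructed.

```typescript
// Added example: severity gate over an audit JSON report.
import { readFileSync } from 'node:fs';

export type Severity = 'info' | 'low' | 'moderate' | 'high' | 'critical';
const SEVERITY_ORDER: Severity[] = ['info', 'low', 'moderate', 'high', 'critical'];

// Subset of the npm-style audit entry that the gate needs (assumed layout).
export interface AuditVulnerability {
  name: string;
  severity: Severity;
  fixAvailable?: boolean | { name: string; version: string };
}

export interface AuditReport {
  vulnerabilities: Record<string, AuditVulnerability>;
}

export interface GateResult {
  pass: boolean;
  counts: Record<Severity, number>;
  blocking: string[]; // "package (severity)" for each finding at or above the threshold
}

// Fail when any non-allowlisted finding is at or above `threshold`.
// A severity string the gate does not recognise fails closed instead of slipping through.
export function evaluateAudit(
  report: AuditReport,
  threshold: Severity = 'high',
  allowlist: string[] = [],
): GateResult {
  const counts: Record<Severity, number> = { info: 0, low: 0, moderate: 0, high: 0, critical: 0 };
  const minRank = SEVERITY_ORDER.indexOf(threshold);
  const blocking: string[] = [];
  for (const [pkg, vuln] of Object.entries(report.vulnerabilities)) {
    const rank = SEVERITY_ORDER.indexOf(vuln.severity);
    if (rank >= 0) counts[vuln.severity] += 1;
    if (allowlist.includes(pkg)) continue;
    if (rank < 0 || rank >= minRank) blocking.push(`${pkg} (${vuln.severity})`);
  }
  return { pass: blocking.length === 0, counts, blocking };
}

// Load a report file, log the blocking findings, and return a process exit code.
export function runGate(path: string, threshold: Severity = 'high', allowlist: string[] = []): number {
  const report = JSON.parse(readFileSync(path, 'utf-8')) as AuditReport;
  const result = evaluateAudit(report, threshold, allowlist);
  if (!result.pass) {
    console.error(`Security gate failed: ${result.blocking.length} finding(s) at or above ${threshold}`);
    for (const entry of result.blocking) console.error(`  - ${entry}`);
  }
  return result.pass ? 0 : 1;
}

// Constructed sample report; package names and findings are made up for this example.
export const SAMPLE_REPORT: AuditReport = {
  vulnerabilities: {
    'example-lib': { name: 'example-lib', severity: 'high', fixAvailable: true },
    'example-utils': { name: 'example-utils', severity: 'moderate', fixAvailable: true },
    'example-legacy': { name: 'example-legacy', severity: 'critical', fixAvailable: false },
  },
};

console.log(evaluateAudit(SAMPLE_REPORT));
```

Wired into a script, `process.exit(runGate('audit-results.json'))` gives the CI step a single exit code to act on. The allowlist is deliberately per package rather than per severity: an accepted finding stays visible in `counts` and in the report, it just no longer blocks the deployment, which keeps the exception reviewable.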
## Compliance Standards

### OWASP Top 10

| Issue | Prevention |
|---|---|
| Injection | Use prepared statements, parameterized queries |
| Broken Authentication | Implement proper auth mechanisms |
| Sensitive Data Exposure | Encrypt data at rest |
| XML External Entities | Use safe XML parsers |
| Broken Access Control | Implement RBAC |
| Security Misconfiguration | Follow security best practices |
| XSS | Sanitize user input, escape output |
| Insecure Deserialization | Use safe deserialization |
| Using Components with Known Vulnerabilities | Keep dependencies updated |
| Insufficient Logging | Log security events |
### Security Headers

```typescript
// Set security headers on a Next.js route handler response
import { NextResponse } from 'next/server';

export function GET(_request: Request) {
  const data = { status: 'ok' }; // placeholder payload; substitute the route's own data
  return NextResponse.json(data, {
    headers: {
      'Content-Security-Policy': "default-src 'self'",
      'X-Frame-Options': 'DENY',
      'X-Content-Type-Options': 'nosniff',
      'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
      // Legacy header: modern browsers ignore it and rely on CSP instead
      'X-XSS-Protection': '1; mode=block'
    }
  });
}
```
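Setting the headers is one half of the control; the Verification section below also asks that they be confirmed on the running service. The following is an added example (not code from the original page or from liaison-toolkit) that checks a captured set of response headers against the policy above and reports what is missing or weakened. The checks, the one-year HSTS minimum, and the two sample header sets are assumptions of this example; `X-XSS-Protection` is intentionally not checked because modern browsers ignore it.

```typescript
// Added example: verify security headers on a response.

export interface HeaderFinding {
  header: string;
  problem: string;
}

const ONE_YEAR_SECONDS = 31536000; // matches the max-age used in the route handler above

// Lower-case the header names so the check is independent of the client that captured them.
function normalise(headers: Record<string, string>): Record<string, string> {
  const out: Record<string, string> = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = value;
  return out;
}

export function checkSecurityHeaders(headers: Record<string, string>): HeaderFinding[] {
  const h = normalise(headers);
  const findings: HeaderFinding[] = [];

  const csp = h['content-security-policy'];
  if (!csp) {
    findings.push({ header: 'Content-Security-Policy', problem: 'missing' });
  } else {
    if (!/(^|;)\s*default-src\b/i.test(csp)) {
      findings.push({ header: 'Content-Security-Policy', problem: 'no default-src fallback directive' });
    }
    if (/'unsafe-inline'|'unsafe-eval'/i.test(csp)) {
      findings.push({ header: 'Content-Security-Policy', problem: "allows 'unsafe-inline' or 'unsafe-eval'" });
    }
  }

  const xfo = h['x-frame-options'];
  if (!xfo || !/^(DENY|SAMEORIGIN)$/i.test(xfo.trim())) {
    findings.push({ header: 'X-Frame-Options', problem: xfo ? `unexpected value "${xfo}"` : 'missing' });
  }

  const xcto = h['x-content-type-options'];
  if (!xcto || xcto.trim().toLowerCase() !== 'nosniff') {
    findings.push({ header: 'X-Content-Type-Options', problem: xcto ? `unexpected value "${xcto}"` : 'missing' });
  }

  const hsts = h['strict-transport-security'];
  if (!hsts) {
    findings.push({ header: 'Strict-Transport-Security', problem: 'missing' });
  } else {
    const m = /max-age=(\d+)/i.exec(hsts);
    const maxAge = m ? Number(m[1]) : 0;
    if (maxAge < ONE_YEAR_SECONDS) {
      findings.push({ header: 'Strict-Transport-Security', problem: `max-age ${maxAge} is below one year` });
    }
    if (!/includeSubDomains/i.test(hsts)) {
      findings.push({ header: 'Strict-Transport-Security', problem: 'includeSubDomains not set' });
    }
  }

  return findings;
}

// Constructed sample: the header set from the route handler above, as a client would see it.
export const GOOD_HEADERS: Record<string, string> = {
  'Content-Security-Policy': "default-src 'self'",
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'X-XSS-Protection': '1; mode=block',
};

// Constructed sample of a weakened deployment: inline scripts allowed, framing
// unrestricted, and an HSTS lifetime short enough to be nearly useless.
export const WEAK_HEADERS: Record<string, string> = {
  'content-security-policy': "default-src 'self' 'unsafe-inline'",
  'x-content-type-options': 'nosniff',
  'strict-transport-security': 'max-age=3600',
};

for (const f of checkSecurityHeaders(WEAK_HEADERS)) console.log(`${f.header}: ${f.problem}`);
```

Pointing the checker at headers captured from a staging deployment (for example the `headers` of a `fetch` response) turns the "security headers configured" checklist item into a repeatable test rather than a manual inspection.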
## Verification

After implementing security checks:

- Dependency audit runs on every build
- Secret detection in pre-commit hooks
- Security gate blocks vulnerable deployments
- High/critical vulnerabilities addressed promptly
- Static analysis findings are reviewed
- Security headers configured
- No secrets in repository history
- Security documentation is maintained
## Examples from liaison-toolkit

### Example 1: Security Audit in CI

```yaml
# .github/workflows/security.yml
- name: Audit dependencies
  run: |
    # bun audit exits non-zero on findings; defer the failure to the gate step
    bun audit --json > results.json || true
- name: Check for critical vulnerabilities
  run: |
    CRITICAL=$(jq '.vulnerabilities | map(select(.severity == "critical")) | length' results.json)
    if [ "$CRITICAL" -gt 0 ]; then
      echo "CRITICAL vulnerabilities found!"
      exit 1
    fi
```
### Example 2: Pre-commit Secret Scan

```typescript
#!/usr/bin/env bun
// .githooks/pre-commit
import { execFileSync } from 'child_process';

// Staged files only (added/copied/modified); deleted files have no index content to read
const FILES = execFileSync('git', ['diff', '--cached', '--name-only', '--diff-filter=ACM'], {
  encoding: 'utf-8',
});
const SECRET_PATTERNS = ['password', 'secret', 'api_key', 'token', 'private_key'];

for (const file of FILES.split('\n')) {
  if (!file.trim()) continue;
  // Read the staged blob rather than the working copy. Passing the path as an
  // argv element (not a shell string) keeps unusual filenames from being
  // interpreted by the shell.
  const content = execFileSync('git', ['show', `:${file}`], { encoding: 'utf-8' });
  for (const pattern of SECRET_PATTERNS) {
    if (content.toLowerCase().includes(pattern)) {
      console.error(`Error: Potential secret found in ${file}`);
      process.exit(1);
    }
  }
}
```
## Related Resources

- OWASP Top 10
- CWE/SANS Top 25
- NVD Vulnerability Database
- Snyk Vulnerability Database
- Gitleaks