Vulnerability Patterns
This skill is an index to modular detection pattern skills. Use the specialized skills for focused scanning.
When to Use This Skill
- Finding the right pattern skill - Use this index to route appropriately
- Overview of detection capabilities - Quick reference of what's available
When NOT to Use This Skill
- Actual vulnerability scanning - Use the specialized skills directly
- Remediation guidance - Use remediation-* skills
- Full security audits - Use domain auditor agents
Specialized Pattern Skills
vuln-patterns-core
Covers: Universal patterns, configuration files, quick scan scripts
Languages: All (cross-language patterns)
Use when: Scanning any codebase, config audits, hook integration
Includes:
- Hardcoded secrets (API keys, AWS keys, private keys)
- SQL injection (universal patterns)
- Command injection (universal patterns)
- Path traversal
- Configuration file patterns (.env, Docker)
- Quick scan script
- Hook integration guidance
vuln-patterns-languages
Covers: Language-specific vulnerability patterns
Languages: JavaScript/TypeScript, Python, Go, Java, Ruby, PHP
Use when: Targeting specific tech stacks, code review
Includes:
- JavaScript: eval(), XSS, prototype pollution
- Python: pickle, yaml.load, weak crypto
- Go: fmt.Sprintf SQL, InsecureSkipVerify
- Java: ObjectInputStream, XXE, createStatement
- Ruby: backticks, Rails SQL, mass assignment
- PHP: unserialize, include, mysql_query
Quick Routing Guide
| What You're Looking For | Skill to Use |
|---|---|
| Hardcoded secrets | vuln-patterns-core |
| SQL injection (any language) | vuln-patterns-core |
| Command injection (any) | vuln-patterns-core |
| Path traversal | vuln-patterns-core |
| Docker/config issues | vuln-patterns-core |
| JavaScript XSS | vuln-patterns-languages |
| Python pickle/yaml | vuln-patterns-languages |
| Java deserialization | vuln-patterns-languages |
| Go TLS issues | vuln-patterns-languages |
| Ruby Rails patterns | vuln-patterns-languages |
| PHP include/require | vuln-patterns-languages |
Pattern Categories by OWASP
| OWASP 2021 | Skill | Key Patterns |
|---|---|---|
| A01 Access Control | Core + Languages | Path traversal, authorization |
| A02 Crypto Failures | Languages | MD5, SHA1, weak random |
| A03 Injection | Core + Languages | SQL, command (Core); XSS (Languages) |
| A05 Security Misconfig | Core | Debug mode, headers |
| A07 Auth Failures | Core | Hardcoded credentials |
| A08 Data Integrity | Languages | Deserialization |
Integration
For live security hooks, use vuln-patterns-core, which includes:
- Hook integration guidance
- Pattern matching priorities
- False-positive mitigation strategies
- Quick scan script for rapid detection
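As an added illustration (not the skills' own scanner, which this index does not reproduce), the following Python script shows what the core and language-specific pattern lists above look like as a quick scan, and how the hook integration points listed in this section fit around it: each pattern carries a severity that orders findings, an inline `nosec` marker and placeholder-value checks suppress known false positives, findings in test-fixture paths are demoted rather than hidden, and the exit code is what a pre-commit hook would act on. Every regex, severity, suppression convention and sample file below is an assumption constructed for this example.

```python
# Added example, not the skills' own scanner: regexes, severities, suppression
# rules and sample inputs below are assumptions chosen to illustrate the index.
import os
import re
import sys
from collections import namedtuple

# severity: 1 = highest priority (1-2 fail the hook, 3 only warns); exts: empty = all
Pattern = namedtuple("Pattern", "name regex severity exts")
Finding = namedtuple("Finding", "path line_no pattern severity text")

def _p(name, rx, severity, *exts):
    return Pattern(name, re.compile(rx), severity, frozenset(exts))

PATTERNS = [
    # vuln-patterns-core: cross-language patterns
    _p("aws-access-key", r"\bAKIA[0-9A-Z]{16}\b", 1),
    _p("private-key", r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----", 1),
    _p("hardcoded-secret", r"(?i)\b(?:api_?key|secret|password)\b\s*[:=]\s*['\"][^'\"]{8,}['\"]", 2),
    _p("sql-concat", r"(?i)['\"]\s*(?:select|insert|update|delete)\b[^'\"]*['\"]\s*\+", 2),
    _p("command-injection", r"\b(?:os\.system|subprocess\.(?:call|run|Popen)|exec|shell_exec|system)"
                            r"\s*\([^)]*(?:\+|\$\{|%s|\bf['\"])", 1),
    _p("path-traversal", r"\b(?:open|readFile(?:Sync)?|file_get_contents)\s*\([^)]*(?:\+|\$\{|\bf['\"])", 2),
    # vuln-patterns-languages: stack-specific patterns, selected by file extension
    _p("js-eval", r"\beval\s*\(", 2, ".js", ".ts"),
    _p("js-innerhtml-xss", r"\.innerHTML\s*=", 2, ".js", ".ts"),
    _p("py-pickle", r"\bpickle\.loads?\s*\(", 1, ".py"),
    _p("py-yaml-load", r"\byaml\.load\s*\((?![^)]*SafeLoader)", 1, ".py"),
    _p("py-weak-hash", r"\bhashlib\.(?:md5|sha1)\s*\(", 3, ".py"),
    _p("go-sprintf-sql", r"(?i)fmt\.Sprintf\s*\(\s*\"[^\"]*\b(?:select|insert|update|delete)\b", 2, ".go"),
    _p("go-insecure-tls", r"InsecureSkipVerify:\s*true", 2, ".go"),
    _p("java-objectinputstream", r"\bnew\s+ObjectInputStream\s*\(", 1, ".java"),
    _p("ruby-backtick-interp", r"`[^`\n]*#\{", 1, ".rb"),
    _p("ruby-where-interp", r"\.where\s*\(\s*[\"'][^\"']*#\{", 2, ".rb"),
    _p("php-unserialize", r"\bunserialize\s*\(", 1, ".php"),
    _p("php-include-userinput", r"\b(?:include|require)(?:_once)?\b[^;]*\$_(?:GET|POST|REQUEST)", 1, ".php"),
]

# False-positive mitigation (assumed conventions)
SUPPRESS_MARK = re.compile(r"(?:#|//|/\*)\s*nosec\b")                      # reviewed-and-accepted marker
PLACEHOLDER = re.compile(r"(?i)example|changeme|xxx+|<[^>]+>|\$\{[^}]+\}")  # doc/template values
TEST_PATH = re.compile(r"(?:^|/)(?:tests?|spec|fixtures|examples)/")
SECRET_PATTERNS = {"aws-access-key", "hardcoded-secret"}
BLOCK_AT = 2  # hook policy: any finding with severity <= 2 fails the hook

def scan_text(path, text):
    """Run every applicable pattern over each line of one file."""
    ext = os.path.splitext(path)[1]
    in_tests = bool(TEST_PATH.search(path))
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if SUPPRESS_MARK.search(line):
            continue  # explicitly accepted by a reviewer
        for pat in PATTERNS:
            if pat.exts and ext not in pat.exts:
                continue
            m = pat.regex.search(line)
            if not m:
                continue
            if pat.name in SECRET_PATTERNS and PLACEHOLDER.search(m.group(0)):
                continue  # documentation / template value, not a live secret
            sev = pat.severity + (2 if in_tests else 0)  # test code: demote, don't hide
            findings.append(Finding(path, line_no, pat.name, sev, line.strip()))
    return findings

def scan_files(files):
    """Scan a {path: contents} map; order findings by priority, then location."""
    out = [f for path, text in files.items() for f in scan_text(path, text)]
    return sorted(out, key=lambda f: (f.severity, f.path, f.line_no))

def hook_exit_code(findings):
    return 1 if any(f.severity <= BLOCK_AT for f in findings) else 0

SAMPLE_FILES = {  # constructed inputs for the demo, not taken from any real project
    "src/db.py": ('query = "SELECT * FROM users WHERE id=" + user_id\n'
                  "obj = pickle.loads(blob)\n"
                  "cfg = yaml.load(raw, Loader=yaml.SafeLoader)\n"  # safe form: not flagged
                  "digest = hashlib.md5(data).hexdigest()\n"),
    "src/keys.go": ("tlsCfg := &tls.Config{InsecureSkipVerify: true}\n"
                    'key := "AKIAIOSFODNN7EXAMPLE"\n'),  # AWS docs placeholder: suppressed
    "src/cli.rb": ("out = `ls #{params[:dir]}`\n"
                   "User.where(\"name = '#{name}'\") # nosec name is an enum\n"),
    "tests/fixtures/secrets.php": ('include($_GET["page"]);\n'
                                   '$password = "hunter2hunter2";\n'),
}

def main(files=None):
    findings = scan_files(SAMPLE_FILES if files is None else files)
    for f in findings:
        print(f"[sev {f.severity}] {f.path}:{f.line_no} {f.pattern}: {f.text}")
    return hook_exit_code(findings)

if __name__ == "__main__":
    sys.exit(main())
```

Run stand-alone, the script reports seven findings on the constructed samples (the Ruby backtick interpolation and Python pickle first, the demoted fixture-file hits last) and exits 1; the `SafeLoader` call, the documented AWS example key and the `nosec`-marked Rails query produce nothing. To wire it into a hook, replace `SAMPLE_FILES` with the contents of the staged files (for example those listed by `git diff --cached --name-only`) and let the hook propagate the exit code; keep the suppression rules narrow, since a broad placeholder regex is itself a way to hide real secrets.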
See Also
- asvs-requirements - Full ASVS requirement details
- remediation-library - Index to fix patterns
- remediation-injection - Injection fixes
- remediation-crypto - Cryptography fixes