AgentSkillsCN

scan

对代码库进行安全扫描。

SKILL.md
--- frontmatter
name: scan
description: "Run security scans against the codebase."

/scan

Run security scans against the codebase.

Usage

code
/security-scan [target] [--deps] [--code] [--secrets] [--all]

Arguments

  • target: Specific file or directory (default: entire project)
  • --deps: Scan dependencies only
  • --code: Scan code only
  • --secrets: Scan for secrets only
  • --all: Run all scans (default)

Instructions

When this skill is invoked:

Agent Behavior (Codex-Max Pattern)

Autonomy:

  • Complete all security scans end-to-end
  • Categorize findings by severity
  • Provide remediation guidance

Thoroughness:

  • Run all applicable security tools
  • Check against OWASP Top 10
  • Follow .claude/rules/security*.md guidelines

Scan Process

  1. Read prd/00_technology.md for security tools

  2. Review .claude/rules/security*.md for security standards

  3. Run dependency scan:

    bash
    # Tool depends on your stack (see prd/00_technology.md)
    {dependency_scan_command}
    
  4. Run static code analysis:

    bash
    {security_scan_command} src/
    
  5. Run secrets detection:

    bash
    {secrets_scan_command}
    
  6. Categorize findings by severity:

    • Critical: Immediate action required
    • High: Fix before deployment
    • Medium: Address soon
    • Low: Review when possible
    • Info: Best practice suggestions
  7. Generate report

Security Report Format

markdown
## Security Scan Report

**Scan Date:** {date}
**Overall Score:** {score}/100

---

### Summary

| Severity | Count |
|----------|-------|
| Critical | 0 |
| High | 1 |
| Medium | 2 |
| Low | 3 |
| Info | 5 |

---

### Dependency Vulnerabilities

#### High Severity

1. **CVE-2024-XXXX** in `package@1.2.3`
   - Impact: Remote code execution
   - Fix: Upgrade to 1.2.4+
   - File: package.json:15

---

### Code Security Issues

#### Medium Severity

1. **SQL Injection Risk** (`src/{project}/db/queries:45`)

Issue: String concatenation in query

query = f"SELECT * FROM users WHERE id = {user_id}"

Fix: Use parameterized query

query = "SELECT * FROM users WHERE id = ?"

code

---

### Secrets Detected

#### High Severity

1. **Potential API Key** (`src/{project}/config:23`)
- Pattern: `API_KEY = "sk-..."`
- Fix: Move to environment variable

---

### Recommendations

1. **Immediate**: Upgrade {package} to fix CVE-XXXX
2. **High Priority**: Move hardcoded secrets to .env
3. **Medium Priority**: Fix SQL injection in queries

OWASP Top 10 Checks

From .claude/rules-available/security-owasp.md:

CategoryCheck
A01 - Broken Access ControlAuth on all protected routes
A02 - Cryptographic FailuresModern algorithms, no hardcoded secrets
A03 - InjectionParameterized queries, input validation
A04 - Insecure DesignSecurity headers, rate limiting
A05 - Security MisconfigurationNo debug in prod, secure defaults
A06 - Vulnerable ComponentsUp-to-date dependencies
A07 - Auth FailuresStrong passwords, MFA, session management
A08 - Integrity FailuresSafe deserialization, signed packages
A09 - Logging FailuresSecurity event logging
A10 - SSRFURL validation, IP filtering

Example Output

code
$ /scan

🔒 Running security scans...

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📦 Dependency Scan
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Found 2 vulnerabilities:
  🔴 High: CVE-2024-1234 in requests@2.25.0
  🟡 Medium: CVE-2024-5678 in yaml@5.3.0

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
🔍 Code Analysis
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Found 1 issue:
  🟡 Medium: Potential SQL injection (src/db/queries:45)

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
🔑 Secrets Detection
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✅ No secrets detected

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📊 Security Score: 78/100
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Recommendations:
1. Upgrade requests to 2.28.0+
2. Upgrade yaml to 6.0.0+
3. Fix SQL injection in src/db/queries:45