Vulnerability Scanning
Purpose
Automate the detection of known vulnerabilities in dependencies and code using security scanning tools, triage findings, and prioritize remediation based on risk and exploitability.
When to Use
- Before deploying to production
- During CI/CD pipeline execution
- Regular security audits (weekly/monthly)
- After updating dependencies
- Investigating security alerts
Key Capabilities
- Dependency Scanning - Identify vulnerable packages and libraries, including transitive ones
- SAST/DAST Execution - Run static and dynamic analysis tools
- Issue Triage - Categorize and prioritize security findings by severity and exploitability
Approach
1. Select Appropriate Tools
   - Dependency scanners: npm audit, pip-audit, Snyk, OWASP Dependency-Check
   - SAST (static): Bandit (Python), ESLint security plugins, Semgrep, SonarQube
   - DAST (dynamic): OWASP ZAP, Burp Suite
   - Secret detection: GitGuardian, TruffleHog, gitleaks
   - Container images: Trivy, Grype
2. Run Scans
   - Execute during CI/CD pipeline runs, not only at release time
   - Scan both application code and dependencies (direct and transitive)
   - Include container image scanning if the application ships as an image
   - Check for exposed secrets in the working tree and in git history
3. Parse and Triage Results
   Default severity buckets (the final rating is set after the exploitability assessment in the next step):
   - Critical: remote code execution, authentication bypass
   - High: SQL injection, XSS, sensitive data exposure
   - Medium: information disclosure, denial of service
   - Low: security misconfigurations, minor issues
4. Assess Exploitability
   - Is the vulnerable code (the specific function or code path named in the advisory) actually reachable in the application?
   - Is the attack vector applicable to your architecture (network-exposed, local access only, user interaction required)?
   - Are there compensating controls (rate limiting, WAF, network segmentation, input validation upstream)?
   - What is the CVSS base score, and does your environment raise or lower it?
5. Prioritize Remediation
   - Fix critical vulnerabilities immediately
   - Plan high-priority fixes in the current sprint
   - Schedule medium-priority fixes in the backlog
   - Accept or document low-priority findings, with an owner and a review date
Example
Context: Scanning a Node.js application
Dependency Scan:

```bash
# Run npm audit and keep the JSON report for triage. npm audit exits non-zero
# when it finds vulnerabilities at or above --audit-level, so in CI capture the
# report first and make the pass/fail decision in a separate step.
npm audit --json > audit-results.json

# Run Snyk scan (needs a Snyk account/token; also exits non-zero on findings)
snyk test --json > snyk-results.json
```
Sample Results (condensed for readability; real `npm audit --json` output keeps the advisory title, URL, CWE and CVSS inside each `via` entry rather than in a top-level `cve` field):

```json
{
  "vulnerabilities": {
    "express": {
      "severity": "high",
      "via": ["qs"],
      "cve": "CVE-2022-24999",
      "description": "qs (transitive dependency) lets a crafted query string hang the Node.js process, leading to DoS",
      "fixAvailable": {
        "version": "4.18.2"
      }
    },
    "jsonwebtoken": {
      "severity": "critical",
      "cve": "CVE-2022-23529",
      "description": "JWT signature verification bypass",
      "fixAvailable": {
        "version": "9.0.0"
      }
    },
    "lodash": {
      "severity": "medium",
      "cve": "CVE-2021-23337",
      "description": "Command injection via _.template",
      "fixAvailable": {
        "version": "4.17.21"
      }
    }
  }
}
```
SAST Scan (Semgrep):

```bash
# Run Semgrep with its security rules. --config=auto pulls rules from the Semgrep
# registry at scan time; pin a rule pack (e.g. --config p/javascript) when CI
# results must be reproducible. Semgrep exits 0 on findings unless --error is given.
semgrep --config=auto --json src/ > semgrep-results.json
```
Sample SAST Findings:

```text
Finding 1: SQL Injection Risk
File: src/api/users.js:45
Code: db.query(`SELECT * FROM users WHERE id=${userId}`)
Severity: Critical
CWE: CWE-89

Finding 2: Hardcoded Secret
File: src/config/database.js:12
Code: const password = "P@ssw0rd123";
Severity: Critical
CWE: CWE-798

Finding 3: Missing Input Validation
File: src/api/uploads.js:28
Code: fs.writeFileSync(req.body.filename, data)
Severity: High
CWE: CWE-22 (Path Traversal)
```
Triage Analysis:

| Finding | Severity | Exploitable? | Priority | Action |
|---|---|---|---|---|
| JWT bypass (CVE-2022-23529) | Critical | Yes | P0 | Update to 9.0.0 immediately (major version: run the auth test suite) |
| Hardcoded password | Critical | Yes | P0 | Move to env var; rotate the credential, since it stays in git history |
| SQL injection in users.js | Critical | Yes | P0 | Use parameterized queries |
| Path traversal in uploads | High | Yes | P1 | Validate filenames and confine writes to the upload directory |
| Express DoS (CVE-2022-24999) | High | Partial | P2 | Update to 4.18.2; existing rate limiting reduces impact |
| Lodash `_.template` command injection (CVE-2021-23337) | Medium | No | P3 | `_.template` is never called with untrusted input; update when convenient |

Scanner descriptions are summaries: before marking a finding unreachable, read the advisory for the exact affected version range and the vulnerable function, and record where in the codebase you checked.
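The triage steps (3 to 5 of the Approach section) as a script that reproduces the table above, added here as an example; it is not code from the original page. The input is constructed to follow the shape of `npm audit --json` (npm 7+) and Semgrep's `--json` report; the advisory titles, rule ids, the exploitability assessments, the CWE-to-severity policy and the Semgrep ERROR/WARNING/INFO mapping are this example's own assumptions.

```javascript
'use strict';
// Added example, not code from the original page: normalise npm audit and
// Semgrep output, apply the exploitability assessment, assign priorities and
// decide whether a CI build should fail. All input below is constructed.

const SEVERITY_RANK = { critical: 4, high: 3, medium: 2, low: 1 };
const RANK_SEVERITY = ['none', 'low', 'medium', 'high', 'critical'];
const PRIORITY = { critical: 'P0', high: 'P1', medium: 'P2', low: 'P3' };

// Policy of this example: CWEs whose rating overrides the scanner's own, following
// the severity buckets in the Approach section. Semgrep rates ERROR/WARNING/INFO.
const CWE_SEVERITY = { 'CWE-89': 'critical', 'CWE-798': 'critical', 'CWE-22': 'high' };
const SEMGREP_SEVERITY = { ERROR: 'high', WARNING: 'medium', INFO: 'low' };

// Constructed input shaped like `npm audit --json` (npm 7+): `via` holds advisory
// objects for direct findings and package names for transitive ones.
const sampleAudit = { vulnerabilities: {
  jsonwebtoken: { severity: 'critical', via: [{ name: 'jsonwebtoken', title: 'Unsafe key handling in jwt.verify()' }],
                  fixAvailable: { version: '9.0.0', isSemVerMajor: true } },
  express: { severity: 'high', via: ['qs'], fixAvailable: { version: '4.18.2', isSemVerMajor: false } },
  lodash: { severity: 'medium', via: [{ name: 'lodash', title: 'Command injection via _.template' }],
            fixAvailable: { version: '4.17.21', isSemVerMajor: false } },
} };

// Constructed input shaped like Semgrep's `--json` report; the rule ids are made up.
const sampleSemgrep = { results: [
  { check_id: 'custom.sqli-template-literal', path: 'src/api/users.js', start: { line: 45 },
    extra: { severity: 'ERROR', metadata: { cwe: ['CWE-89: SQL Injection'] } } },
  { check_id: 'custom.hardcoded-password', path: 'src/config/database.js', start: { line: 12 },
    extra: { severity: 'ERROR', metadata: { cwe: ['CWE-798: Use of Hard-coded Credentials'] } } },
  { check_id: 'custom.path-from-request-body', path: 'src/api/uploads.js', start: { line: 28 },
    extra: { severity: 'WARNING', metadata: { cwe: ['CWE-22: Path Traversal'] } } },
] };

// Result of the manual "Assess Exploitability" step, keyed by finding id.
const assessments = {
  'dep:lodash': { reachable: false, note: '_.template is never called' },
  'dep:express': { reachable: true, compensating: ['rate limiting at the edge'] },
};

function normalizeAudit(audit) {
  return Object.entries(audit.vulnerabilities).map(([pkg, v]) => {
    const advisories = v.via.filter((x) => typeof x === 'object').map((a) => a.title);
    const through = v.via.filter((x) => typeof x === 'string');
    const fix = v.fixAvailable && v.fixAvailable.version;
    return {
      id: `dep:${pkg}`,
      title: advisories.length ? advisories.join('; ') : `${pkg} vulnerable via ${through.join(', ')}`,
      severity: v.severity,
      action: fix ? `upgrade ${pkg} to ${fix}${v.fixAvailable.isSemVerMajor ? ' (major: test for breaking changes)' : ''}`
                  : `no upstream fix for ${pkg}: mitigate or replace`,
    };
  });
}

function normalizeSemgrep(report) {
  return report.results.map((r) => {
    const cwes = (r.extra.metadata.cwe || []).map((c) => c.split(':')[0]); // "CWE-89: ..." -> "CWE-89"
    const policy = cwes.map((c) => CWE_SEVERITY[c]).find(Boolean);
    return { id: `sast:${r.path}:${r.start.line}`, title: `${r.check_id} [${cwes.join(', ')}]`,
             severity: policy || SEMGREP_SEVERITY[r.extra.severity] || 'low', action: `fix ${r.path}:${r.start.line}` };
  });
}

// Unreachable code is documented rather than fixed urgently; a compensating
// control lowers the effective severity by one step. Output is sorted worst first.
function triage(findings, assessed) {
  return findings.map((f) => {
    const a = assessed[f.id] || {};
    let rank = SEVERITY_RANK[f.severity] || 1;
    let exploitable = 'yes';
    if (a.reachable === false) { rank = 1; exploitable = 'no'; }
    else if (a.compensating && a.compensating.length) { rank = Math.max(1, rank - 1); exploitable = 'partial'; }
    const effective = RANK_SEVERITY[rank];
    const action = exploitable === 'no' ? `document (${a.note}); ${f.action} when convenient` : f.action;
    return { ...f, exploitable, effective, priority: PRIORITY[effective], action };
  }).sort((x, y) => SEVERITY_RANK[y.effective] - SEVERITY_RANK[x.effective]);
}

// CI gate: fail when any still-exploitable finding is at or above the threshold.
function buildGate(triaged, failOn = 'high') {
  const blocking = triaged.filter((t) => t.exploitable !== 'no' && SEVERITY_RANK[t.effective] >= SEVERITY_RANK[failOn]);
  return { fail: blocking.length > 0, blocking: blocking.map((t) => t.id) };
}

function runTriage(audit = sampleAudit, semgrep = sampleSemgrep, assessed = assessments) {
  return triage([...normalizeAudit(audit), ...normalizeSemgrep(semgrep)], assessed);
}

const triageReport = runTriage();
for (const t of triageReport) console.log(`${t.priority} ${t.effective.padEnd(8)} ${t.exploitable.padEnd(7)} ${t.id}: ${t.action}`);
const gate = buildGate(triageReport);
console.log(gate.fail ? `FAIL build: ${gate.blocking.join(', ')}` : 'PASS');
```

The `assessments` object is the only manual input: it records why a finding is unreachable or which control reduces it, which is exactly what the accepted-risk documentation in Best Practices asks for. In a pipeline, the gate result would drive the exit status (`process.exitCode = gate.fail ? 1 : 0`), with the threshold passed per environment so that a staging build can fail on high while a hotfix branch fails only on critical.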
Remediation Report:

```markdown
# Security Scan Report - 2025-01-10

## Critical Issues (Fix Immediately)

1. **JWT Signature Bypass (CVE-2022-23529)**
   - Package: jsonwebtoken@8.5.1
   - Fix: Upgrade to 9.0.0 (major version; run the authentication test suite)
   - Command: `npm install jsonwebtoken@9.0.0`
   - Status: ⏳ In Progress

2. **Hardcoded Database Password**
   - File: src/config/database.js:12
   - Fix: Move to environment variable
   - Action: Create .env.example, update code, rotate the password (it remains in git history), add secret scanning to CI
   - Status: ⏳ In Progress

3. **SQL Injection - User Lookup**
   - File: src/api/users.js:45
   - Fix: Use parameterized queries
   - Action: Replace string interpolation with a prepared statement and bound parameters
   - Status: ⏳ In Progress

## High Priority (Fix This Sprint)

4. **Path Traversal - File Upload**
   - File: src/api/uploads.js:28
   - Fix: Validate the filename, keep only path.basename(), and verify the resolved path stays inside the upload directory
   - Status: 📋 Planned

5. **Express DoS Vulnerability (CVE-2022-24999)**
   - Package: express@4.17.1
   - Fix: Update to 4.18.2
   - Status: 📋 Planned

## Medium Priority (Backlog)

6. **Lodash `_.template` Command Injection (CVE-2021-23337)**
   - Package: lodash@4.17.20
   - Fix: Update to 4.17.21
   - Risk: Low (`_.template` is not used with untrusted input); re-check if usage changes
   - Status: 📝 Documented

## Summary
- Total findings: 6
- Critical: 3 (all actionable)
- High: 2 (all actionable)
- Medium: 1 (accepted risk)
```
Expected Result:
- All vulnerabilities identified and categorized
- Exploitability assessed for each finding
- Clear remediation plan with priorities
- Tracking status for each issue
Best Practices
- ✅ Run scans in the CI/CD pipeline on every commit
- ✅ Fail builds for critical vulnerabilities (for example `npm audit --audit-level=critical`, or a gate on the parsed report); set the threshold per environment
- ✅ Scan both dependencies (direct and transitive) and application code
- ✅ Keep scanner tools and their rule and advisory databases updated
- ✅ Assess false positives and reachability (not all findings are exploitable)
- ✅ Document accepted risks with justification, an owner and a review date
- ✅ Track remediation progress
- ✅ Set up alerts for new CVEs in your dependencies (lockfile-based monitoring such as Dependabot alerts or Snyk)
- ✅ Scan container images if using Docker
- ✅ Include license compliance checks
- ❌ Avoid: Ignoring low-severity findings (a code change or a new exploit technique can make them critical; revisit accepted risks)
- ❌ Avoid: Scanning only on release (scan continuously)
- ❌ Avoid: Updating dependencies blindly without testing (a fix may be a major version with breaking changes)
- ❌ Avoid: Dismissing findings without investigation