Vulnerability Scanning

Use automated tools to scan dependencies and code, quickly triage security issues, and prioritize remediation work.

SKILL.md
--- frontmatter
name: "Vulnerability Scanning"
description: "Scan dependencies and code for known vulnerabilities using automated tools, triage security issues, and prioritize remediation"
category: "security"
required_tools: ["Bash", "Read", "Grep", "WebSearch"]

Vulnerability Scanning

Purpose

Automate the detection of known vulnerabilities in dependencies and code using security scanning tools, triage findings, and prioritize remediation based on risk and exploitability.

When to Use

  • Before deploying to production
  • During CI/CD pipeline execution
  • Regular security audits (weekly/monthly)
  • After updating dependencies
  • Investigating security alerts

Key Capabilities

  1. Dependency Scanning - Identify vulnerable packages and libraries
  2. SAST/DAST Execution - Run static and dynamic analysis tools
  3. Issue Triage - Categorize and prioritize security findings

Approach

  1. Select Appropriate Tools

    • Dependency scanners: npm audit, pip-audit, Snyk, OWASP Dependency-Check
    • SAST (Static): Bandit (Python), ESLint security, Semgrep, SonarQube
    • DAST (Dynamic): OWASP ZAP, Burp Suite
    • Secret detection: GitGuardian, TruffleHog
  2. Run Scans

    • Execute during CI/CD pipeline
    • Scan both application code and dependencies
    • Include container image scanning if applicable
    • Check for exposed secrets
  3. Parse and Triage Results

    • Critical: Remote code execution, authentication bypass
    • High: SQL injection, XSS, sensitive data exposure
    • Medium: Information disclosure, denial of service
    • Low: Security misconfigurations, minor issues
  4. Assess Exploitability

    • Is vulnerable code actually used in the application?
    • Is the attack vector applicable to your architecture?
    • Are there compensating controls?
    • What's the CVSS score?
  5. Prioritize Remediation

    • Fix critical vulnerabilities immediately
    • Plan high-priority fixes in current sprint
    • Schedule medium-priority fixes in backlog
    • Accept or document low-priority findings

Example

Context: Scanning a Node.js application

Dependency Scan:

bash
# Run npm audit
npm audit --json > audit-results.json

# Run Snyk scan
snyk test --json > snyk-results.json

Sample Results:

json
{
  "vulnerabilities": {
    "express": {
      "severity": "high",
      "via": ["qs"],
      "cve": "CVE-2022-24999",
      "description": "express accepts malformed URLs, leading to DoS",
      "fixAvailable": {
        "version": "4.18.2"
      }
    },
    "jsonwebtoken": {
      "severity": "critical",
      "cve": "CVE-2022-23529",
      "description": "JWT signature verification bypass",
      "fixAvailable": {
        "version": "9.0.0"
      }
    },
    "lodash": {
      "severity": "medium",
      "cve": "CVE-2021-23337",
      "description": "Prototype pollution",
      "fixAvailable": {
        "version": "4.17.21"
      }
    }
  }
}

SAST Scan (Semgrep):

bash
# Run Semgrep with security rules
semgrep --config=auto --json src/ > semgrep-results.json

Sample SAST Findings:

code
Finding 1: SQL Injection Risk
File: src/api/users.js:45
Code: db.query(`SELECT * FROM users WHERE id=${userId}`)
Severity: Critical
CWE: CWE-89

Finding 2: Hardcoded Secret
File: src/config/database.js:12
Code: const password = "P@ssw0rd123";
Severity: Critical
CWE: CWE-798

Finding 3: Missing Input Validation
File: src/api/uploads.js:28
Code: fs.writeFileSync(req.body.filename, data)
Severity: High
CWE: CWE-22 (Path Traversal)

Triage Analysis:

| Finding | Severity | Exploitable? | Priority | Action |
|---|---|---|---|---|
| JWT bypass (CVE-2022-23529) | Critical | Yes | P0 | Update to 9.0.0 immediately |
| Hardcoded password | Critical | Yes | P0 | Move to env var, rotate credentials |
| SQL injection in users.js | Critical | Yes | P0 | Use parameterized queries |
| Path traversal in uploads | High | Yes | P1 | Validate and sanitize filenames |
| Express DoS (CVE-2022-24999) | High | Partial | P2 | Update to 4.18.2, have rate limiting |
| Lodash prototype pollution | Medium | No | P3 | Not exploitable in our usage, update when convenient |
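
The dependency rows of the triage analysis above can be derived mechanically once each finding has an exploitability verdict. The JavaScript below is an added example, not part of the original skill file: it takes a report in the shape of the sample results plus a reviewer's verdict per package. The priority rule (severity rank, lowered one step for partial or no exploitability) and the names `triage`, `shouldFailBuild`, `SAMPLE_REPORT` and `SAMPLE_ASSESSMENT` are assumptions chosen to reproduce the priorities shown above.

```javascript
// Constructed sample in the shape of the "Sample Results" above (not real scanner output).
const SAMPLE_REPORT = {
  vulnerabilities: {
    express: { severity: "high", cve: "CVE-2022-24999", fixAvailable: { version: "4.18.2" } },
    jsonwebtoken: { severity: "critical", cve: "CVE-2022-23529", fixAvailable: { version: "9.0.0" } },
    lodash: { severity: "medium", cve: "CVE-2021-23337", fixAvailable: { version: "4.17.21" } },
  },
};

// Step 4 output: the reviewer's exploitability verdict per package (assumed input format).
const SAMPLE_ASSESSMENT = { express: "partial", jsonwebtoken: "yes", lodash: "no" };

// npm audit itself reports "moderate" and "info"; the page's sample uses "medium".
const SEVERITY_RANK = { critical: 0, high: 1, medium: 2, moderate: 2, low: 3, info: 3 };
const EXPLOIT_PENALTY = { yes: 0, partial: 1, no: 1 };

function triage(report, assessment = {}) {
  return Object.entries(report.vulnerabilities ?? {})
    .map(([pkg, vuln]) => {
      // An unknown severity or a missing verdict is treated as worst case, never dropped.
      const rank = SEVERITY_RANK[String(vuln.severity).toLowerCase()] ?? 0;
      const exploitable = assessment[pkg] ?? "yes";
      const priority = Math.min(rank + (EXPLOIT_PENALTY[exploitable] ?? 0), 3);
      // fixAvailable may be an object carrying a version, or a plain boolean.
      const fix = vuln.fixAvailable;
      const action = fix && fix.version ? `upgrade to ${pkg}@${fix.version}`
        : fix === true ? "run npm audit fix"
        : "no fix published: apply a compensating control";
      return { pkg, cve: vuln.cve ?? "n/a", severity: vuln.severity, exploitable,
               priority: `P${priority}`, action };
    })
    .sort((a, b) => a.priority.localeCompare(b.priority) || a.pkg.localeCompare(b.pkg));
}

// CI gate: block the build while any P0 finding is open.
function shouldFailBuild(findings) {
  return findings.some((f) => f.priority === "P0");
}

const findings = triage(SAMPLE_REPORT, SAMPLE_ASSESSMENT);
console.table(findings);
console.log("fail build:", shouldFailBuild(findings));
```

In a pipeline, set `process.exitCode = 1` when `shouldFailBuild` returns true so the job fails while a P0 finding remains.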

Remediation Report:

markdown
# Security Scan Report - 2025-01-10

## Critical Issues (Fix Immediately)
1. **JWT Signature Bypass (CVE-2022-23529)**
   - Package: jsonwebtoken@8.5.1
   - Fix: Upgrade to 9.0.0
   - Command: `npm install jsonwebtoken@9.0.0`
   - Status: ⏳ In Progress

2. **Hardcoded Database Password**
   - File: src/config/database.js:12
   - Fix: Move to environment variable
   - Action: Create .env.example, update code
   - Status: ⏳ In Progress

3. **SQL Injection - User Lookup**
   - File: src/api/users.js:45
   - Fix: Use parameterized queries
   - Action: Replace string concatenation with prepared statement
   - Status: ⏳ In Progress

## High Priority (Fix This Sprint)
4. **Path Traversal - File Upload**
   - File: src/api/uploads.js:28
   - Fix: Validate filename, use path.basename()
   - Status: 📋 Planned

5. **Express DoS Vulnerability**
   - Package: express@4.17.1
   - Fix: Update to 4.18.2
   - Status: 📋 Planned

## Medium Priority (Backlog)
6. **Lodash Prototype Pollution**
   - Package: lodash@4.17.20
   - Fix: Update to 4.17.21
   - Risk: Low (not exploitable in our usage)
   - Status: 📝 Documented

## Summary
- Total findings: 6
- Critical: 3 (all actionable)
- High: 2 (all actionable)
- Medium: 1 (accepted risk)

Expected Result:

  • All vulnerabilities identified and categorized
  • Exploitability assessed for each finding
  • Clear remediation plan with priorities
  • Tracking status for each issue
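
The fix listed for the path traversal finding (validate the filename, use path.basename()) is sketched below as an added example; it is not the application's code, and `UPLOAD_DIR` and `safeUploadPath` are hypothetical names. It shows why `path.basename()` alone is not enough: backslash separators and names such as `..` survive it on POSIX systems, so the name is also allow-listed and the resolved path is checked against the upload root.

```javascript
const path = require("node:path");

// Hypothetical upload root; the page does not say where uploads.js stores files.
const UPLOAD_DIR = "/srv/app/uploads";

// Hardened replacement for passing req.body.filename straight to fs.writeFileSync():
// strip directories, allow-list the name, then verify containment.
function safeUploadPath(filename, uploadDir = UPLOAD_DIR) {
  if (typeof filename !== "string" || filename.length === 0 || filename.length > 255) {
    throw new Error("invalid filename");
  }
  // Treat "\" as a separator too: on POSIX, path.basename() keeps "..\\x" intact.
  const base = path.basename(filename.replace(/\\/g, "/"));
  // Allow-list: letters, digits, dot, dash, underscore; no leading dot
  // (rejects ".", ".." and dotfiles such as ".env").
  if (!/^[A-Za-z0-9_-][A-Za-z0-9._-]*$/.test(base)) {
    throw new Error("invalid filename");
  }
  const root = path.resolve(uploadDir);
  const target = path.resolve(root, base);
  // Defence in depth: the resolved path must still sit under the upload root.
  if (!target.startsWith(root + path.sep)) {
    throw new Error("path escapes upload directory");
  }
  return target;
}

// Constructed inputs: one ordinary name and several that must not leave UPLOAD_DIR.
for (const name of ["report.pdf", "../../etc/passwd", "..\\..\\boot.ini", "..", ".env"]) {
  try {
    console.log(JSON.stringify(name), "->", safeUploadPath(name));
  } catch (err) {
    console.log(JSON.stringify(name), "-> rejected:", err.message);
  }
}
```

Passing the returned path to `fs.writeFileSync` with `{ flag: "wx" }` additionally prevents an upload from overwriting an existing file.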

Best Practices

  • ✅ Run scans in CI/CD pipeline on every commit
  • ✅ Fail builds for critical vulnerabilities
  • ✅ Scan both dependencies and application code
  • ✅ Keep scanner tools updated
  • ✅ Assess false positives (not all findings are exploitable)
  • ✅ Document accepted risks with justification
  • ✅ Track remediation progress
  • ✅ Set up alerts for new CVEs in your dependencies
  • ✅ Scan container images if using Docker
  • ✅ Include license compliance checks
  • ❌ Avoid: Ignoring low-severity findings (they can become critical)
  • ❌ Avoid: Scanning only on release (scan continuously)
  • ❌ Avoid: Updating dependencies blindly without testing
  • ❌ Avoid: Dismissing findings without investigation