Security Auditor
Comprehensive security scanning for codebases. Identifies vulnerabilities before they become incidents. Focuses on actionable findings with remediation guidance.
When to Use
Use for:
- •Pre-deployment security audits
- •Dependency vulnerability scanning
- •Secret/credential leak detection
- •Code-level SAST (Static Application Security Testing)
- •Security posture reports for stakeholders
- •OWASP Top 10 compliance checking
- •Pre-PR security reviews
Do NOT use for:
- •Runtime security (WAF, rate limiting) - use infrastructure tools
- •Network security/firewall rules - use cloud/DevOps skills
- •SOC2/HIPAA/PCI compliance - requires legal/organizational process
- •Penetration testing execution - this is detection, not exploitation
Quick Start
Full Security Audit
# Run comprehensive scan ./scripts/full-audit.sh /path/to/project # Output: security-report.json + summary
Quick Checks
# Dependency vulnerabilities only npm audit --json > deps-audit.json # Secret detection only ./scripts/detect-secrets.sh /path/to/project # OWASP check specific file ./scripts/owasp-check.py /path/to/file.js
Core Scanning Capabilities
1. Dependency Scanning
| Package Manager | Command | Severity Levels |
|---|---|---|
| npm | npm audit --json | critical, high, moderate, low |
| yarn | yarn audit --json | same as npm |
| pip | pip-audit --format json | critical, high, medium, low |
| cargo | cargo audit --json | same |
Decision Tree:
Critical severity found?
├── YES → Block deployment, immediate fix required
│ └── Check if patch available → npm audit fix --force
├── NO → High severity?
├── YES → Fix within sprint, document if deferred
└── NO → Low/Moderate → Track, fix during maintenance
2. Secret Detection
High-Risk Patterns:
- •API keys:
/[A-Za-z0-9_]{20,}/near "key", "api", "secret" - •AWS credentials:
AKIA[0-9A-Z]{16} - •Private keys:
-----BEGIN (RSA|EC|OPENSSH) PRIVATE KEY----- - •JWT tokens:
eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+ - •Connection strings:
://[^:]+:[^@]+@
Entropy Analysis:
- •Shannon entropy > 4.5 on strings > 20 chars = suspicious
- •Base64-encoded blobs in source = investigate
False Positive Handling:
Secret-like pattern found? ├── In test file? → Lower severity, document ├── In example/docs? → Check if placeholder ├── High entropy + near "password"/"secret" → High confidence └── In .env.example? → Acceptable if placeholder values
3. OWASP Top 10 Static Analysis
| # | Vulnerability | Detection Pattern |
|---|---|---|
| A01 | Broken Access Control | Missing auth checks on routes |
| A02 | Cryptographic Failures | Weak algorithms (MD5, SHA1 for passwords) |
| A03 | Injection | Unparameterized queries, eval(), innerHTML |
| A04 | Insecure Design | Hardcoded credentials, missing rate limits |
| A05 | Security Misconfiguration | Debug mode in prod, default credentials |
| A06 | Vulnerable Components | Known CVEs in dependencies |
| A07 | Auth Failures | Weak password policies, session issues |
| A08 | Integrity Failures | Unsigned updates, untrusted deserialization |
| A09 | Logging Failures | Sensitive data in logs, missing audit trails |
| A10 | SSRF | Unvalidated URL inputs to fetch/request |
4. Language-Specific Checks
JavaScript/TypeScript:
- •
eval(),new Function()- code injection - •
innerHTML,outerHTML- XSS vectors - •
document.write()- DOM-based XSS - •
child_process.exec()with user input - command injection - •Regex without timeout - ReDoS vulnerability
Python:
- •
pickle.loads()with untrusted data - arbitrary code execution - •
yaml.load()withoutLoader=SafeLoader- code injection - •
subprocess.shell=True- command injection - •
eval(),exec()- code injection - •SQL string concatenation - SQL injection
SQL:
- •String concatenation in queries - SQL injection
- •
LIKE '%' + input + '%'- injection via wildcards - •Missing parameterization - critical vulnerability
Anti-Patterns
Anti-Pattern: Security by Obscurity
What it looks like: "Nobody will find this hardcoded password" Why wrong: Secrets in source always leak eventually Instead: Environment variables, secret managers, zero hardcoded secrets
Anti-Pattern: Audit Fatigue
What it looks like: 500 findings, all "medium", team ignores Why wrong: Critical issues buried in noise Instead: Prioritize by exploitability, start with critical/high only
Anti-Pattern: Fix Without Understanding
What it looks like: npm audit fix --force without review
Why wrong: May introduce breaking changes, doesn't address root cause
Instead: Review each fix, understand the vulnerability, test after
Anti-Pattern: One-Time Audit
What it looks like: "We did a security audit last year" Why wrong: New CVEs daily, code changes constantly Instead: CI/CD integration, weekly automated scans minimum
Security Report Format
{
"summary": {
"critical": 0,
"high": 2,
"medium": 5,
"low": 12,
"informational": 8
},
"findings": [
{
"id": "SEC-001",
"severity": "high",
"category": "A03:Injection",
"title": "SQL Injection in user search",
"location": "src/api/users.js:45",
"description": "User input concatenated directly into SQL query",
"evidence": "const query = `SELECT * FROM users WHERE name = '${input}'`",
"remediation": "Use parameterized queries: db.query('SELECT * FROM users WHERE name = $1', [input])",
"references": ["https://owasp.org/www-community/attacks/SQL_Injection"]
}
],
"recommendations": [
"Implement parameterized queries across all database access",
"Add input validation layer",
"Enable SQL query logging for monitoring"
]
}
CI/CD Integration
GitHub Actions Example
security-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run security audit
run: |
npm audit --json > audit.json
./scripts/detect-secrets.sh . > secrets.json
./scripts/generate-report.py
- name: Fail on critical
run: |
if jq '.summary.critical > 0' report.json; then
echo "Critical vulnerabilities found!"
exit 1
fi
Scripts (in scripts/ folder)
| Script | Purpose |
|---|---|
full-audit.sh | Comprehensive security scan |
detect-secrets.sh | High-entropy string and pattern detection |
owasp-check.py | OWASP Top 10 static analysis |
generate-report.py | Combine findings into unified report |
Expert vs Novice Approach
| Novice | Expert |
|---|---|
| Runs audit once before release | CI/CD integration, every commit |
| Focuses on tool output only | Understands vulnerability context |
| Fixes everything or nothing | Triages by exploitability |
| Uses one scanner | Layers multiple tools |
| Ignores false positives | Tunes detection rules |
Success Metrics
| Metric | Target |
|---|---|
| Critical/High pre-production | 0 |
| Mean time to remediate critical | < 24 hours |
| False positive rate | < 10% |
| Scan coverage | 100% of deployable code |
Reference Files
- •
references/owasp-top-10-2024.md- Detailed OWASP guidance - •
references/secret-patterns.md- Comprehensive regex patterns - •
references/remediation-playbook.md- Fix guidance by vulnerability type - •
references/ci-cd-templates.md- Integration examples - •
scripts/- Working security scanning scripts
Detects: Dependency CVEs | Secret leaks | Injection vulnerabilities | OWASP violations | Security misconfigurations
Use with: site-reliability-engineer (deployment gates) | code-review (PR security checks)