Security Scan Local
Runs the same security scans locally that execute in CI/CD, allowing developers to catch security issues before pushing code. This skill orchestrates three industry-standard security tools:
- •Semgrep: Static code analysis for security vulnerabilities and OWASP Top 10
- •Trivy: Dependency vulnerability scanning and IaC misconfiguration detection
- •Gitleaks: Secret detection in code and git history
Available Scripts
check.py
Checks if required security tools are installed and provides installation instructions.
python3 check.py
When to use: Before running scans for the first time, or to verify tool installation.
run.py
Runs all three security scans with the same configuration as CI/CD.
python3 run.py # Run all scans python3 run.py --tool semgrep # Run specific tool python3 run.py --tool trivy # Run Trivy only python3 run.py --tool gitleaks # Run Gitleaks only python3 run.py --fast # Skip Trivy IaC scan for speed
Exit codes:
- •
0: All scans passed (no issues found) - •
1: Security issues found (matches CI behavior) - •
2: Tool not installed or error
When to use: Before committing/pushing code to catch security issues early.
semgrep.py
Runs Semgrep code security analysis with OWASP Top 10 and language-specific rulesets.
python3 semgrep.py # Standard scan python3 semgrep.py --path ./src # Scan specific directory python3 semgrep.py --all # Include all severity levels
Scans for:
- •SQL injection, XSS, command injection
- •Insecure deserialization
- •Authentication/authorization flaws
- •Language-specific vulnerabilities (Rust, Python, TypeScript)
When to use: Quick code security check, or when working on authentication/data handling code.
trivy.py
Runs Trivy dependency and infrastructure-as-code scanning.
python3 trivy.py # Scan dependencies + IaC python3 trivy.py --deps-only # Dependencies only (faster) python3 trivy.py --iac-only # IaC only python3 trivy.py --path ./service # Scan specific path
Scans for:
- •Vulnerable dependencies (npm, pip, cargo packages)
- •Terraform misconfigurations
- •Kubernetes security issues
- •Dockerfile best practice violations
When to use: After updating dependencies, or when modifying infrastructure code.
gitleaks.py
Runs Gitleaks secret detection across code and git history.
python3 gitleaks.py # Full scan including history python3 gitleaks.py --staged # Staged files only (pre-commit) python3 gitleaks.py --uncommitted # Uncommitted changes only
Detects:
- •API keys, tokens, passwords
- •AWS credentials, private keys
- •Database connection strings
- •Any hardcoded secrets
When to use: Before committing, especially when working with credentials or environment files.
Workflow Examples
User says: "Run security scans"
python3 run.py
Runs all three tools with CI/CD configuration.
User says: "Check for secrets before committing"
python3 gitleaks.py --staged
Scans only staged files for secrets (fast pre-commit check).
User says: "Scan this service for vulnerabilities"
python3 trivy.py --path ./mercury-clustering
Scans a specific service directory.
User says: "Quick code security check"
python3 semgrep.py
Runs static analysis on all code.
User says: "Are the security tools installed?"
python3 check.py
Verifies tool installation and shows how to install missing tools.
Installation
The scripts will detect missing tools and provide installation commands. On macOS:
brew install semgrep trivy gitleaks
On other platforms, see tool-specific installation guides.
Notes
- •Matches CI/CD: Uses identical configuration to GitHub Actions workflows
- •Severity levels: Blocks on CRITICAL, HIGH, and MEDIUM (same as CI)
- •Test exclusions: Respects
.semgrepignore,.gitleaksignore,.trivyignore - •Performance: Full scan takes 5-6 minutes (same as CI); use
--fastor tool-specific flags for quicker checks - •SARIF output: Scripts can generate SARIF format for IDE integration (use
--sarifflag)