AgentSkillsCN

security

Security scanning patterns for the A2A project. Covers Trivy, TruffleHog, Bandit, pip-audit and Semgrep. Triggered by phrases such as "security", "vulnerability", "CVE", "secrets", "Bandit", "Trivy", "dependency scan" and "security check". Proactive: always invoke before committing code that adds new dependencies.

SKILL.md
---
name: security
description: >-
  Security scanning patterns for A2A project. Covers Trivy, TruffleHog, Bandit,
  pip-audit, and Semgrep. Triggers on "security", "vulnerability", "cve",
  "secrets", "bandit", "trivy", "dependency scan", "security check".
  PROACTIVE: Invoke before committing code with new dependencies.
allowed-tools: Read, Write, Edit, Bash, Glob, Grep
---

# Security Skill

## Quick Reference

| Scanner | Purpose | What it Finds |
|---|---|---|
| Trivy | Vulnerability scanner | CVEs in deps, misconfigs |
| TruffleHog | Secrets scanner | API keys, passwords, tokens |
| Bandit | Python code security | SQL injection, exec(), etc. |
| pip-audit | Dependency vulnerabilities | Known CVEs in packages |
| Semgrep | Static analysis | Security anti-patterns |

## GitHub Actions Pipeline

```text
# Runs on every push/PR to main
.github/workflows/security.yml

Jobs:
├── trivy          # Filesystem vulnerability scan
├── trufflehog     # Secrets in git history
├── python-security
│   ├── bandit     # Code security linter
│   ├── pip-audit  # Dependency CVEs
│   ├── safety     # Dependency check
│   └── semgrep    # Static analysis
└── security-summary
```

## Local Security Checks

### Install Tools

```bash
# All Python-based security tools
pip install bandit safety pip-audit semgrep

# Trivy (macOS)
brew install trivy

# TruffleHog (macOS)
brew install trufflehog
```

### Run Before Commit

```bash
# Quick check: report medium severity and above (-ll), skip tests
bandit -r . -x ./tests -ll

# Full report, all severities, plain text
bandit -r . -x ./tests -f txt

# Dependency check against known CVEs
pip-audit

# Secrets scan (verified secrets only, less noise)
trufflehog filesystem . --only-verified

# Trivy scan, HIGH/CRITICAL only
trivy fs --severity HIGH,CRITICAL .
```

## Trivy Usage

### Filesystem Scan (Dependencies)

```bash
# Basic scan
trivy fs .

# Strict (non-zero exit on HIGH/CRITICAL, fails CI)
trivy fs --severity CRITICAL,HIGH --exit-code 1 .

# Ignore findings that have no fixed version yet
trivy fs --severity CRITICAL,HIGH --ignore-unfixed .

# JSON output
trivy fs --format json --output trivy-report.json .
```

### Severity Policy

| Severity | Action | Block CI |
|---|---|---|
| CRITICAL | Fix immediately | YES |
| HIGH | Fix or document | YES |
| MEDIUM | Plan remediation | NO |
| LOW | Track | NO |
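The severity policy above can be applied mechanically to the JSON report that `trivy fs --format json --output trivy-report.json .` produces. The script below is an added example, not part of the skill or of Trivy: it flattens Trivy's `Results` / `Vulnerabilities` layout, counts findings per severity, and returns exit code 1 only for the levels the table marks as blocking. The embedded report, its package names and its CVE ids are constructed placeholders.

```python
"""Gate a CI job on a Trivy JSON report using the severity policy table.

Added example, not part of the skill. Reads the file written by
`trivy fs --format json --output trivy-report.json .`; SAMPLE_REPORT is a
constructed stand-in with placeholder package names and CVE ids.
"""
import json
import sys
from collections import Counter

# Severity policy from the table: these levels block CI, the rest are tracked.
BLOCKING = {"CRITICAL", "HIGH"}

# Constructed sample report mirroring Trivy's top-level layout (placeholder ids).
SAMPLE_REPORT = json.dumps({
    "Results": [
        {
            "Target": "requirements.txt",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "examplepkg",
                 "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "otherpkg",
                 "InstalledVersion": "2.3.0", "FixedVersion": "",
                 "Severity": "MEDIUM"},
            ],
        },
        # Trivy emits null (not an empty list) for targets with no findings.
        {"Target": "Dockerfile", "Vulnerabilities": None},
    ]
})
EMPTY_REPORT = '{"Results": []}'


def load_findings(report_text, ignore_unfixed=False):
    """Flatten the nested Results into one list of vulnerability dicts."""
    data = json.loads(report_text)
    findings = []
    for result in data.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue  # same effect as `trivy --ignore-unfixed`
            findings.append({**vuln, "Target": result.get("Target", "")})
    return findings


def summarize(findings):
    """Count findings per severity label."""
    return dict(Counter(f.get("Severity", "UNKNOWN") for f in findings))


def should_block(findings):
    """True when any finding sits at a severity the policy marks as blocking."""
    return any(f.get("Severity") in BLOCKING for f in findings)


def gate(report_text, ignore_unfixed=False):
    """Print a summary and return the exit code CI should use (1 = block)."""
    findings = load_findings(report_text, ignore_unfixed)
    counts = summarize(findings)
    for sev in ("CRITICAL", "HIGH", "MEDIUM", "LOW"):
        action = "BLOCK" if sev in BLOCKING else "track"
        print(f"{sev:9} {counts.get(sev, 0):3}  ({action})")
    for f in findings:
        if f.get("Severity") in BLOCKING:
            fix = f.get("FixedVersion") or "no fix yet: document the risk"
            print(f"  {f['VulnerabilityID']} {f['PkgName']} "
                  f"{f['InstalledVersion']} -> {fix} [{f['Target']}]")
    return 1 if should_block(findings) else 0


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate(text))
```

Run it as `python trivy_gate.py trivy-report.json` after the JSON scan; without an argument it evaluates the constructed sample, which blocks because of the HIGH finding.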

## Bandit (Python Code Security)

### Common Issues Detected

| Code | Issue | Risk |
|---|---|---|
| B101 | assert in production | Medium |
| B102 | exec() usage | High |
| B103 | set_bad_file_permissions | Medium |
| B104 | Hardcoded bind to 0.0.0.0 | Medium |
| B105 | Hardcoded password | High |
| B106 | Hardcoded password in func arg | High |
| B107 | Hardcoded password in default | High |
| B108 | Hardcoded temp file | Medium |
| B110 | try/except/pass | Low |
| B303 | Insecure hash (MD5/SHA1) | Medium |
| B311 | random for crypto | High |
| B324 | Insecure hash function | High |

### Configuration

```ini
# .bandit (INI format; in pyproject.toml the same keys go under [tool.bandit])
[bandit]
exclude = tests,venv,.venv
# Skip specific checks only when the exception is justified and documented
skips = B101
```

### Fix Examples

```python
import os

# BAD (B105): hardcoded secret, ends up in git history
API_KEY = "sk-1234567890"

# GOOD: read from the environment (set in .env, which is gitignored)
API_KEY = os.environ.get("API_KEY")

# BAD (B102): exec on untrusted input is arbitrary code execution
exec(user_input)

# GOOD: avoid exec entirely; parse the input with a format-specific parser
# (json.loads, ast.literal_eval, argparse, ...)

# BAD (B303/B324): MD5 is fast and unsalted, not a password hash
import hashlib
hashlib.md5(password)

# GOOD: salted, deliberately slow password hashing
from passlib.hash import bcrypt
bcrypt.hash(password)
```
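The fixes above are shown as one-liners; the module below is an added example (not from the skill) that turns them into runnable functions for B105, B102, B311 and B303/B324. It uses only the standard library: `hashlib.scrypt` stands in for the passlib `bcrypt` call the skill shows, `ast.literal_eval` is the "specific parser" alternative to `exec`, and `secrets` replaces `random` for tokens. The environment mapping and the test key are constructed.

```python
"""Runnable Bandit fixes (added example, standard library only)."""
import ast
import hashlib
import hmac
import os
import secrets
from typing import Mapping, Optional


def load_api_key(env: Optional[Mapping[str, str]] = None) -> str:
    """B105 fix: read the credential from the environment and fail loudly if absent.

    `env` defaults to os.environ; the test passes a constructed mapping instead.
    """
    env = os.environ if env is None else env
    key = env.get("API_KEY")
    if not key:
        raise RuntimeError("API_KEY is not set; refusing to run without a credential")
    return key


def parse_literal(text: str):
    """B102 fix: accept only Python data literals (numbers, strings, lists, dicts).

    ast.literal_eval raises ValueError on names, calls or imports, so untrusted
    text can never execute code the way exec() would.
    """
    return ast.literal_eval(text)


def new_session_token(nbytes: int = 32) -> str:
    """B311 fix: `secrets` draws from the OS CSPRNG; `random` is predictable."""
    return secrets.token_hex(nbytes)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """B303/B324 fix: salted, memory-hard scrypt instead of a bare MD5 digest.

    Standard-library scrypt stands in for the passlib bcrypt call in the skill;
    the output "scrypt$<salt hex>$<digest hex>" carries its own salt.
    """
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=2 ** 14, r=8, p=1, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 3 or parts[0] != "scrypt":
        return False
    try:
        salt = bytes.fromhex(parts[1])
    except ValueError:
        return False
    return hmac.compare_digest(hash_password(password, salt), stored)
```

`verify_password` rejects malformed input before doing any work and uses `hmac.compare_digest` so a mismatch takes the same time regardless of where the strings differ.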

## TruffleHog (Secrets)

### What it Detects

- AWS keys
- GCP credentials
- GitHub tokens
- API keys
- Passwords in code
- Private keys
- JWT secrets

### Local Scan

```bash
# Current directory
trufflehog filesystem .

# Only verified secrets (less noise)
trufflehog filesystem . --only-verified

# Git history
trufflehog git file://. --only-verified

# Since specific commit
trufflehog git file://. --since-commit=abc123
```

### Prevention

```gitignore
# Add to .gitignore
.env
.env.local
*.pem
*.key
credentials.json
```

## pip-audit (Dependencies)

### Usage

```bash
# Basic scan
pip-audit

# Strict mode (fail on any vuln)
pip-audit --strict

# From requirements file
pip-audit -r requirements.txt

# JSON output
pip-audit --format json --output report.json

# Markdown output
pip-audit --format markdown
```

### Fixing Vulnerabilities

```bash
# Show which versions would be upgraded, without changing anything
pip-audit --fix --dry-run

# Auto-fix (updates requirements.txt)
pip-audit --fix
```

## Semgrep (Static Analysis)

### Usage

```bash
# Auto-detect language and rules
semgrep --config=auto .

# Python-specific rules
semgrep --config=p/python .

# Security rules only
semgrep --config=p/security-audit .

# OWASP rules
semgrep --config=p/owasp-top-ten .
```

### Common Findings

| Pattern | Risk | Fix |
|---|---|---|
| SQL injection | High | Use parameterized queries |
| Command injection | High | Avoid shell=True |
| SSRF | High | Validate URLs |
| Path traversal | High | Sanitize paths |
| XSS | Medium | Escape output |
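Each "Fix" in the table has a concrete Python form. The module below is an added example (not from the skill or Semgrep) showing the hardened pattern for all five findings: a bound parameter instead of string formatting, an argv list with `shell=False`, a resolved path checked against its base directory, an https-only host allowlist, and `html.escape` on output. The users table, the allowlisted host and the `echo` command are constructed so it runs offline.

```python
"""Hardened forms of the Semgrep findings table (added example)."""
import html
import sqlite3
import subprocess
from pathlib import Path
from urllib.parse import urlparse

# Constructed allowlist for outbound requests (hypothetical host).
ALLOWED_HOSTS = {"api.example.com"}


def make_demo_db() -> sqlite3.Connection:
    """In-memory table with constructed rows, so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (id, name) VALUES (?, ?)",
                     [(1, "alice"), (2, "bob")])
    return conn


def find_user(conn: sqlite3.Connection, username: str) -> list:
    """SQL injection fix: bind the value as a parameter instead of formatting it
    into the statement, so a crafted name is compared literally."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?",
                        (username,)).fetchall()


def run_tool(args: list) -> str:
    """Command injection fix: argv list with shell=False, so shell
    metacharacters inside an argument are plain data, not syntax."""
    return subprocess.run(args, shell=False, capture_output=True,
                          text=True, check=True).stdout


def safe_join(base: str, user_path: str) -> Path:
    """Path traversal fix: resolve the joined path and require it to stay under
    base; absolute user paths and ../ sequences are rejected."""
    base_dir = Path(base).resolve()
    target = (base_dir / user_path).resolve()
    if target != base_dir and base_dir not in target.parents:
        raise ValueError(f"{user_path!r} escapes {base_dir}")
    return target


def validate_url(url: str) -> str:
    """SSRF mitigation: https only, host on the allowlist. A full defence also
    resolves the host and rejects private or link-local addresses."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or parsed.hostname not in ALLOWED_HOSTS:
        raise ValueError(f"refusing outbound request to {url!r}")
    return url


def render_comment(text: str) -> str:
    """XSS fix: escape untrusted text before embedding it in HTML."""
    return f"<p>{html.escape(text)}</p>"
```

`safe_join` compares resolved paths, so symlinks inside the base directory that point outside it are caught as well; the `parents` check is what makes `..` segments and absolute paths fail.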

## Pre-commit Hook

```yaml
# .pre-commit-config.yaml
repos:
  - repo: https://github.com/PyCQA/bandit
    rev: 1.7.7
    hooks:
      - id: bandit
        args: ["-ll", "-x", "tests"]

  - repo: https://github.com/pyupio/safety
    rev: 2.3.5
    hooks:
      - id: safety
        args: ["check", "--full-report"]
```

## Checklist

Before committing with new dependencies:

- pip-audit passes
- bandit -ll passes
- No secrets in code (trufflehog)
- trivy fs --severity HIGH,CRITICAL clean
- Security workflow passes in CI
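The four local items of the checklist can be run as one gate. The script below is an added example (not part of the skill): it runs each tool with the flags from the "Run Before Commit" section, treats a non-zero exit as a failed check, and treats a missing tool as a failure rather than a pass. The `runner` argument is injectable so the behaviour can be exercised without the tools installed; the `--fail` flag on trufflehog and `--exit-code 1` on trivy are what make those tools signal findings through their exit status.

```python
"""Local pre-commit security gate (added example, not from the skill)."""
import subprocess
import sys
from typing import Callable, Dict, List

# Checklist commands. Each tool exits non-zero when it finds something at the
# threshold: bandit at -ll (medium and above), pip-audit on any known
# vulnerability, trufflehog with --fail on a verified secret, trivy with
# --exit-code 1 on HIGH/CRITICAL.
CHECKS: Dict[str, List[str]] = {
    "pip-audit": ["pip-audit"],
    "bandit": ["bandit", "-r", ".", "-x", "./tests", "-ll", "-q"],
    "trufflehog": ["trufflehog", "filesystem", ".", "--only-verified", "--fail"],
    "trivy": ["trivy", "fs", "--severity", "HIGH,CRITICAL", "--exit-code", "1", "."],
}


def default_runner(argv: List[str]) -> int:
    """Run one tool and return its exit code. A missing tool counts as a
    failure (127) so an uninstalled scanner never passes silently."""
    try:
        return subprocess.run(argv).returncode
    except FileNotFoundError:
        return 127


def run_checklist(checks: Dict[str, List[str]] = CHECKS,
                  runner: Callable[[List[str]], int] = default_runner) -> Dict[str, bool]:
    """Run every check and map its name to pass/fail.

    `runner` is injectable so the test can substitute a fake for the real tools.
    """
    results: Dict[str, bool] = {}
    for name, argv in checks.items():
        code = runner(argv)
        results[name] = code == 0
        status = "PASS" if code == 0 else "FAIL"
        print(f"[{status}] {name:11} exit={code}  {' '.join(argv)}")
    return results


def all_passed(results: Dict[str, bool]) -> bool:
    """True only when every check in the map passed."""
    return all(results.values())


if __name__ == "__main__":
    # Non-zero exit blocks the commit when wired into a git hook.
    sys.exit(0 if all_passed(run_checklist()) else 1)
```

Wire it in as a `pre-commit` or `pre-push` hook that calls `python security_gate.py`; the per-tool PASS/FAIL lines tell the developer which of the checklist items to look at.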