Security Scanner Skill
Purpose
This skill provides automated security scanning of codebases to identify vulnerabilities, hardcoded secrets, insecure dependencies, and unsafe coding patterns.
When to Use
- •Starting security assessment of a codebase
- •Pre-commit security checks
- •CI/CD pipeline security validation
- •Dependency vulnerability scanning
- •Secret detection in code
- •Static security analysis
Scanning Workflow
1. Secret Detection
Scan for Hardcoded Secrets:
# Using grep patterns for common secrets
grep -r -i "password\s*=\s*['\"]" src/ --include="*.py" --include="*.js"
grep -r -i "api_key\s*=\s*['\"]" src/ --include="*.py" --include="*.js"
grep -r -i "secret\s*=\s*['\"]" src/ --include="*.py" --include="*.js"
grep -r -i "token\s*=\s*['\"]" src/ --include="*.py" --include="*.js"
# AWS credentials
grep -r "AKIA[0-9A-Z]{16}" src/
grep -r "aws_secret_access_key" src/
# Private keys
grep -r "BEGIN.*PRIVATE KEY" src/
# Database connection strings
grep -r "postgresql://.*:.*@" src/
grep -r "mysql://.*:.*@" src/
grep -r "mongodb://.*:.*@" src/
Use Dedicated Secret Scanners:
# Gitleaks (if available) gitleaks detect --source . --report-format json --report-path gitleaks-report.json # Trufflehog (if available) trufflehog filesystem . --json > trufflehog-report.json # Git-secrets (if available) git secrets --scan
Secrets to Look For:
- •API keys (AWS, Google Cloud, Azure, etc.)
- •Database passwords
- •Authentication tokens
- •Private keys (SSH, TLS, etc.)
- •OAuth secrets
- •Encryption keys
- •Service account credentials
- •Third-party service keys (Stripe, Twilio, etc.)
Deliverable: List of files containing potential secrets with line numbers
2. Dependency Vulnerability Scanning
Python Dependencies:
# Using pip-audit (recommended) pip-audit --desc --format json > pip-audit-report.json # Using safety safety check --json > safety-report.json # Check for outdated packages pip list --outdated --format json
Node.js Dependencies:
# NPM audit npm audit --json > npm-audit-report.json # Yarn audit yarn audit --json > yarn-audit-report.json
General Container/Filesystem Scanning:
# Trivy (multi-language) trivy filesystem . --format json --output trivy-report.json # Check specific files trivy filesystem requirements.txt trivy filesystem package.json
Dependency Checks:
- •Known CVEs in dependencies
- •Outdated packages with security patches
- •Unmaintained packages
- •License compliance issues
- •Transitive dependency vulnerabilities
Deliverable: Vulnerability report with CVE IDs, severity scores, and affected packages
3. Insecure Code Pattern Detection
SQL Injection Vulnerabilities:
# Python - Look for string concatenation in SQL queries
grep -r "execute.*%.*" src/ --include="*.py"
grep -r "execute.*\+.*" src/ --include="*.py"
grep -r "cursor.execute.*format" src/ --include="*.py"
# Look for string formatting in SQL
grep -r "SELECT.*{" src/ --include="*.py"
grep -r "INSERT.*{" src/ --include="*.py"
grep -r "UPDATE.*{" src/ --include="*.py"
grep -r "DELETE.*{" src/ --include="*.py"
Command Injection:
# Python - subprocess with shell=True
grep -r "subprocess.*shell=True" src/ --include="*.py"
grep -r "os.system" src/ --include="*.py"
grep -r "os.popen" src/ --include="*.py"
# Node.js - child_process exec
grep -r "child_process.*exec" src/ --include="*.js"
grep -r "\.exec(" src/ --include="*.js"
Path Traversal:
# Unsanitized file paths grep -r "open(.*request\." src/ --include="*.py" grep -r "os.path.join(.*request\." src/ --include="*.py" grep -r "readFile(.*req\." src/ --include="*.js"
Insecure Deserialization:
# Python pickle
grep -r "pickle.loads" src/ --include="*.py"
grep -r "cPickle.loads" src/ --include="*.py"
# YAML load (unsafe)
grep -r "yaml.load(" src/ --include="*.py"
# Node.js eval
grep -r "eval(" src/ --include="*.js"
Cross-Site Scripting (XSS):
# HTML rendering without escaping grep -r "\.innerHTML" src/ --include="*.js" --include="*.jsx" grep -r "dangerouslySetInnerHTML" src/ --include="*.jsx" --include="*.tsx" # Python templates without autoescape grep -r "autoescape=False" src/ --include="*.py"
Weak Cryptography:
# MD5, SHA1 usage
grep -r "hashlib.md5" src/ --include="*.py"
grep -r "hashlib.sha1" src/ --include="*.py"
grep -r "crypto.createHash('md5')" src/ --include="*.js"
# Weak random
grep -r "random.random(" src/ --include="*.py"
grep -r "Math.random(" src/ --include="*.js"
Deliverable: List of insecure code patterns with file locations and severity
4. Authentication & Authorization Issues
Missing Authentication:
# Python Flask routes without auth decorators grep -r "@app.route" src/ --include="*.py" -A 1 | grep -v "@login_required" | grep -v "@auth_required" # Express routes without middleware grep -r "app.get\|app.post" src/ --include="*.js" -A 1
Hardcoded Credentials:
# Default passwords grep -r "password.*=.*['\"]admin['\"]" src/ grep -r "password.*=.*['\"]password['\"]" src/ grep -r "password.*=.*['\"]123456['\"]" src/ # Default tokens grep -r "token.*=.*['\"]test['\"]" src/
Session Management:
# Insecure session configuration grep -r "SESSION_COOKIE_SECURE.*False" src/ --include="*.py" grep -r "SESSION_COOKIE_HTTPONLY.*False" src/ --include="*.py" grep -r "SESSION_COOKIE_SAMESITE.*None" src/ --include="*.py"
Deliverable: Authentication and authorization gaps with recommendations
5. Static Analysis with Automated Tools
Python - Bandit:
# Run bandit for Python security issues bandit -r src/ -f json -o bandit-report.json # With specific tests bandit -r src/ -f json --severity-level medium # Show only high severity bandit -r src/ -ll
Multi-language - Semgrep:
# Auto-detect and scan semgrep --config=auto . --json > semgrep-report.json # OWASP Top 10 rules semgrep --config=p/owasp-top-ten . --json # Security audit semgrep --config=p/security-audit . --json # Python-specific semgrep --config=p/python . --json
JavaScript - ESLint Security:
# With security plugin eslint src/ --format json > eslint-report.json # With security-specific rules eslint src/ --plugin security --format json
Deliverable: Automated tool reports with findings categorized by severity
6. Configuration Security
Environment Files:
# Check for committed .env files find . -name ".env" -o -name ".env.*" | grep -v ".env.example" # Check .gitignore grep -q "\.env" .gitignore || echo "WARNING: .env not in .gitignore"
Security Headers:
# Check for security header configuration grep -r "X-Frame-Options" src/ config/ grep -r "Content-Security-Policy" src/ config/ grep -r "X-Content-Type-Options" src/ config/ grep -r "Strict-Transport-Security" src/ config/
CORS Configuration:
# Overly permissive CORS grep -r "Access-Control-Allow-Origin.*\*" src/ config/ grep -r "cors().*origin:.*\*" src/ --include="*.js"
Deliverable: Configuration security issues and recommendations
Scanning Output Format
Create a security scan report:
# Security Scan Report **Date**: [YYYY-MM-DD] **Scan Scope**: [path/to/code] **Scanner Version**: [tool versions] ## Summary - **Critical Issues**: [count] - **High Issues**: [count] - **Medium Issues**: [count] - **Low Issues**: [count] - **Informational**: [count] ## Critical Issues ### [Issue Title] **File**: [path/to/file:line] **Category**: [Secret/Injection/etc.] **Severity**: Critical **Description**: [What was found] **Evidence**:
[code snippet]
**Recommendation**: [How to fix] --- ## High Issues [Similar format] ## Medium Issues [Similar format] ## Low Issues [Similar format] ## Tool Reports ### Dependency Scan (pip-audit) - Vulnerable packages: [count] - CVEs found: [list] ### Secret Detection (gitleaks) - Secrets found: [count] - Types: [API keys, passwords, etc.] ### Static Analysis (bandit) - Issues found: [count] - Most common: [issue type] ## Recommendations ### Immediate Actions (Critical/High) 1. [Action 1] 2. [Action 2] ### Short-term (Medium) 1. [Action 1] ### Long-term (Low) 1. [Action 1] ## False Positives [List any false positives to ignore in future scans]
Best Practices
Secret Scanning:
- •Always scan before committing code
- •Check git history for past secrets
- •Use pre-commit hooks for automated scanning
- •Never commit .env files
- •Use secret management tools (Vault, AWS Secrets Manager)
Dependency Scanning:
- •Scan before adding new dependencies
- •Keep dependencies updated
- •Monitor for new vulnerabilities
- •Use lock files (requirements.txt, package-lock.json)
- •Consider dependency pinning
Code Pattern Detection:
- •Focus on user input handling
- •Check all database queries
- •Review file operations
- •Validate all external inputs
- •Sanitize all outputs
Automated Tools:
- •Run multiple tools for better coverage
- •Configure tools with project-specific rules
- •Integrate into CI/CD pipeline
- •Review and triage findings
- •Track false positives
Supporting Scripts
Quick Scan Script (scripts/quick-security-scan.sh):
#!/bin/bash
# Quick security scan
echo "Running security scans..."
# Secret detection
echo "1. Scanning for secrets..."
gitleaks detect --no-git || echo "Gitleaks not available"
# Dependency check
echo "2. Checking dependencies..."
if [ -f requirements.txt ]; then
pip-audit || echo "pip-audit not available"
fi
# Static analysis
echo "3. Running static analysis..."
if [ -d src ]; then
bandit -r src/ -ll || echo "Bandit not available"
fi
echo "Scan complete!"
Integration with Security Assessment
Input: Codebase to scan Process: Automated scanning with multiple tools Output: Security scan report with findings Next Step: Vulnerability assessment for detailed analysis
Tools Installation
Python Security Tools:
pip install pip-audit safety bandit
Secret Scanners:
# Gitleaks (via binary release) # See: https://github.com/gitleaks/gitleaks/releases # Trufflehog pip install truffleHog
Multi-language:
# Semgrep pip install semgrep # Trivy (via binary release) # See: https://github.com/aquasecurity/trivy/releases
Scan Frequency
- •Pre-commit: Secret detection
- •Daily: Dependency scanning
- •Weekly: Full static analysis
- •Before PR: Complete security scan
- •Before release: Comprehensive assessment
Remember
- •Automate everything: Use tools, don't scan manually
- •Multiple tools: Each catches different issues
- •Triage findings: Not all findings are exploitable
- •Fix high severity first: Prioritize by risk
- •Track over time: Monitor security trends
- •Update tools: Keep scanners current
- •Document exceptions: Log false positives
Your goal is to identify security issues early and comprehensively through automated scanning.