AgentSkillsCN

security-testing

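Use when selecting and configuring security testing tools for a CI/CD pipeline. Covers SAST, DAST, SCA, container scanning, secrets detection, and infrastructure-as-code security scanning, with cross-platform tool recommendations. Use for: SAST, DAST, SCA, Semgrep, SonarQube, CodeQL, Snyk, OWASP ZAP, Burp Suite, Trivy, Falco, GitLeaks, TruffleHog, Checkov, container scanning, secrets scanning, IaC scanning. Do not use for: functional testing (use the testing skills), performance testing (use the testing/performance-testing skills), threat modeling (use the threat-modeling skills).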

SKILL.md
--- frontmatter
name: security-testing
description: |
    Use when selecting and configuring security testing tools for your CI/CD pipeline. Covers SAST, DAST, SCA, container scanning, secrets detection, and infrastructure-as-code security scanning with cross-platform tool recommendations.
    USE FOR: SAST, DAST, SCA, Semgrep, SonarQube, CodeQL, Snyk, OWASP ZAP, Burp Suite, Trivy, Falco, GitLeaks, TruffleHog, Checkov, container scanning, secrets scanning, IaC scanning
    DO NOT USE FOR: functional testing (use testing skills), performance testing (use testing/performance-testing), threat modeling (use threat-modeling)
license: MIT
metadata:
  displayName: "Security Testing Tools"
  author: "Tyler-R-Kendrick"
compatibility: claude, copilot, cursor

Security Testing Tools

Overview

Security testing spans the entire software delivery pipeline — from the moment code is written through build, deployment, and runtime in production. No single tool or technique is sufficient; effective security testing requires layering multiple approaches at different stages of the pipeline. Static analysis catches coding flaws before execution, dynamic analysis discovers runtime vulnerabilities in deployed applications, composition analysis identifies known vulnerabilities in dependencies, and runtime monitoring detects threats in production. The goal is to create a security testing strategy that is automated, continuous, and integrated into the CI/CD pipeline so that vulnerabilities are caught as early and as cheaply as possible.

Security Testing Categories

| Category | What It Tests | When | Tools |
|---|---|---|---|
| SAST (Static Application Security Testing) | Source code, bytecode, or binaries for coding flaws | During development and at commit/PR time | Semgrep, SonarQube, CodeQL, Snyk Code |
| DAST (Dynamic Application Security Testing) | Running applications for runtime vulnerabilities | Against staging or pre-production environments | OWASP ZAP, Burp Suite, Nuclei |
| SCA (Software Composition Analysis) | Third-party dependencies for known vulnerabilities | At build time and continuously in production | Snyk, Dependabot, Trivy, Grype + Syft |
| Container Security | Container images and runtime behavior | At build and in production | Trivy, Falco, Sysdig, Aqua |
| Secrets Detection | Code and history for leaked credentials | At commit time (pre-commit hooks) and in CI | TruffleHog, GitLeaks, detect-secrets |
| IaC Security | Infrastructure-as-code templates for misconfigurations | At commit/PR time and before deployment | Checkov, Trivy config, Terrascan, KICS |

SAST (Static Application Security Testing)

SAST tools analyze source code without executing it, identifying vulnerabilities such as SQL injection, cross-site scripting, buffer overflows, and insecure cryptographic usage. SAST is most effective when integrated into the developer workflow (IDE plugins, PR checks) so that issues are caught before code is merged.

| Tool | Languages | Approach | Cost |
|---|---|---|---|
| Semgrep | 30+ languages | Pattern matching with lightweight, customizable rules | OSS core + commercial (Semgrep AppSec Platform) |
| SonarQube | 10+ languages | Dataflow analysis with taint tracking and quality gates | Community (free) + commercial editions |
| CodeQL | 6+ languages (C/C++, C#, Go, Java, JavaScript, Python, Ruby) | Semantic code analysis using a query language over a code database | Free for open-source projects |
| Snyk Code | All major languages | Machine learning-based analysis with real-time IDE feedback | Freemium (free tier + paid plans) |

Key Considerations for SAST

  • False positive rate — Evaluate tools on your actual codebase; pattern-matching tools (Semgrep) tend to have lower false positive rates but may miss deeper dataflow issues.
  • Developer experience — IDE integration and clear remediation guidance are essential for developer adoption.
  • Custom rules — The ability to write organization-specific rules (e.g., enforcing internal API usage patterns) is a significant differentiator.

DAST (Dynamic Application Security Testing)

DAST tools test running applications by sending crafted requests and analyzing responses for evidence of vulnerabilities. DAST finds issues that SAST cannot, such as authentication flaws, server misconfigurations, and runtime injection vulnerabilities.

| Tool | Type | Best For | Cost |
|---|---|---|---|
| OWASP ZAP | Open-source | CI/CD automation, API scanning, baseline scans | Free |
| Burp Suite | Commercial | Manual penetration testing, advanced crawling, Burp extensions | Paid (Professional and Enterprise editions) |
| Nuclei | Open-source | Template-based vulnerability scanning with a large community template library | Free |

Key Considerations for DAST

  • Authenticated scanning — Ensure the tool can handle your authentication mechanism (OAuth, JWT, SAML, session cookies) to test authenticated surfaces.
  • API support — For API-heavy applications, verify the tool can import and scan OpenAPI/Swagger specifications, GraphQL schemas, or gRPC definitions.
  • Scan duration — Full DAST scans can take hours; use baseline scans in CI and full scans on a scheduled basis.

SCA (Software Composition Analysis)

SCA tools identify known vulnerabilities (CVEs) in open-source dependencies, generate Software Bills of Materials (SBOMs), and assess license compliance risks. Given that modern applications are 70-90% open-source code, SCA is a critical layer of defense.

| Tool | Languages | SBOM Generation | Cost |
|---|---|---|---|
| Snyk | All major languages and package managers | Yes (CycloneDX, SPDX) | Freemium (free tier + paid plans) |
| Dependabot | GitHub-supported languages and ecosystems | No | Free (built into GitHub) |
| Trivy | All major languages + container images + IaC | Yes (CycloneDX, SPDX) | Free (open-source, Aqua Security) |
| Grype + Syft | All major languages and container images | Yes (Syft generates SBOMs, Grype scans them) | Free (open-source, Anchore) |

Key Considerations for SCA

  • Reachability analysis — Advanced SCA tools can determine whether a vulnerable function in a dependency is actually called by your code, dramatically reducing noise.
  • License compliance — SCA tools can flag dependencies with licenses incompatible with your distribution model (e.g., GPL in a proprietary product).
  • Automated remediation — Tools like Dependabot and Snyk can automatically open pull requests to upgrade vulnerable dependencies.

Container Security

Container security covers the entire container lifecycle: building secure images, scanning for vulnerabilities, and monitoring runtime behavior for threats.

| Tool | Capability | Type |
|---|---|---|
| Trivy | Image vulnerability scanning, SBOM generation, misconfiguration detection | Open-source (Aqua Security) |
| Falco | Runtime threat detection using system call monitoring and eBPF | CNCF project (open-source) |
| Sysdig | Full lifecycle container security (scanning, runtime, compliance, forensics) | Commercial |
| Aqua | Full lifecycle container and cloud-native security platform | Commercial |

Key Considerations for Container Security

  • Base image selection — Use minimal, hardened base images (distroless, Alpine, Chainguard) to reduce the attack surface.
  • Image signing — Sign container images with Cosign or Notary to ensure supply chain integrity.
  • Runtime monitoring — Static scanning alone is insufficient; runtime tools like Falco detect anomalous behavior (unexpected shell execution, network connections, file system modifications) that image scanning cannot.

Secrets Detection

Secrets detection tools scan code, commit history, and CI/CD artifacts for accidentally committed credentials such as API keys, passwords, tokens, and private keys.

| Tool | Approach | Verification | Speed |
|---|---|---|---|
| TruffleHog | Entropy analysis + pattern matching with active verification of discovered secrets | Yes (actively verifies if secrets are live) | Slower (due to verification) |
| GitLeaks | Pattern and regex-based detection with customizable rules | No | Fast |
| detect-secrets | Pattern-based detection with a baseline file to track known/approved secrets | No | Fast |

Key Considerations for Secrets Detection

  • Pre-commit hooks — Run secrets detection as a pre-commit hook to prevent secrets from ever entering version control.
  • Full history scanning — Regularly scan the entire Git history, not just the latest commit, since secrets committed in the past remain exploitable even after deletion from the current branch.
  • Verification — TruffleHog's active verification feature confirms whether detected secrets are still valid, helping prioritize remediation.
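
How pattern matching, entropy analysis and a baseline combine in a commit-time check, as an added example (not code from TruffleHog, GitLeaks or detect-secrets). The two regexes, the 4.0 bits-per-character threshold, the function names and the sample diff are assumptions constructed for illustration.

```python
import math
import re
from collections import Counter

# Illustrative rules only (assumed); real tools ship many provider-specific patterns.
PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-header": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
TOKEN = re.compile(r"[A-Za-z0-9+/=_-]{20,}")  # candidate strings for the entropy check
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed cut-off, tune on your own code

# Constructed sample diff; both "secrets" are placeholders, not real credentials.
SAMPLE_DIFF = """\
--- a/app/settings.py
+++ b/app/settings.py
@@ -1,2 +1,3 @@
-LEGACY_TOKEN = "Hk3Pz8WnQ5vTb2XrL9yMc4DgF7sJa6Ue"
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+API_TOKEN = "q9Zt4LxV2mKp7RwY8sHd3NcB6uJfA1eG"
+TIMEOUT_SECONDS = 30
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; random keys score high, words and identifiers low."""
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values())


def scan_added_lines(diff: str, baseline=frozenset()):
    """Return (file, rule, match) for suspected secrets on lines the diff adds."""
    findings, current_file = [], None
    for line in diff.splitlines():
        if line.startswith("+++ "):  # file header, not content
            current_file = line[4:][2:] if line[4:6] == "b/" else line[4:]
            continue
        if not line.startswith("+"):
            continue  # context and removed lines are not introduced by this commit
        text, matched = line[1:], set()
        for rule, rx in PATTERNS.items():
            for m in rx.finditer(text):
                matched.add(m.group())
                findings.append((current_file, rule, m.group()))
        for tok in TOKEN.findall(text):
            if tok in matched or tok in baseline:
                continue  # already reported, or reviewed and approved in the baseline
            if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                findings.append((current_file, "high-entropy-string", tok))
    return findings
```

The removed `LEGACY_TOKEN` line is ignored here because a commit-time check only sees what is being added, which is why the periodic full-history scan is still needed.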

IaC Security

Infrastructure-as-code (IaC) security tools analyze Terraform, CloudFormation, Kubernetes manifests, Dockerfiles, and other IaC templates for security misconfigurations before they are deployed.

| Tool | Targets | Type |
|---|---|---|
| Checkov | Terraform, CloudFormation, Kubernetes, Helm, Docker, Ansible, ARM | Open-source (Prisma Cloud / Palo Alto) |
| Trivy config | Terraform, Dockerfile, Kubernetes, CloudFormation, Helm | Open-source (Aqua Security) |
| Terrascan | Terraform, Kubernetes, Helm, CloudFormation, Docker, Azure ARM | Open-source (Tenable) |
| KICS | Terraform, CloudFormation, Kubernetes, Docker, Ansible, OpenAPI, Pulumi | Open-source (Checkmarx) |

Key Considerations for IaC Security

  • Policy-as-code — Write custom policies (using Rego, Python, or YAML) to enforce organization-specific standards beyond the built-in checks.
  • Drift detection — Combine IaC scanning with drift detection to ensure deployed infrastructure matches the scanned templates.
  • Terraform plan scanning — Scan terraform plan output (not just HCL files) to catch issues that only manifest in the plan, such as overly permissive security group rules computed from variables.
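
Why the plan matters, as an added example (not code from Checkov, Trivy, Terrascan or KICS): in HCL a rule may read `cidr_blocks = var.admin_cidrs`, while the JSON plan from `terraform show -json` carries the resolved value. The check assumes the AWS provider's `aws_security_group` and `aws_security_group_rule` resources; the function names, the allowed-port default and the sample plan are constructed for illustration.

```python
import json

OPEN_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed excerpt of a JSON plan; only the fields this check reads are included.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "aws_security_group.web", "type": "aws_security_group",
   "change": {"actions": ["create"], "after": {"ingress": [
     {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
     {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}}},
  {"address": "aws_security_group_rule.db", "type": "aws_security_group_rule",
   "change": {"actions": ["update"], "after": {"type": "ingress",
     "from_port": 5432, "to_port": 5432, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]}}}
]}
""")


def _ingress_rules(rtype, after):
    """Yield ingress rule dicts from a planned resource's resolved `after` values."""
    if rtype == "aws_security_group":
        yield from after.get("ingress") or []  # inline rules
    elif rtype == "aws_security_group_rule" and after.get("type") == "ingress":
        yield after  # standalone rule resource


def find_open_ingress(plan, allowed_ports=frozenset({443})):
    """Return (address, from_port, to_port, cidr) for world-open ingress in a plan."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if not {"create", "update"} & set(change.get("actions", [])):
            continue  # no-op and delete actions introduce nothing new
        # Values only known after apply are absent from `after`, so they are not checked.
        after = change.get("after") or {}
        for rule in _ingress_rules(rc.get("type"), after):
            cidrs = (rule.get("cidr_blocks") or []) + (rule.get("ipv6_cidr_blocks") or [])
            lo, hi = rule.get("from_port"), rule.get("to_port")
            for cidr in cidrs:
                if cidr in OPEN_CIDRS and not (lo == hi and lo in allowed_ports):
                    findings.append((rc["address"], lo, hi, cidr))
    return findings
```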

CI/CD Integration

Security testing tools should be integrated into every stage of the CI/CD pipeline. The following diagram illustrates where each tool type runs:

+----------+     +----------+     +-----------+     +-------------------+
|  Commit  | --> |  Build   | --> |  Staging  | --> |    Production     |
+----------+     +----------+     +-----------+     +-------------------+
|                |                |                  |
| - SAST         | - SCA          | - DAST           | - Runtime monitoring
| - Secrets      | - Container    | - Authenticated  |   (Falco, Sysdig)
|   detection    |   image scan   |   scanning       | - Continuous SCA
| - IaC scanning | - SBOM         | - API fuzzing    | - Log analysis
| - Pre-commit   |   generation   |                  |
|   hooks        |                |                  |

Shift left, but don't stop there. Run fast, lightweight checks (SAST, secrets, IaC) at commit time for rapid developer feedback. Run heavier checks (SCA, container scanning) at build time. Run DAST against staging. Continue monitoring in production with runtime security tools and continuous vulnerability scanning.

Best Practices

  • Layer multiple testing approaches — no single tool catches everything; combine SAST, DAST, SCA, container scanning, secrets detection, and IaC scanning for comprehensive coverage.
  • Integrate security testing into CI/CD as quality gates — fail builds on critical and high-severity findings to prevent vulnerable code from reaching production.
  • Tune tools aggressively to reduce false positives — a noisy tool is an ignored tool; invest time in suppressing false positives and writing custom rules tuned to your codebase.
  • Enable incremental scanning for SAST tools in pull requests so that developers receive fast feedback on only the code they changed, reserving full scans for nightly or weekly runs.
  • Generate and store SBOMs for every release using CycloneDX or SPDX format; SBOMs enable rapid impact assessment when new vulnerabilities are disclosed in dependencies.
  • Run secrets detection as a pre-commit hook and scan the full Git history periodically; secrets committed even briefly remain in Git history and must be rotated immediately upon detection.
  • Keep security tool rulesets and vulnerability databases up to date — outdated rules miss new vulnerability patterns; automate rule updates as part of your tool maintenance.
  • Track security testing metrics (findings by severity, mean time to remediate, false positive rate, scan coverage) and report them to engineering leadership to drive continuous improvement.
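
The quality-gate and false-positive practices above, combined in one gate, as an added example (not taken from any of the tools listed). The normalized finding record, its field names, the rule ids and the expiry-dated suppression list are assumptions constructed for illustration.

```python
from datetime import date

BLOCKING = {"CRITICAL", "HIGH"}  # severities that fail the build

# Constructed, tool-agnostic records; field names and rule ids are assumptions.
FINDINGS = [
    {"tool": "sast", "rule_id": "sql-injection", "location": "api/orders.py:41", "severity": "HIGH"},
    {"tool": "sca", "rule_id": "EXAMPLE-ADVISORY-1", "location": "requirements.txt", "severity": "CRITICAL"},
    {"tool": "iac", "rule_id": "open-ingress", "location": "network.tf:12", "severity": "HIGH"},
    {"tool": "sast", "rule_id": "weak-hash", "location": "util/etag.py:9", "severity": "MEDIUM"},
]
SUPPRESSIONS = [
    {"tool": "sast", "rule_id": "sql-injection", "location": "api/orders.py:41",
     "reason": "parameterised by ORM; reviewed", "expires": "2030-01-01"},
    {"tool": "iac", "rule_id": "open-ingress", "location": "network.tf:12",
     "reason": "temporary demo environment", "expires": "2024-01-01"},
]


def evaluate_gate(findings, suppressions, today):
    """Classify findings and decide pass/fail; expired suppressions stop applying."""
    active, expired = set(), []
    for s in suppressions:
        key = (s["tool"], s["rule_id"], s["location"])
        if date.fromisoformat(s["expires"]) >= today:
            active.add(key)
        else:
            expired.append(key)  # surfaced so the team re-reviews or removes it
    result = {"blocking": [], "suppressed": [], "advisory": [], "expired": expired}
    for f in findings:
        key = (f["tool"], f["rule_id"], f["location"])
        if f["severity"].upper() not in BLOCKING:
            result["advisory"].append(f)  # reported, but does not fail the build
        elif key in active:
            result["suppressed"].append(f)  # triaged false positive or accepted risk
        else:
            result["blocking"].append(f)
    result["passed"] = not result["blocking"]
    return result
```

A CI step would exit non-zero when `passed` is false; the `suppressed` and `advisory` counts feed the false-positive-rate and findings-by-severity metrics.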