security-scanner

matteocervelli

Updated Today

21 views

Developmentautomation

About

This security-scanner skill automatically scans codebases to identify security vulnerabilities like hardcoded secrets, insecure dependencies, and unsafe code patterns. It's designed for use in automated security checks during pre-commit validation, CI/CD pipelines, and security assessments. The skill utilizes tools like Read, Grep, and Glob to perform static security analysis.

Documentation

Security Scanner Skill

Purpose

This skill provides automated security scanning of codebases to identify vulnerabilities, hardcoded secrets, insecure dependencies, and unsafe coding patterns.

When to Use

Starting security assessment of a codebase
Pre-commit security checks
CI/CD pipeline security validation
Dependency vulnerability scanning
Secret detection in code
Static security analysis

Scanning Workflow

1. Secret Detection

Scan for Hardcoded Secrets:

# Using grep patterns for common secrets
grep -r -i "password\s*=\s*['\"]" src/ --include="*.py" --include="*.js"
grep -r -i "api_key\s*=\s*['\"]" src/ --include="*.py" --include="*.js"
grep -r -i "secret\s*=\s*['\"]" src/ --include="*.py" --include="*.js"
grep -r -i "token\s*=\s*['\"]" src/ --include="*.py" --include="*.js"

# AWS credentials
grep -r "AKIA[0-9A-Z]{16}" src/
grep -r "aws_secret_access_key" src/

# Private keys
grep -r "BEGIN.*PRIVATE KEY" src/

# Database connection strings
grep -r "postgresql://.*:.*@" src/
grep -r "mysql://.*:.*@" src/
grep -r "mongodb://.*:.*@" src/

Use Dedicated Secret Scanners:

# Gitleaks (if available)
gitleaks detect --source . --report-format json --report-path gitleaks-report.json

# Trufflehog (if available)
trufflehog filesystem . --json > trufflehog-report.json

# Git-secrets (if available)
git secrets --scan

Secrets to Look For:

API keys (AWS, Google Cloud, Azure, etc.)
Database passwords
Authentication tokens
Private keys (SSH, TLS, etc.)
OAuth secrets
Encryption keys
Service account credentials
Third-party service keys (Stripe, Twilio, etc.)

Deliverable: List of files containing potential secrets with line numbers

2. Dependency Vulnerability Scanning

Python Dependencies:

# Using pip-audit (recommended)
pip-audit --desc --format json > pip-audit-report.json

# Using safety
safety check --json > safety-report.json

# Check for outdated packages
pip list --outdated --format json

Node.js Dependencies:

# NPM audit
npm audit --json > npm-audit-report.json

# Yarn audit
yarn audit --json > yarn-audit-report.json

General Container/Filesystem Scanning:

# Trivy (multi-language)
trivy filesystem . --format json --output trivy-report.json

# Check specific files
trivy filesystem requirements.txt
trivy filesystem package.json

Dependency Checks:

Known CVEs in dependencies
Outdated packages with security patches
Unmaintained packages
License compliance issues
Transitive dependency vulnerabilities

Deliverable: Vulnerability report with CVE IDs, severity scores, and affected packages

3. Insecure Code Pattern Detection

SQL Injection Vulnerabilities:

# Python - Look for string concatenation in SQL queries
grep -r "execute.*%.*" src/ --include="*.py"
grep -r "execute.*\+.*" src/ --include="*.py"
grep -r "cursor.execute.*format" src/ --include="*.py"

# Look for string formatting in SQL
grep -r "SELECT.*{" src/ --include="*.py"
grep -r "INSERT.*{" src/ --include="*.py"
grep -r "UPDATE.*{" src/ --include="*.py"
grep -r "DELETE.*{" src/ --include="*.py"

Command Injection:

# Python - subprocess with shell=True
grep -r "subprocess.*shell=True" src/ --include="*.py"
grep -r "os.system" src/ --include="*.py"
grep -r "os.popen" src/ --include="*.py"

# Node.js - child_process exec
grep -r "child_process.*exec" src/ --include="*.js"
grep -r "\.exec(" src/ --include="*.js"

Path Traversal:

# Unsanitized file paths
grep -r "open(.*request\." src/ --include="*.py"
grep -r "os.path.join(.*request\." src/ --include="*.py"
grep -r "readFile(.*req\." src/ --include="*.js"

Insecure Deserialization:

# Python pickle
grep -r "pickle.loads" src/ --include="*.py"
grep -r "cPickle.loads" src/ --include="*.py"

# YAML load (unsafe)
grep -r "yaml.load(" src/ --include="*.py"

# Node.js eval
grep -r "eval(" src/ --include="*.js"

Cross-Site Scripting (XSS):

# HTML rendering without escaping
grep -r "\.innerHTML" src/ --include="*.js" --include="*.jsx"
grep -r "dangerouslySetInnerHTML" src/ --include="*.jsx" --include="*.tsx"

# Python templates without autoescape
grep -r "autoescape=False" src/ --include="*.py"

Weak Cryptography:

# MD5, SHA1 usage
grep -r "hashlib.md5" src/ --include="*.py"
grep -r "hashlib.sha1" src/ --include="*.py"
grep -r "crypto.createHash('md5')" src/ --include="*.js"

# Weak random
grep -r "random.random(" src/ --include="*.py"
grep -r "Math.random(" src/ --include="*.js"

Deliverable: List of insecure code patterns with file locations and severity

4. Authentication & Authorization Issues

Missing Authentication:

# Python Flask routes without auth decorators
grep -r "@app.route" src/ --include="*.py" -A 1 | grep -v "@login_required" | grep -v "@auth_required"

# Express routes without middleware
grep -r "app.get\|app.post" src/ --include="*.js" -A 1

Hardcoded Credentials:

# Default passwords
grep -r "password.*=.*['\"]admin['\"]" src/
grep -r "password.*=.*['\"]password['\"]" src/
grep -r "password.*=.*['\"]123456['\"]" src/

# Default tokens
grep -r "token.*=.*['\"]test['\"]" src/

Session Management:

# Insecure session configuration
grep -r "SESSION_COOKIE_SECURE.*False" src/ --include="*.py"
grep -r "SESSION_COOKIE_HTTPONLY.*False" src/ --include="*.py"
grep -r "SESSION_COOKIE_SAMESITE.*None" src/ --include="*.py"

Deliverable: Authentication and authorization gaps with recommendations

5. Static Analysis with Automated Tools

Python - Bandit:

# Run bandit for Python security issues
bandit -r src/ -f json -o bandit-report.json

# With specific tests
bandit -r src/ -f json --severity-level medium

# Show only high severity
bandit -r src/ -ll

Multi-language - Semgrep:

# Auto-detect and scan
semgrep --config=auto . --json > semgrep-report.json

# OWASP Top 10 rules
semgrep --config=p/owasp-top-ten . --json

# Security audit
semgrep --config=p/security-audit . --json

# Python-specific
semgrep --config=p/python . --json

JavaScript - ESLint Security:

# With security plugin
eslint src/ --format json > eslint-report.json

# With security-specific rules
eslint src/ --plugin security --format json

Deliverable: Automated tool reports with findings categorized by severity

6. Configuration Security

Environment Files:

# Check for committed .env files
find . -name ".env" -o -name ".env.*" | grep -v ".env.example"

# Check .gitignore
grep -q "\.env" .gitignore || echo "WARNING: .env not in .gitignore"

Security Headers:

# Check for security header configuration
grep -r "X-Frame-Options" src/ config/
grep -r "Content-Security-Policy" src/ config/
grep -r "X-Content-Type-Options" src/ config/
grep -r "Strict-Transport-Security" src/ config/

CORS Configuration:

# Overly permissive CORS
grep -r "Access-Control-Allow-Origin.*\*" src/ config/
grep -r "cors().*origin:.*\*" src/ --include="*.js"

Deliverable: Configuration security issues and recommendations

Scanning Output Format

Create a security scan report:

# Security Scan Report

**Date**: [YYYY-MM-DD]
**Scan Scope**: [path/to/code]
**Scanner Version**: [tool versions]

## Summary

- **Critical Issues**: [count]
- **High Issues**: [count]
- **Medium Issues**: [count]
- **Low Issues**: [count]
- **Informational**: [count]

## Critical Issues

### [Issue Title]

**File**: [path/to/file:line]
**Category**: [Secret/Injection/etc.]
**Severity**: Critical

**Description**: [What was found]

**Evidence**:

[code snippet]


**Recommendation**: [How to fix]

---

## High Issues

[Similar format]

## Medium Issues

[Similar format]

## Low Issues

[Similar format]

## Tool Reports

### Dependency Scan (pip-audit)
- Vulnerable packages: [count]
- CVEs found: [list]

### Secret Detection (gitleaks)
- Secrets found: [count]
- Types: [API keys, passwords, etc.]

### Static Analysis (bandit)
- Issues found: [count]
- Most common: [issue type]

## Recommendations

### Immediate Actions (Critical/High)
1. [Action 1]
2. [Action 2]

### Short-term (Medium)
1. [Action 1]

### Long-term (Low)
1. [Action 1]

## False Positives

[List any false positives to ignore in future scans]

Best Practices

Secret Scanning:

Always scan before committing code
Check git history for past secrets
Use pre-commit hooks for automated scanning
Never commit .env files
Use secret management tools (Vault, AWS Secrets Manager)

Dependency Scanning:

Scan before adding new dependencies
Keep dependencies updated
Monitor for new vulnerabilities
Use lock files (requirements.txt, package-lock.json)
Consider dependency pinning

Code Pattern Detection:

Focus on user input handling
Check all database queries
Review file operations
Validate all external inputs
Sanitize all outputs

Automated Tools:

Run multiple tools for better coverage
Configure tools with project-specific rules
Integrate into CI/CD pipeline
Review and triage findings
Track false positives

Supporting Scripts

Quick Scan Script (scripts/quick-security-scan.sh):

#!/bin/bash
# Quick security scan

echo "Running security scans..."

# Secret detection
echo "1. Scanning for secrets..."
gitleaks detect --no-git || echo "Gitleaks not available"

# Dependency check
echo "2. Checking dependencies..."
if [ -f requirements.txt ]; then
    pip-audit || echo "pip-audit not available"
fi

# Static analysis
echo "3. Running static analysis..."
if [ -d src ]; then
    bandit -r src/ -ll || echo "Bandit not available"
fi

echo "Scan complete!"

Integration with Security Assessment

Input: Codebase to scan Process: Automated scanning with multiple tools Output: Security scan report with findings Next Step: Vulnerability assessment for detailed analysis

Tools Installation

Python Security Tools:

pip install pip-audit safety bandit

Secret Scanners:

# Gitleaks (via binary release)
# See: https://github.com/gitleaks/gitleaks/releases

# Trufflehog
pip install truffleHog

Multi-language:

# Semgrep
pip install semgrep

# Trivy (via binary release)
# See: https://github.com/aquasecurity/trivy/releases

Scan Frequency

Pre-commit: Secret detection
Daily: Dependency scanning
Weekly: Full static analysis
Before PR: Complete security scan
Before release: Comprehensive assessment

Remember

Automate everything: Use tools, don't scan manually
Multiple tools: Each catches different issues
Triage findings: Not all findings are exploitable
Fix high severity first: Prioritize by risk
Track over time: Monitor security trends
Update tools: Keep scanners current
Document exceptions: Log false positives

Your goal is to identify security issues early and comprehensively through automated scanning.

Quick Install

/plugin add https://github.com/matteocervelli/llms/tree/main/security-scanner

Copy and paste this command in Claude Code to install this skill

GitHub 仓库

matteocervelli/llms

Path: .claude/skills/security-scanner

Related Skills

sglang

Algorithmic Art Generation

business-rule-documentation

huggingface-accelerate

Development

HuggingFace Accelerate provides the simplest API for adding distributed training to PyTorch scripts with just 4 lines of code. It offers a unified interface for multiple distributed training frameworks like DeepSpeed, FSDP, and DDP while handling automatic device placement and mixed precision. This makes it ideal for developers who want to quickly scale their PyTorch training across multiple GPUs or nodes without complex configuration.

View skill