>_

security-scanner

Scan codebase for security vulnerabilities including secrets, insecure dependencies, and unsafe code patterns. Use when performing automated security scans.

allowed_tools: Read, Grep, Glob, Bash

$ Instalar

git clone https://github.com/matteocervelli/llms /tmp/llms && cp -r /tmp/llms/.claude/skills/security-scanner ~/.claude/skills/llms

// tip: Run this command in your terminal to install the skill

SKILL.md
View on GitHub →

name: security-scanner description: Scan codebase for security vulnerabilities including secrets, insecure dependencies, and unsafe code patterns. Use when performing automated security scans. allowed-tools: Read, Grep, Glob, Bash

Security Scanner Skill

Purpose

This skill provides automated security scanning of codebases to identify vulnerabilities, hardcoded secrets, insecure dependencies, and unsafe coding patterns.

When to Use

  • Starting security assessment of a codebase
  • Pre-commit security checks
  • CI/CD pipeline security validation
  • Dependency vulnerability scanning
  • Secret detection in code
  • Static security analysis

Scanning Workflow

1. Secret Detection

Scan for Hardcoded Secrets:

# Using grep patterns for common secrets
grep -r -i "password\s*=\s*['\"]" src/ --include="*.py" --include="*.js"
grep -r -i "api_key\s*=\s*['\"]" src/ --include="*.py" --include="*.js"
grep -r -i "secret\s*=\s*['\"]" src/ --include="*.py" --include="*.js"
grep -r -i "token\s*=\s*['\"]" src/ --include="*.py" --include="*.js"

# AWS credentials
grep -r "AKIA[0-9A-Z]{16}" src/
grep -r "aws_secret_access_key" src/

# Private keys
grep -r "BEGIN.*PRIVATE KEY" src/

# Database connection strings
grep -r "postgresql://.*:.*@" src/
grep -r "mysql://.*:.*@" src/
grep -r "mongodb://.*:.*@" src/

Use Dedicated Secret Scanners:

# Gitleaks (if available)
gitleaks detect --source . --report-format json --report-path gitleaks-report.json

# Trufflehog (if available)
trufflehog filesystem . --json > trufflehog-report.json

# Git-secrets (if available)
git secrets --scan

Secrets to Look For:

  • API keys (AWS, Google Cloud, Azure, etc.)
  • Database passwords
  • Authentication tokens
  • Private keys (SSH, TLS, etc.)
  • OAuth secrets
  • Encryption keys
  • Service account credentials
  • Third-party service keys (Stripe, Twilio, etc.)

Deliverable: List of files containing potential secrets with line numbers

2. Dependency Vulnerability Scanning

Python Dependencies:

# Using pip-audit (recommended)
pip-audit --desc --format json > pip-audit-report.json

# Using safety
safety check --json > safety-report.json

# Check for outdated packages
pip list --outdated --format json

Node.js Dependencies:

# NPM audit
npm audit --json > npm-audit-report.json

# Yarn audit
yarn audit --json > yarn-audit-report.json

General Container/Filesystem Scanning:

# Trivy (multi-language)
trivy filesystem . --format json --output trivy-report.json

# Check specific files
trivy filesystem requirements.txt
trivy filesystem package.json

Dependency Checks:

  • Known CVEs in dependencies
  • Outdated packages with security patches
  • Unmaintained packages
  • License compliance issues
  • Transitive dependency vulnerabilities

Deliverable: Vulnerability report with CVE IDs, severity scores, and affected packages

3. Insecure Code Pattern Detection

SQL Injection Vulnerabilities:

# Python - Look for string concatenation in SQL queries
grep -r "execute.*%.*" src/ --include="*.py"
grep -r "execute.*\+.*" src/ --include="*.py"
grep -r "cursor.execute.*format" src/ --include="*.py"

# Look for string formatting in SQL
grep -r "SELECT.*{" src/ --include="*.py"
grep -r "INSERT.*{" src/ --include="*.py"
grep -r "UPDATE.*{" src/ --include="*.py"
grep -r "DELETE.*{" src/ --include="*.py"

Command Injection:

# Python - subprocess with shell=True
grep -r "subprocess.*shell=True" src/ --include="*.py"
grep -r "os.system" src/ --include="*.py"
grep -r "os.popen" src/ --include="*.py"

# Node.js - child_process exec
grep -r "child_process.*exec" src/ --include="*.js"
grep -r "\.exec(" src/ --include="*.js"

Path Traversal:

# Unsanitized file paths
grep -r "open(.*request\." src/ --include="*.py"
grep -r "os.path.join(.*request\." src/ --include="*.py"
grep -r "readFile(.*req\." src/ --include="*.js"

Insecure Deserialization:

# Python pickle
grep -r "pickle.loads" src/ --include="*.py"
grep -r "cPickle.loads" src/ --include="*.py"

# YAML load (unsafe)
grep -r "yaml.load(" src/ --include="*.py"

# Node.js eval
grep -r "eval(" src/ --include="*.js"

Cross-Site Scripting (XSS):

# HTML rendering without escaping
grep -r "\.innerHTML" src/ --include="*.js" --include="*.jsx"
grep -r "dangerouslySetInnerHTML" src/ --include="*.jsx" --include="*.tsx"

# Python templates without autoescape
grep -r "autoescape=False" src/ --include="*.py"

Weak Cryptography:

# MD5, SHA1 usage
grep -r "hashlib.md5" src/ --include="*.py"
grep -r "hashlib.sha1" src/ --include="*.py"
grep -r "crypto.createHash('md5')" src/ --include="*.js"

# Weak random
grep -r "random.random(" src/ --include="*.py"
grep -r "Math.random(" src/ --include="*.js"

Deliverable: List of insecure code patterns with file locations and severity

4. Authentication & Authorization Issues

Missing Authentication:

# Python Flask routes without auth decorators
grep -r "@app.route" src/ --include="*.py" -A 1 | grep -v "@login_required" | grep -v "@auth_required"

# Express routes without middleware
grep -r "app.get\|app.post" src/ --include="*.js" -A 1

Hardcoded Credentials:

# Default passwords
grep -r "password.*=.*['\"]admin['\"]" src/
grep -r "password.*=.*['\"]password['\"]" src/
grep -r "password.*=.*['\"]123456['\"]" src/

# Default tokens
grep -r "token.*=.*['\"]test['\"]" src/

Session Management:

# Insecure session configuration
grep -r "SESSION_COOKIE_SECURE.*False" src/ --include="*.py"
grep -r "SESSION_COOKIE_HTTPONLY.*False" src/ --include="*.py"
grep -r "SESSION_COOKIE_SAMESITE.*None" src/ --include="*.py"

Deliverable: Authentication and authorization gaps with recommendations

5. Static Analysis with Automated Tools

Python - Bandit:

# Run bandit for Python security issues
bandit -r src/ -f json -o bandit-report.json

# With specific tests
bandit -r src/ -f json --severity-level medium

# Show only high severity
bandit -r src/ -ll

Multi-language - Semgrep:

# Auto-detect and scan
semgrep --config=auto . --json > semgrep-report.json

# OWASP Top 10 rules
semgrep --config=p/owasp-top-ten . --json

# Security audit
semgrep --config=p/security-audit . --json

# Python-specific
semgrep --config=p/python . --json

JavaScript - ESLint Security:

# With security plugin
eslint src/ --format json > eslint-report.json

# With security-specific rules
eslint src/ --plugin security --format json

Deliverable: Automated tool reports with findings categorized by severity

6. Configuration Security

Environment Files:

# Check for committed .env files
find . -name ".env" -o -name ".env.*" | grep -v ".env.example"

# Check .gitignore
grep -q "\.env" .gitignore || echo "WARNING: .env not in .gitignore"

Security Headers:

# Check for security header configuration
grep -r "X-Frame-Options" src/ config/
grep -r "Content-Security-Policy" src/ config/
grep -r "X-Content-Type-Options" src/ config/
grep -r "Strict-Transport-Security" src/ config/

CORS Configuration:

# Overly permissive CORS
grep -r "Access-Control-Allow-Origin.*\*" src/ config/
grep -r "cors().*origin:.*\*" src/ --include="*.js"

Deliverable: Configuration security issues and recommendations

Scanning Output Format

Create a security scan report:

# Security Scan Report

**Date**: [YYYY-MM-DD]
**Scan Scope**: [path/to/code]
**Scanner Version**: [tool versions]

## Summary

- **Critical Issues**: [count]
- **High Issues**: [count]
- **Medium Issues**: [count]
- **Low Issues**: [count]
- **Informational**: [count]

## Critical Issues

### [Issue Title]

**File**: [path/to/file:line]
**Category**: [Secret/Injection/etc.]
**Severity**: Critical

**Description**: [What was found]

**Evidence**:

[code snippet]


**Recommendation**: [How to fix]

---

## High Issues

[Similar format]

## Medium Issues

[Similar format]

## Low Issues

[Similar format]

## Tool Reports

### Dependency Scan (pip-audit)
- Vulnerable packages: [count]
- CVEs found: [list]

### Secret Detection (gitleaks)
- Secrets found: [count]
- Types: [API keys, passwords, etc.]

### Static Analysis (bandit)
- Issues found: [count]
- Most common: [issue type]

## Recommendations

### Immediate Actions (Critical/High)
1. [Action 1]
2. [Action 2]

### Short-term (Medium)
1. [Action 1]

### Long-term (Low)
1. [Action 1]

## False Positives

[List any false positives to ignore in future scans]

Best Practices

Secret Scanning:

  • Always scan before committing code
  • Check git history for past secrets
  • Use pre-commit hooks for automated scanning
  • Never commit .env files
  • Use secret management tools (Vault, AWS Secrets Manager)

Dependency Scanning:

  • Scan before adding new dependencies
  • Keep dependencies updated
  • Monitor for new vulnerabilities
  • Use lock files (requirements.txt, package-lock.json)
  • Consider dependency pinning

Code Pattern Detection:

  • Focus on user input handling
  • Check all database queries
  • Review file operations
  • Validate all external inputs
  • Sanitize all outputs

Automated Tools:

  • Run multiple tools for better coverage
  • Configure tools with project-specific rules
  • Integrate into CI/CD pipeline
  • Review and triage findings
  • Track false positives

Supporting Scripts

Quick Scan Script (scripts/quick-security-scan.sh):

#!/bin/bash
# Quick security scan

echo "Running security scans..."

# Secret detection
echo "1. Scanning for secrets..."
gitleaks detect --no-git || echo "Gitleaks not available"

# Dependency check
echo "2. Checking dependencies..."
if [ -f requirements.txt ]; then
    pip-audit || echo "pip-audit not available"
fi

# Static analysis
echo "3. Running static analysis..."
if [ -d src ]; then
    bandit -r src/ -ll || echo "Bandit not available"
fi

echo "Scan complete!"

Integration with Security Assessment

Input: Codebase to scan Process: Automated scanning with multiple tools Output: Security scan report with findings Next Step: Vulnerability assessment for detailed analysis

Tools Installation

Python Security Tools:

pip install pip-audit safety bandit

Secret Scanners:

# Gitleaks (via binary release)
# See: https://github.com/gitleaks/gitleaks/releases

# Trufflehog
pip install truffleHog

Multi-language:

# Semgrep
pip install semgrep

# Trivy (via binary release)
# See: https://github.com/aquasecurity/trivy/releases

Scan Frequency

  • Pre-commit: Secret detection
  • Daily: Dependency scanning
  • Weekly: Full static analysis
  • Before PR: Complete security scan
  • Before release: Comprehensive assessment

Remember

  • Automate everything: Use tools, don't scan manually
  • Multiple tools: Each catches different issues
  • Triage findings: Not all findings are exploitable
  • Fix high severity first: Prioritize by risk
  • Track over time: Monitor security trends
  • Update tools: Keep scanners current
  • Document exceptions: Log false positives

Your goal is to identify security issues early and comprehensively through automated scanning.

Repository

matteocervelli
matteocervelli
Author
matteocervelli/llms/.claude/skills/security-scanner
10
Stars
0
Forks
Updated5d ago
Added1w ago

Actions

View on GitHubDownload ZIPReport Issue

Related Skills

skill-writer
pytorch/pytorch
95.4k
docstring
pytorch/pytorch
95.4k
at-dispatch-v2
pytorch/pytorch
95.4k
skill-creator
openai/codex
54.7k
skill-installer
openai/codex
54.7k