vulnerability-scanner

Vulnerability scanning principles. DAST, SAST, SCA selection and integration.

$ Instalar

git clone https://github.com/xenitV1/claude-code-maestro /tmp/claude-code-maestro && cp -r /tmp/claude-code-maestro/skills/vulnerability-scanner ~/.claude/skills/claude-code-maestro

// tip: Run this command in your terminal to install the skill

SKILL.md

View on GitHub →

name: vulnerability-scanner description: Vulnerability scanning principles. DAST, SAST, SCA selection and integration.

Vulnerability Scanner

Scanning tool selection and integration principles.

1. Scanner Type Selection

Decision Tree

What are you scanning?
│
├── Running application
│   └── DAST (Dynamic)
│
├── Source code
│   └── SAST (Static)
│
├── Dependencies
│   └── SCA (Composition)
│
├── Container images
│   └── Container scanners
│
└── Infrastructure
    └── Network scanners

Comparison

Type	Scans	Finds	Stage
DAST	Running app	Runtime issues	Pre-prod
SAST	Source code	Code patterns	Development
SCA	Dependencies	Known CVEs	Build
Network	Infrastructure	Misconfigs	Any time

2. Tool Selection Principles

DAST Tools

Scenario	Tool Type
Web apps	Web vulnerability scanners
APIs	API-aware scanners
Authenticated	Session-aware scanners

SAST Tools

Scenario	Tool Type
Multi-language	Universal scanners
Single language	Language-specific
Custom rules	Rule-based scanners

SCA Tools

Scenario	Tool Type
npm/yarn	Package auditors
Containers	Image scanners
Full SBOM	Comprehensive SCA

3. CI/CD Integration Principles

Pipeline Stages

Stage	Scan Type
Commit	SAST (fast)
Build	SCA
Deploy to staging	DAST
Pre-production	Full scan

Gate Criteria

Severity	Action
Critical	Block deployment
High	Review required
Medium	Log and track
Low	Informational

4. False Positive Management

Triage Workflow

Auto-filter known false positives
Context check - is code reachable?
Manual verify - is it exploitable?
Document - mark with reason

Baseline Approach

Create baseline of known issues
Only alert on new findings
Review baseline periodically

5. Vulnerability Prioritization

CVSS + Context

Factor	Consideration
CVSS score	Base severity
Exploitability	EPSS score
Asset criticality	Business impact
Exposure	Internet-facing?

Priority Formula

Priority = CVSS × Exploitability × Asset_Value

6. Reporting Principles

Report Components

Component	Content
Summary	Counts by severity
Findings	Details per vulnerability
Trends	Change over time
Remediation	Fix recommendations

Metrics to Track

Vulnerabilities by severity
Mean time to remediate
False positive rate
Coverage percentage

7. Anti-Patterns

❌ Don't	✅ Do
Scan only in CI	Scan in multiple stages
Alert on everything	Prioritize by risk
Ignore false positives	Maintain baseline
Scan without context	Consider asset value

Remember: Scanning finds issues. Prioritization makes them actionable.

vulnerability-scanner

$ Instalar

name: vulnerability-scanner description: Vulnerability scanning principles. DAST, SAST, SCA selection and integration.

Vulnerability Scanner

1. Scanner Type Selection

Decision Tree

Comparison

2. Tool Selection Principles

DAST Tools

SAST Tools

SCA Tools

3. CI/CD Integration Principles

Pipeline Stages

Gate Criteria

4. False Positive Management

Triage Workflow

Baseline Approach

5. Vulnerability Prioritization

CVSS + Context

Priority Formula

6. Reporting Principles

Report Components

Metrics to Track

7. Anti-Patterns

Repository

Actions

Related Skills