>_
Marketplace

vuln-patterns-core

Universal vulnerability detection patterns applicable across all programming languages. Includes hardcoded secrets, SQL/command injection, path traversal, and configuration file patterns.

$ 설치

git clone https://github.com/Zate/cc-plugins /tmp/cc-plugins && cp -r /tmp/cc-plugins/plugins/security/skills/vuln-patterns-core ~/.claude/skills/cc-plugins

// tip: Run this command in your terminal to install the skill

SKILL.md
View on GitHub →

name: vuln-patterns-core description: Universal vulnerability detection patterns applicable across all programming languages. Includes hardcoded secrets, SQL/command injection, path traversal, and configuration file patterns.

Vulnerability Patterns: Core

Universal security patterns applicable to all programming languages.

When to Use This Skill

  • Live security hooks - Real-time validation of code changes
  • Cross-language scanning - Patterns that work on any codebase
  • Configuration audits - Scanning env files, Docker, YAML configs

When NOT to Use This Skill

  • Language-specific patterns - Use vuln-patterns-languages skill
  • Full security audits - Use domain auditor agents
  • Remediation guidance - Use remediation-* skills

Hardcoded Secrets

Detection Pattern:

# API Keys
(?i)(api[_-]?key|apikey)\s*[:=]\s*['"][a-zA-Z0-9]{16,}['"]

# AWS Keys
(?:AKIA|ABIA|ACCA|ASIA)[A-Z0-9]{16}

# Private Keys
-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----

# Generic Secrets
(?i)(password|secret|token|credential)s?\s*[:=]\s*['"][^'"]{8,}['"]

# JWT Secrets
(?i)(jwt[_-]?secret|signing[_-]?key)\s*[:=]\s*['"][^'"]+['"]

Grep Commands:

# API keys
grep -rn --include="*.{js,ts,py,java,go,rb}" -E "(api[_-]?key|apikey)\s*[:=]\s*['\"][a-zA-Z0-9]{16,}['\"]" .

# AWS keys
grep -rn -E "AKIA[A-Z0-9]{16}" .

# Private keys
grep -rn "BEGIN.*PRIVATE KEY" .

# Password assignments
grep -rn --include="*.{js,ts,py,java,go,rb}" -E "(password|secret)\s*[:=]\s*['\"][^'\"]{8,}['\"]" .

Severity: High ASVS: V13.3.1 - Secrets not in version control CWE: CWE-798 (Hardcoded Credentials)

SQL Injection

Detection Pattern:

# String concatenation in queries
(?i)(SELECT|INSERT|UPDATE|DELETE|FROM|WHERE).*\+\s*[a-zA-Z_]+

# f-string/template queries
(?i)f['"](SELECT|INSERT|UPDATE|DELETE).*\{

# Format string queries
(?i)(SELECT|INSERT|UPDATE|DELETE).*%\s*\(

# String interpolation
(?i)(SELECT|INSERT|UPDATE|DELETE).*\$\{

Grep Commands:

# Python f-string SQL
grep -rn --include="*.py" -E "f['\"]SELECT.*\{|f['\"]INSERT.*\{|f['\"]UPDATE.*\{|f['\"]DELETE.*\{" .

# JavaScript template SQL
grep -rn --include="*.{js,ts}" -E "\`SELECT.*\$\{|\`INSERT.*\$\{|\`UPDATE.*\$\{|\`DELETE.*\$\{" .

# String concatenation SQL (all languages)
grep -rn -E "(SELECT|INSERT|UPDATE|DELETE).*\+.*\+" .

Severity: Critical ASVS: V1.2.1 - Parameterized queries CWE: CWE-89 (SQL Injection)

Command Injection

Detection Pattern:

# Shell execution with variables
(?i)(os\.system|subprocess\.call|exec|shell_exec|system)\s*\([^)]*\+
(?i)(os\.system|subprocess\.call|exec|shell_exec|system)\s*\([^)]*\$\{
(?i)(os\.system|subprocess\.call|exec|shell_exec|system)\s*\([^)]*f['"]

# Dangerous shell=True
subprocess\.[a-z]+\([^)]*shell\s*=\s*True

Grep Commands:

# Python os.system
grep -rn --include="*.py" -E "os\.system\s*\(.*\+" .

# Python subprocess shell=True
grep -rn --include="*.py" "shell\s*=\s*True" .

# Node.js exec
grep -rn --include="*.{js,ts}" -E "exec\s*\(.*\+" .

# PHP system calls
grep -rn --include="*.php" -E "(system|exec|shell_exec|passthru)\s*\(" .

Severity: Critical ASVS: V1.2.3 - OS command injection prevention CWE: CWE-78 (OS Command Injection)

Path Traversal

Detection Pattern:

# Direct path concatenation
(?i)(open|read|write|file|path)\s*\([^)]*\+.*\)
(?i)(open|read|write|file|path)\s*\([^)]*\$\{.*\)

# No path validation
os\.path\.join\s*\([^)]*,[^)]*\)(?!.*resolve|.*is_relative)

Grep Commands:

# Python file operations with variables
grep -rn --include="*.py" -E "open\s*\(.*\+" .

# Node.js file operations
grep -rn --include="*.{js,ts}" -E "(readFile|writeFile|createReadStream)\s*\(.*\+" .

# Check for missing path validation
grep -rn --include="*.py" "os\.path\.join" . | grep -v "resolve\|is_relative"

Severity: High ASVS: V5.4.1 - Path traversal prevention CWE: CWE-22 (Path Traversal)

Configuration File Patterns

.env Files

Detection Pattern:

# Sensitive keys in .env
(?i)(password|secret|token|api[_-]?key|private[_-]?key)\s*=\s*[^\s]+

Grep Commands:

grep -rn -E "(?i)(password|secret|token|api.?key)=" .env* 2>/dev/null

Severity: High ASVS: V13.3.1 - Secrets management CWE: CWE-798 (Hardcoded Credentials)

Docker/Container

Detection Pattern:

# Privileged mode
--privileged
privileged:\s*true

# Running as root
USER\s+root

# Exposed secrets
ENV\s+(PASSWORD|SECRET|API_KEY|TOKEN)\s*=

Grep Commands:

grep -rn "privileged" Dockerfile docker-compose.yml 2>/dev/null
grep -rn "USER root" Dockerfile 2>/dev/null
grep -rn -E "ENV.*(PASSWORD|SECRET|API_KEY)" Dockerfile 2>/dev/null

Severity: High ASVS: V13.2.1 - Secure configuration CWE: CWE-250 (Excessive Privilege)

Quick Scan Script

Use this script for rapid vulnerability detection:

#!/bin/bash
# quick-security-scan.sh

echo "=== Quick Security Scan ==="

echo -e "\n[1] Hardcoded Secrets"
grep -rn --include="*.{js,ts,py,java,go,rb,php}" -E "(api[_-]?key|password|secret)\s*[:=]\s*['\"][^'\"]{8,}['\"]" . 2>/dev/null | head -20

echo -e "\n[2] SQL Injection Patterns"
grep -rn --include="*.{js,ts,py,java,go,rb,php}" -E "(SELECT|INSERT|UPDATE|DELETE).*\+" . 2>/dev/null | head -20

echo -e "\n[3] Command Injection"
grep -rn --include="*.py" "shell\s*=\s*True" . 2>/dev/null
grep -rn --include="*.{js,ts}" -E "exec\s*\(|spawn\s*\(" . 2>/dev/null | head -10

echo -e "\n[4] Unsafe Deserialization"
grep -rn --include="*.py" "pickle\.load\|yaml\.load" . 2>/dev/null
grep -rn --include="*.java" "ObjectInputStream\|readObject" . 2>/dev/null

echo -e "\n[5] Weak Cryptography"
grep -rn --include="*.{py,java,go}" -E "md5|sha1|DES|RC4" . 2>/dev/null | head -10

echo -e "\n[6] Debug/Dev Settings"
grep -rn --include="*.py" "DEBUG\s*=\s*True" . 2>/dev/null
grep -rn "NODE_ENV.*development" . 2>/dev/null

echo -e "\n=== Scan Complete ==="

Integration with Live Hooks

When using these patterns in PreToolUse hooks:

  1. Parse the file content from the tool input
  2. Apply relevant patterns based on file extension
  3. Return blocking result for Critical/High severity matches
  4. Return warning for Medium severity matches

Pattern Matching Priority

SeverityActionResponse Time
CriticalBlockImmediate
HighBlock/WarnImmediate
MediumWarnDeferred
LowLogAsync

False Positive Mitigation

  1. Context awareness: Check surrounding code for sanitization
  2. Allowlists: Skip known-safe patterns (e.g., test files)
  3. Confidence scoring: Multiple indicators increase confidence
  4. User overrides: Allow explicit bypass with comments

See Also

  • vuln-patterns-languages - Language-specific patterns
  • remediation-injection - SQL/command injection fixes
  • remediation-auth - Secrets management fixes

Repository

Zate
Zate
Author
Zate/cc-plugins/plugins/security/skills/vuln-patterns-core
1
Stars
0
Forks
Updated10h ago
Added1w ago

Actions

View on GitHubDownload ZIPReport Issue

Related Skills

skill-writer
pytorch/pytorch
95.4k
docstring
pytorch/pytorch
95.4k
at-dispatch-v2
pytorch/pytorch
95.4k
skill-creator
openai/codex
54.7k
skill-installer
openai/codex
54.7k