playbooks

home / skills / dasien / claudemultiagenttemplate / vulnerability-scanning

vulnerability-scanning skill

/templates/.claude/skills/vulnerability-scanning

This skill automates vulnerability scanning across dependencies and code, triages findings, and prioritizes remediation to reduce risk before deployment.

npx playbooks add skill dasien/claudemultiagenttemplate --skill vulnerability-scanning

Review the files below or copy the command above to add this skill to your agents.

Files (1)
SKILL.md
6.3 KB
---
name: "Vulnerability Scanning"
description: "Scan dependencies and code for known vulnerabilities using automated tools, triage security issues, and prioritize remediation"
category: "security"
required_tools: ["Bash", "Read", "Grep", "WebSearch"]
---

# Vulnerability Scanning

## Purpose
Automate the detection of known vulnerabilities in dependencies and code using security scanning tools, triage findings, and prioritize remediation based on risk and exploitability.

## When to Use
- Before deploying to production
- During CI/CD pipeline execution
- Regular security audits (weekly/monthly)
- After updating dependencies
- Investigating security alerts

## Key Capabilities

1. **Dependency Scanning** - Identify vulnerable packages and libraries
2. **SAST/DAST Execution** - Run static and dynamic analysis tools
3. **Issue Triage** - Categorize and prioritize security findings

## Approach

1. **Select Appropriate Tools**
   - **Dependency scanners**: npm audit, pip-audit, Snyk, OWASP Dependency-Check
   - **SAST (Static)**: Bandit (Python), ESLint security, Semgrep, SonarQube
   - **DAST (Dynamic)**: OWASP ZAP, Burp Suite
   - **Secret detection**: GitGuardian, TruffleHog

2. **Run Scans**
   - Execute during CI/CD pipeline
   - Scan both application code and dependencies
   - Include container image scanning if applicable
   - Check for exposed secrets

3. **Parse and Triage Results**
   - Critical: Remote code execution, authentication bypass
   - High: SQL injection, XSS, sensitive data exposure
   - Medium: Information disclosure, denial of service
   - Low: Security misconfigurations, minor issues

4. **Assess Exploitability**
   - Is vulnerable code actually used in the application?
   - Is the attack vector applicable to your architecture?
   - Are there compensating controls?
   - What's the CVSS score?

5. **Prioritize Remediation**
   - Fix critical vulnerabilities immediately
   - Plan high-priority fixes in current sprint
   - Schedule medium-priority fixes in backlog
   - Accept or document low-priority findings

## Example

**Context**: Scanning a Node.js application

**Dependency Scan**:
```bash
# Run npm audit
npm audit --json > audit-results.json

# Run Snyk scan
snyk test --json > snyk-results.json
```

**Sample Results**:
```json
{
  "vulnerabilities": {
    "express": {
      "severity": "high",
      "via": ["qs"],
      "cve": "CVE-2022-24999",
      "description": "express accepts malformed URLs, leading to DoS",
      "fixAvailable": {
        "version": "4.18.2"
      }
    },
    "jsonwebtoken": {
      "severity": "critical",
      "cve": "CVE-2022-23529",
      "description": "JWT signature verification bypass",
      "fixAvailable": {
        "version": "9.0.0"
      }
    },
    "lodash": {
      "severity": "medium",
      "cve": "CVE-2021-23337",
      "description": "Prototype pollution",
      "fixAvailable": {
        "version": "4.17.21"
      }
    }
  }
}
```

**SAST Scan (Semgrep)**:
```bash
# Run Semgrep with security rules
semgrep --config=auto --json src/ > semgrep-results.json
```

**Sample SAST Findings**:
```
Finding 1: SQL Injection Risk
File: src/api/users.js:45
Code: db.query(`SELECT * FROM users WHERE id=${userId}`)
Severity: Critical
CWE: CWE-89

Finding 2: Hardcoded Secret
File: src/config/database.js:12
Code: const password = "P@ssw0rd123";
Severity: Critical
CWE: CWE-798

Finding 3: Missing Input Validation
File: src/api/uploads.js:28
Code: fs.writeFileSync(req.body.filename, data)
Severity: High
CWE: CWE-22 (Path Traversal)
```

**Triage Analysis**:

| Finding | Severity | Exploitable? | Priority | Action |
|---------|----------|--------------|----------|--------|
| JWT bypass (CVE-2022-23529) | Critical | Yes | **P0** | Update to 9.0.0 immediately |
| Hardcoded password | Critical | Yes | **P0** | Move to env var, rotate credentials |
| SQL injection in users.js | Critical | Yes | **P0** | Use parameterized queries |
| Path traversal in uploads | High | Yes | **P1** | Validate and sanitize filenames |
| Express DoS (CVE-2022-24999) | High | Partial | **P2** | Update to 4.18.2, have rate limiting |
| Lodash prototype pollution | Medium | No | **P3** | Not exploitable in our usage, update when convenient |

**Remediation Report**:
```markdown
# Security Scan Report - 2025-01-10

## Critical Issues (Fix Immediately)
1. **JWT Signature Bypass (CVE-2022-23529)**
   - Package: [email protected]
   - Fix: Upgrade to 9.0.0
   - Command: `npm install [email protected]`
   - Status: ⏳ In Progress

2. **Hardcoded Database Password**
   - File: src/config/database.js:12
   - Fix: Move to environment variable
   - Action: Create .env.example, update code
   - Status: ⏳ In Progress

3. **SQL Injection - User Lookup**
   - File: src/api/users.js:45
   - Fix: Use parameterized queries
   - Action: Replace string concatenation with prepared statement
   - Status: ⏳ In Progress

## High Priority (Fix This Sprint)
4. **Path Traversal - File Upload**
   - File: src/api/uploads.js:28
   - Fix: Validate filename, use path.basename()
   - Status: 📋 Planned

5. **Express DoS Vulnerability**
   - Package: [email protected]
   - Fix: Update to 4.18.2
   - Status: 📋 Planned

## Medium Priority (Backlog)
6. **Lodash Prototype Pollution**
   - Package: [email protected]
   - Fix: Update to 4.17.21
   - Risk: Low (not exploitable in our usage)
   - Status: 📝 Documented

## Summary
- Total findings: 6
- Critical: 3 (all actionable)
- High: 2 (all actionable)
- Medium: 1 (accepted risk)
```

**Expected Result**: 
- All vulnerabilities identified and categorized
- Exploitability assessed for each finding
- Clear remediation plan with priorities
- Tracking status for each issue

## Best Practices

- ✅ Run scans in CI/CD pipeline on every commit
- ✅ Fail builds for critical vulnerabilities
- ✅ Scan both dependencies and application code
- ✅ Keep scanner tools updated
- ✅ Assess false positives (not all findings are exploitable)
- ✅ Document accepted risks with justification
- ✅ Track remediation progress
- ✅ Set up alerts for new CVEs in your dependencies
- ✅ Scan container images if using Docker
- ✅ Include license compliance checks
- ❌ Avoid: Ignoring low-severity findings (they can become critical)
- ❌ Avoid: Scanning only on release (scan continuously)
- ❌ Avoid: Updating dependencies blindly without testing
- ❌ Avoid: Dismissing findings without investigation

Overview

This skill automates detection of known vulnerabilities in code, dependencies, and container images, then triages findings and prioritizes remediation. It integrates dependency scanners, SAST/DAST tools, and secret detection to produce actionable reports. The goal is to reduce risk by identifying exploitable issues and creating a clear remediation plan with priorities and status tracking.

How this skill works

The skill runs a combination of dependency scanners (npm audit, pip-audit, Snyk, OWASP Dependency-Check), SAST tools (Semgrep, Bandit, SonarQube) and optional DAST tools (OWASP ZAP) during CI/CD or scheduled scans. Results are parsed, de-duplicated, and classified by severity and exploitability. Findings are triaged into priorities (P0/P1/P2/P3) with recommended fixes, target versions, and tracking metadata for remediation.

When to use it

  • Before deploying to production or releasing a build
  • As part of CI/CD pipeline for every commit or PR
  • During periodic security audits (weekly or monthly)
  • After updating or adding dependencies
  • When investigating external security alerts or CVEs

Best practices

  • Fail builds on critical findings and block merges until resolved or mitigated
  • Scan both application code and dependencies, plus container images if used
  • Assess exploitability — confirm whether vulnerable code is reachable in your environment
  • Keep scanning tools and rule sets updated to detect recent CVEs
  • Document accepted risks and compensating controls with justification

Example use cases

  • Run npm audit and Snyk in CI for a Node.js project and automatically open tickets for P0 findings
  • Use Semgrep to detect hardcoded secrets and trigger rotation workflow for exposed credentials
  • Schedule weekly dependency scans for a Python microservice and triage results into the backlog
  • Scan container images for CVEs before deployment and block images with high/critical vulnerabilities
  • Combine SAST and DAST for a web app to catch both code-level and runtime security issues

FAQ

How do you decide what to fix first?

Prioritize by exploitability and impact: fix critical, exploitable issues immediately; plan high severity in the current sprint; schedule medium/low in the backlog after assessing risk.

How do you reduce false positives?

Validate findings by confirming reachable code paths, reviewing proof-of-concept details, and cross-checking multiple scanners; mark and document false positives to tune rules.