home / skills / jwynia / agent-skills / security-scan
This skill performs comprehensive security scanning of a TypeScript codebase, detecting OWASP risks, secrets, and misconfigurations to harden your application.
npx playbooks add skill jwynia/agent-skills --skill security-scanReview the files below or copy the command above to add this skill to your agents.
---
name: security-scan
description: Scan code for security vulnerabilities including OWASP Top 10, secrets, and misconfigurations. Use when you need comprehensive security analysis of a codebase.
license: MIT
metadata:
author: jwynia
version: "1.0"
type: utility
mode: evaluative
domain: development
---
# Security Scan
Comprehensive security vulnerability detection for codebases.
## Quick Start
```
/security-scan # Full scan of current directory
/security-scan --scope src/ # Scan specific directory
/security-scan --quick # Fast scan (critical issues only)
/security-scan --focus injection # Focus on specific category
```
## What This Skill Does
Analyzes code for security vulnerabilities across multiple categories:
1. **OWASP Top 10** - Industry-standard web vulnerability categories
2. **Secrets Detection** - Hardcoded credentials, API keys, tokens
3. **Injection Flaws** - SQL, XSS, command injection patterns
4. **Cryptographic Issues** - Weak algorithms, insecure implementations
5. **Configuration Problems** - Insecure defaults, misconfigurations
## Scan Modes
### Full Scan (Default)
Comprehensive analysis of all security categories.
```
/security-scan
```
**Checks performed:**
- All OWASP Top 10 categories
- Secrets and credential detection
- Dependency vulnerabilities (if package files exist)
- Configuration file review
**Duration:** 2-5 minutes depending on codebase size
### Quick Scan
Fast check for critical and high-severity issues only.
```
/security-scan --quick
```
**Checks performed:**
- Critical injection patterns
- Exposed secrets
- Known dangerous functions
**Duration:** Under 1 minute
### Focused Scan
Target specific vulnerability category.
```
/security-scan --focus <category>
```
**Categories:**
- `injection` - SQL, XSS, command injection
- `secrets` - Credentials, API keys, tokens
- `crypto` - Cryptographic weaknesses
- `auth` - Authentication/authorization issues
- `config` - Configuration security
## Output Format
### Severity Levels
| Level | Icon | Meaning | Action Required |
|-------|------|---------|-----------------|
| CRITICAL | `[!]` | Exploitable vulnerability | Immediate fix |
| HIGH | `[H]` | Serious security risk | Fix before deploy |
| MEDIUM | `[M]` | Potential vulnerability | Plan to address |
| LOW | `[L]` | Minor issue or hardening | Consider fixing |
| INFO | `[i]` | Informational finding | Awareness only |
### Finding Format
```
[SEVERITY] CATEGORY: Brief description
File: path/to/file.ext:line
Pattern: What was detected
Risk: Why this is dangerous
Fix: How to remediate
```
### Summary Report
```
SECURITY SCAN RESULTS
=====================
Scope: src/
Files scanned: 127
Duration: 45 seconds
FINDINGS BY SEVERITY
Critical: 2
High: 5
Medium: 12
Low: 8
TOP ISSUES
1. [!] SQL Injection in src/api/users.ts:45
2. [!] Hardcoded AWS key in src/config.ts:12
3. [H] XSS vulnerability in src/components/Comment.tsx:89
...
Run `/security-scan --details` for full report.
```
## OWASP Top 10 Coverage
| # | Category | Detection Approach |
|---|----------|-------------------|
| A01 | Broken Access Control | Authorization pattern analysis |
| A02 | Cryptographic Failures | Weak crypto detection |
| A03 | Injection | Pattern matching + data flow |
| A04 | Insecure Design | Security control gaps |
| A05 | Security Misconfiguration | Config file analysis |
| A06 | Vulnerable Components | Dependency scanning |
| A07 | Auth Failures | Auth pattern review |
| A08 | Data Integrity Failures | Deserialization checks |
| A09 | Logging Failures | Audit log analysis |
| A10 | SSRF | Request pattern detection |
See `references/owasp/` for detailed detection rules per category.
## Detection Patterns
### Injection Detection
**SQL Injection:**
```
- String concatenation in queries
- Unsanitized user input in database calls
- Dynamic query construction
```
**Cross-Site Scripting (XSS):**
```
- innerHTML assignments with user data
- document.write() with dynamic content
- Unescaped template interpolation
```
**Command Injection:**
```
- exec(), system(), popen() with user input
- Shell command string construction
- Unsanitized subprocess arguments
```
See `references/patterns/` for language-specific patterns.
### Secrets Detection
**High-Confidence Patterns:**
```
AWS Access Key: AKIA[0-9A-Z]{16}
AWS Secret Key: [A-Za-z0-9/+=]{40}
GitHub Token: gh[pousr]_[A-Za-z0-9]{36,}
Stripe Key: sk_live_[A-Za-z0-9]{24,}
Private Key: -----BEGIN (RSA |EC )?PRIVATE KEY-----
```
**Medium-Confidence Patterns:**
```
Generic API Key: api[_-]?key.*[=:]\s*['"][a-zA-Z0-9]{16,}
Password in Code: password\s*[=:]\s*['"][^'"]+['"]
Connection String: (mysql|postgres|mongodb)://[^:]+:[^@]+@
```
### Cryptographic Weaknesses
**Weak Algorithms:**
```
- MD5 for password hashing
- SHA1 for security purposes
- DES/3DES encryption
- RC4 stream cipher
```
**Implementation Issues:**
```
- Hardcoded encryption keys
- Weak random number generation
- Missing salt in password hashing
- ECB mode encryption
```
## Integration with Other Skills
### With `/secrets-scan`
Focused deep-dive on credential detection:
```
/secrets-scan # Dedicated secrets analysis
/secrets-scan --entropy # High-entropy string detection
```
### With `/dependency-scan`
Package vulnerability analysis:
```
/dependency-scan # Check all dependencies
/dependency-scan --fix # Auto-fix where possible
```
### With `/config-scan`
Infrastructure and configuration review:
```
/config-scan # All config files
/config-scan --docker # Container security
/config-scan --iac # Infrastructure as Code
```
## Scan Execution Protocol
### Phase 1: Discovery
```
1. Identify project type (languages, frameworks)
2. Locate relevant files (source, config, dependencies)
3. Determine applicable security rules
```
### Phase 2: Static Analysis
```
1. Pattern matching for known vulnerabilities
2. Data flow analysis for injection paths
3. Configuration review
```
### Phase 3: Secrets Scanning
```
1. High-confidence pattern matching
2. Entropy analysis for potential secrets
3. Git history check (optional)
```
### Phase 4: Dependency Analysis
```
1. Parse package manifests
2. Check against vulnerability databases
3. Identify outdated packages
```
### Phase 5: Reporting
```
1. Deduplicate findings
2. Assign severity scores
3. Generate actionable report
4. Provide remediation guidance
```
## Configuration
### Project-Level Config
Create `.security-scan.yaml` in project root:
```yaml
# Scan configuration
scan:
exclude:
- "node_modules/**"
- "vendor/**"
- "**/*.test.ts"
- "**/__mocks__/**"
# Severity thresholds
thresholds:
fail_on: critical # critical, high, medium, low
warn_on: medium
# Category toggles
categories:
injection: true
secrets: true
crypto: true
auth: true
config: true
dependencies: true
# Custom patterns
patterns:
secrets:
- name: "Internal API Key"
pattern: "INTERNAL_[A-Z]{3}_KEY_[a-zA-Z0-9]{32}"
severity: high
```
### Ignore Patterns
Create `.security-scan-ignore` for false positives:
```
# Ignore specific files
src/test/fixtures/mock-credentials.ts
# Ignore specific lines (use inline comment)
# security-scan-ignore: test fixture
const mockApiKey = "sk_test_fake123";
```
## Command Reference
| Command | Description |
|---------|-------------|
| `/security-scan` | Full security scan |
| `/security-scan --quick` | Critical issues only |
| `/security-scan --scope <path>` | Scan specific path |
| `/security-scan --focus <cat>` | Single category |
| `/security-scan --details` | Verbose output |
| `/security-scan --json` | JSON output |
| `/security-scan --fix` | Auto-fix where possible |
## Related Skills
- `/secrets-scan` - Deep secrets detection
- `/dependency-scan` - Package vulnerability analysis
- `/config-scan` - Configuration security review
- `/review-code` - General code review (includes security)
## References
- `references/owasp/` - OWASP Top 10 detection details
- `references/patterns/` - Language-specific vulnerability patterns
- `references/remediation/` - Fix guidance by vulnerability type
- `assets/severity-matrix.md` - Severity scoring criteria
This skill scans codebases for security vulnerabilities, covering OWASP Top 10 categories, secrets, injection flaws, cryptographic weaknesses, and misconfigurations. It provides fast or full scans, focused category scans, and produces actionable findings with severity levels and remediation guidance. Use it to detect exploitable issues before deployment and to harden code during development.
The scanner performs project discovery, static analysis, secrets detection, dependency checks, and configuration review. It matches known insecure patterns, runs data-flow checks for injection paths, applies high-confidence secret regexes and entropy checks, and consults vulnerability databases for dependencies. Results are deduplicated, scored by severity, and emitted in a concise report with file locations, detection patterns, risk explanation, and suggested fixes.
What output formats are available?
The skill supports human-readable reports and machine-friendly JSON output via --json, and a --details option for verbose findings.
How long does a scan take?
Quick scans complete in under a minute for critical checks. Full scans typically take 2–5 minutes depending on codebase size and dependencies.