playbooks

home / skills / physics91 / claude-vibe / security-scanner

security-scanner skill

/skills/security-scanner

This skill detects OWASP-based vulnerabilities in web apps, highlighting XSS, secrets, and auth issues to prioritize remediation.

npx playbooks add skill physics91/claude-vibe --skill security-scanner

Review the files below or copy the command above to add this skill to your agents.

Files (1)
SKILL.md
4.4 KB
---
name: security-scanner
description: |
  WHEN: Security scan, vulnerability detection, XSS/CSRF analysis, secret exposure, OWASP Top 10
  WHAT: XSS/injection detection + hardcoded secrets + auth/authz issues + severity-based vulnerability list
  WHEN NOT: Performance → perf-analyzer, Cloud security → cloud-security-expert
---

# Security Scanner Skill

## Purpose
Detects web application security vulnerabilities based on OWASP Top 10: XSS, hardcoded secrets, authentication issues.

## When to Use
- Security scan requests
- XSS, CSRF, injection mentions
- Pre-production security review
- Auth/authz code review

## Workflow

### Step 1: Scan Scope
**AskUserQuestion:**
```
"Select scan scope"
Options:
- Frontend only
- Include API/backend
- Full project
- Specific file/folder
```

### Step 2: Vulnerability Categories
**AskUserQuestion:**
```
"Select vulnerability types"
Options:
- Full security scan (recommended)
- XSS (Cross-Site Scripting)
- Secrets/API key exposure
- Auth/authz issues
- Dependency vulnerabilities
multiSelect: true
```

## Security Rules

### OWASP Top 10
| Rank | Vulnerability | Check | Severity |
|------|---------------|-------|----------|
| A01 | Broken Access Control | Auth bypass | CRITICAL |
| A02 | Cryptographic Failures | Plaintext, weak crypto | CRITICAL |
| A03 | Injection | SQL, NoSQL, XSS | CRITICAL |
| A05 | Security Misconfiguration | CORS, headers | HIGH |
| A07 | Auth Failures | Weak passwords, sessions | CRITICAL |

### XSS Detection
```typescript
// CRITICAL: React dangerouslySetInnerHTML
<div dangerouslySetInnerHTML={{ __html: userInput }} />
// Fix: Use DOMPurify.sanitize(userInput)

// HIGH: innerHTML direct use
element.innerHTML = userInput
// Fix: Use textContent or sanitize

// CRITICAL: eval or Function constructor
eval(userCode)
new Function(userCode)()
// Fix: Never use
```

### Secret Exposure
```typescript
// CRITICAL: Hardcoded API key
const API_KEY = 'sk-1234567890abcdef'

// Patterns detected:
// - API keys: /[a-zA-Z0-9_-]{20,}/
// - AWS keys: /AKIA[0-9A-Z]{16}/
// - JWT: /eyJ[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+/

// Fix: Use environment variables
headers: { 'X-API-Key': process.env.NEXT_PUBLIC_API_KEY }
```

### Auth/Authz Issues
```typescript
// HIGH: Token in localStorage
localStorage.setItem('authToken', token)
// Fix: Use httpOnly cookies

// HIGH: Missing authorization check
async function deleteUser(userId) {
  await db.users.delete(userId) // No auth check
}
// Fix: Add authorization
if (!currentUser.isAdmin) throw new ForbiddenError()
```

### Unsafe Data Handling
```typescript
// HIGH: SQL Injection
const query = `SELECT * FROM users WHERE id = ${userId}`
// Fix: Parameterized query
const query = 'SELECT * FROM users WHERE id = $1'

// HIGH: Path traversal
const filePath = path.join(baseDir, userInput)
// Fix: Validate path
if (!safePath.startsWith(baseDir)) throw new Error()
```

### Next.js/React Security
```typescript
// HIGH: Server Action without validation
'use server'
async function updateProfile(formData) {
  const name = formData.get('name')
  await db.users.update({ name }) // No validation
}
// Fix: Use zod validation
const schema = z.object({ name: z.string().min(1).max(100) })
```

## Response Template
```
## Security Scan Results

**Project**: [name]
**Files Scanned**: X

### CRITICAL (Immediate action)

#### 1. [A03] XSS Vulnerability
**File**: `src/components/Comment.tsx:45`
**Code**:
\`\`\`tsx
<div dangerouslySetInnerHTML={{ __html: comment.body }} />
\`\`\`
**Risk**: User input rendered without sanitization
**Fix**:
\`\`\`tsx
import DOMPurify from 'dompurify'
<div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(comment.body) }} />
\`\`\`

### HIGH | MEDIUM | LOW
...

### Summary
| Severity | Count |
|----------|-------|
| CRITICAL | 2 |
| HIGH | 3 |
| MEDIUM | 5 |

### Actions
1. [ ] Install DOMPurify: `npm install dompurify`
2. [ ] Move API keys to .env
3. [ ] Use httpOnly cookies instead of localStorage
```

## Best Practices
1. **Least Privilege**: Grant only necessary permissions
2. **Defense in Depth**: Validate at multiple layers
3. **Input Validation**: Validate all user input
4. **Output Encoding**: Context-appropriate encoding
5. **Secret Management**: Use env vars or secret managers

## Integration
- `code-reviewer` skill
- `nextjs-reviewer` skill
- `/analyze-code` command

## Notes
- Static analysis may have false positives
- Runtime security testing needs separate tools
- Sensitive files (.env, credentials) excluded from scan

Overview

This skill performs automated security scans focused on web application risks, prioritizing OWASP Top 10 issues like XSS, injection, broken access control, and hardcoded secrets. It returns a severity-ranked list of findings with concrete reproduction snippets and recommended fixes. Use it to surface immediate code-level risks before deployment or during code review cycles.

How this skill works

The scanner analyzes selected scope (frontend, backend, full project, or specific paths) and runs pattern and AST checks for XSS, injection, secret literals, auth/authz gaps, unsafe data handling, and common framework pitfalls (React/Next.js). Results are grouped by severity (CRITICAL, HIGH, MEDIUM, LOW) and include file locations, vulnerable code excerpts, risk descriptions, and prescriptive fixes. It flags likely false positives and recommends follow-up runtime testing where needed.

When to use it

  • Pre-production security review or pull-request checks
  • When you suspect XSS, CSRF, injection, or auth issues
  • Finding hardcoded API keys, JWTs, or leaked secrets
  • Automating security checks in CI before merge
  • Codebase audits for OWASP Top 10 coverage

Best practices

  • Scan an explicit scope and include backend APIs for complete coverage
  • Prefer the full security scan option when possible; multi-select specific checks for focused runs
  • Treat CRITICAL findings as immediate remediation tasks and create tracked issues
  • Combine static findings with runtime tests to reduce false positives
  • Use environment variables or a secrets manager; avoid committing keys to code

Example use cases

  • CI job that runs a full security scan on pull requests and blocks merges on CRITICAL issues
  • Developer runs a focused XSS+secrets scan on frontend code before release
  • Security review of auth flows to detect missing authorization checks and insecure token storage
  • Audit a Next.js app for server-action validation, dangerouslySetInnerHTML, and unsafe innerHTML usage
  • Scan for hardcoded AWS keys, API tokens, and JWTs across the repository

FAQ

Will the scanner find every vulnerability?

No. Static analysis catches many patterns and likely issues but can produce false positives and will miss some runtime or environment-specific vulnerabilities. Complement with dynamic testing.

Can I limit the scan to a folder or file?

Yes. You can select frontend only, include backend, full project, or a specific file/folder to reduce noise and speed up scans.

How are severities determined?

Severity maps to OWASP guidance and common risk impact: CRITICAL for auth bypass, injection, or secret leakage; HIGH for unsafe data handling, misconfigurations, or token misuse; MEDIUM/LOW for lower-impact issues.