home / skills / proxiblue / claude-skills / security-scan

security-scan skill

safe

This skill performs comprehensive Magento 2 security auditing, scanning dependencies, configurations, files, code, access controls, and compliance settings to

npx playbooks add skill proxiblue/claude-skills --skill security-scan

Review the files below or copy the command above to add this skill to your agents.

Files (1)

SKILL.md

3.7 KB

---
name: security-scan
description: Comprehensive Magento 2 security scanning skill that checks for vulnerabilities, misconfigurations, outdated dependencies, security patches, and compliance with security best practices.
---

This skill automates security auditing and vulnerability scanning for Magento 2 applications.

## What This Skill Does

1. **Dependency Vulnerability Scan**
   - Scan composer dependencies for known CVEs
   - Check for outdated Magento core version
   - Identify vulnerable third-party modules
   - Review security patch status
   - Validate PHP version security support

2. **Configuration Security Audit**
   - Admin panel security settings
   - Two-factor authentication status
   - Session configuration and timeout
   - Cookie security settings
   - HTTPS enforcement validation
   - Secret key usage in admin URLs

3. **File System Security**
   - File and directory permissions (should be 644/755)
   - Sensitive file exposure checks (.git, .env, etc.)
   - var/log accessibility
   - pub/media upload validation
   - Validate restricted file extensions

4. **Code Security Analysis**
   - SQL injection vulnerability scan
   - XSS prevention validation (escaper usage)
   - CSRF protection (form key validation)
   - Input validation and sanitization
   - Insecure deserialization checks
   - Hardcoded credentials detection

5. **Access Control Validation**
   - Admin user audit (strong passwords, MFA)
   - Role and permission configuration
   - API authentication security
   - Customer password policy
   - Failed login attempt monitoring

6. **Compliance Checks**
   - PCI DSS configuration validation
   - GDPR compliance settings
   - Security headers (CSP, HSTS, X-Frame-Options)
   - Cookie consent and privacy settings
   - Data encryption validation

## Security Tools Used

```bash
# Composer security check
composer audit

# Magento security scan
bin/magento security:check:now

# File permission check
find . -type f ! -perm 644 -o -type d ! -perm 755

# Search for potential vulnerabilities
grep -r "eval\|exec\|system\|passthru" app/code/
grep -r "unserialize" app/code/

# Check for exposed sensitive files
curl -I https://example.com/.git/config
curl -I https://example.com/.env
curl -I https://example.com/var/log/system.log
```

## MCP Integration

Uses:
- **filesystem**: File scanning and permission checking
- **magento2-dev**: Configuration validation
- **database**: Security-related configuration queries

## Scan Output

### Risk Classification
- **Critical**: Immediate security threat requiring urgent action
- **High**: Significant vulnerability, prioritize remediation
- **Medium**: Security weakness, schedule fix
- **Low**: Best practice improvement, low risk
- **Info**: Security information, no immediate action needed

### Report Sections
1. **Executive Summary**
   - Overall security score (0-100)
   - Critical findings count
   - Compliance status

2. **Vulnerability Details**
   - CVE IDs and severity
   - Affected components and versions
   - Exploitation difficulty
   - Remediation steps

3. **Configuration Issues**
   - Misconfigured security settings
   - Weak authentication configurations
   - Missing security headers
   - Recommended configurations

4. **Compliance Status**
   - PCI DSS requirements status
   - GDPR compliance gaps
   - Industry best practices adherence

5. **Remediation Plan**
   - Prioritized action items
   - Implementation steps
   - Testing recommendations
   - Validation methods

## When to Use

- Regular security audits (monthly/quarterly)
- Before production deployments
- After installing new modules
- Post-security incident analysis
- Compliance audit preparation
- Customer security requirement validation
- Pre-acquisition due diligence

Overview

This skill automates a comprehensive security audit for Magento 2 installations, producing prioritized findings, configuration checks, and a remediation plan. It identifies vulnerable dependencies, misconfigurations, insecure files, and compliance gaps to give a clear security posture and action list. The report includes a risk-classified score and detailed steps to fix critical issues.

How this skill works

The scanner inspects composer dependencies, Magento core version and installed modules for known CVEs and missing patches, and validates PHP support. It audits configuration (admin settings, HTTPS, cookies, session and MFA), file system permissions and exposed files, code-level risks (SQLi, XSS, CSRF, insecure deserialization, hardcoded secrets), access control and API authentication, and compliance items like PCI DSS and GDPR. Output is a structured report with severity, affected components, remediation steps, and validation guidance.

When to use it

Regular scheduled security audits (monthly or quarterly)
Before deploying to production or releasing updates
After installing or updating third-party modules
Following a suspected or confirmed security incident
During compliance or acquisition due diligence

Best practices

Run scans in a staging environment before production changes
Keep composer packages and Magento core patched and monitor CVE feeds
Harden file permissions (files 644, directories 755) and remove exposed config files from webroot
Enforce MFA for all admin accounts and strong password/lockout policies
Implement automated CI checks for unsafe functions and secrets scanning

Example use cases

Full pre-release security check to prevent regressions and known vulnerabilities
Post-install audit after adding a marketplace extension to spot risky code or permissions
Compliance readiness assessment for PCI DSS or GDPR audits
Incident response triage to enumerate affected components and recommend immediate mitigations
Pre-acquisition security due diligence to summarize risk and remediation cost

FAQ

How long does a typical scan take?

Scan time varies by site size and environment; most scans finish within 10–60 minutes depending on dependency checks and codebase size.

Can I run this against a live production site?

Yes, but run read-only checks and non-invasive scans on production. For deeper code and permission audits, use a staging copy to avoid performance impact.