
security-scanning-expert skill

/plugins/testing/skills/security-scanning-expert

This skill helps integrate SAST, DAST, SCA, and IaC security scans into your CI/CD, enabling fast remediation of vulnerabilities.

npx playbooks add skill willsigmon/sigstack --skill security-scanning-expert

Review the files below or copy the command above to add this skill to your agents.

Files (1)
SKILL.md
2.1 KB
---
name: Security Scanning Expert
description: DevSecOps security scanning - SAST, DAST, SCA, container scanning, AI remediation
allowed-tools: Read, Edit, Bash, WebFetch
model: sonnet
---

# Security Scanning Expert

Integrate security scanning into your development workflow.

## Scan Types

### SAST (Static Analysis)
- Scans source code
- Finds bugs before runtime
- Tools: Semgrep, CodeQL, SonarQube

### DAST (Dynamic Analysis)
- Tests running applications
- Finds runtime vulnerabilities
- Tools: OWASP ZAP, Nuclei

### SCA (Software Composition)
- Scans dependencies
- Finds known CVEs
- Tools: Snyk, Dependabot, Trivy

### IaC Security
- Scans Terraform/K8s configs
- Prevents misconfigurations
- Tools: Checkov, tfsec

## Top Tools (2026)

### GitLab Ultimate
- All-in-one DevSecOps
- Built-in SAST, DAST, SCA
- Secret detection
- Enterprise pricing

### Trivy (Free)
```bash
# Scan container
trivy image myapp:latest

# Scan filesystem
trivy fs .

# Scan Terraform
trivy config ./terraform
```

### OWASP ZAP (Free)
```bash
# Quick scan
zap-cli quick-scan http://localhost:3000

# Full scan in CI
docker run -t ghcr.io/zaproxy/zaproxy:stable \
  zap-full-scan.py -t http://app:3000
```

### Semgrep
```bash
# Install
pip install semgrep

# Run with auto rules
semgrep --config=auto .

# Registry ruleset (p/ prefix = Semgrep registry pack, not a custom rule)
semgrep --config=p/security-audit .
```

## GitHub Integration

### Dependabot
```yaml
# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
```

### CodeQL
```yaml
# .github/workflows/codeql.yml (steps of the analysis job;
# the job needs `permissions: security-events: write` to upload results)
- uses: actions/checkout@v4
- uses: github/codeql-action/init@v3
  with:
    languages: javascript, typescript
- uses: github/codeql-action/analyze@v3
```

## AI-Powered Remediation (2026)
- Plexicus: AI writes fixes for scanner findings
- GitHub Copilot: Suggests secure alternatives
- SonarQube AI: Explains vulnerabilities

## Priority Order
1. Secrets detection (immediate)
2. Critical CVEs (1 day)
3. High-severity SAST (1 week)
4. Medium-severity (sprint)
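
The priority order above (and the "triage by priority" best practice) is easiest to enforce as a gate step that runs after the scanners. The script below is an added example, not code from the sigstack skill: it flattens Trivy and Semgrep JSON reports into one finding list and treats each priority tier as a remediation budget, the number of days a finding may stay open before the pipeline fails. Assumptions: the report layouts follow Trivy's `Results[].Vulnerabilities[]` / `Results[].Secrets[]` and Semgrep's `results[].extra.severity` fields as I know them; Semgrep `ERROR` maps to high and `WARNING` to medium; HIGH CVEs get the same one-week budget the skill gives high SAST; a sprint is 14 days; the sample reports, rule ids and CVE ids are constructed placeholders; and the "days open" table stands in for a ticket-tracker lookup.

```python
"""Priority-order CI gate for scanner findings.

Added example, not code from the sigstack skill. Budgets (days a finding may
stay open before the build fails) follow the skill's priority order:
secrets 0 (immediate), critical CVEs 1, high 7 (the skill's "1 week" for high
SAST, applied to HIGH CVEs too as an assumption), medium 14 (assumed sprint).
Report layouts follow Trivy and Semgrep JSON as I know them; all sample data
below is constructed, not real scanner output.
"""
import json
from dataclasses import dataclass

BUDGET_DAYS = {"secret": 0, "critical": 1, "high": 7, "medium": 14}
TIER_RANK = {"secret": 0, "critical": 1, "high": 2, "medium": 3}
TRIVY_TIER = {"CRITICAL": "critical", "HIGH": "high", "MEDIUM": "medium"}
# Semgrep has no CRITICAL level; ERROR -> high, WARNING -> medium is assumed.
SEMGREP_TIER = {"ERROR": "high", "WARNING": "medium"}


@dataclass(frozen=True)
class Finding:
    tier: str      # key into BUDGET_DAYS
    source: str    # scanner that produced the finding
    ident: str     # CVE id, secret rule id or Semgrep check id
    location: str  # image target, file path or path:line
    age_days: int  # days since first seen (a tracker supplies this in practice)


def normalise_trivy(report: dict, ages: dict) -> list:
    """Flatten a Trivy JSON report (image, fs or config scan) into findings."""
    out = []
    for result in report.get("Results", []):
        target = result.get("Target", "?")
        for s in result.get("Secrets", []):
            rule = s.get("RuleID", "unknown-secret")
            out.append(Finding("secret", "trivy", rule, target, ages.get(rule, 0)))
        for v in result.get("Vulnerabilities", []):
            tier = TRIVY_TIER.get(v.get("Severity", "").upper())
            if tier is None:  # LOW / UNKNOWN are reported elsewhere, not gated
                continue
            cve = v.get("VulnerabilityID", "?")
            out.append(Finding(tier, "trivy", cve, target, ages.get(cve, 0)))
    return out


def normalise_semgrep(report: dict, ages: dict) -> list:
    """Flatten a Semgrep JSON report into findings."""
    out = []
    for r in report.get("results", []):
        tier = SEMGREP_TIER.get(r.get("extra", {}).get("severity", "").upper())
        if tier is None:  # INFO-level results are not gated
            continue
        check = r.get("check_id", "?")
        loc = f"{r.get('path', '?')}:{r.get('start', {}).get('line', '?')}"
        out.append(Finding(tier, "semgrep", check, loc, ages.get(check, 0)))
    return out


def evaluate(findings: list) -> tuple:
    """Return (passed, report_lines); a finding blocks once open >= its budget."""
    passed, lines = True, []
    for f in sorted(findings, key=lambda f: (TIER_RANK[f.tier], f.ident)):
        budget = BUDGET_DAYS[f.tier]
        blocks = f.age_days >= budget  # secrets: 0 >= 0, so they block at once
        passed = passed and not blocks
        lines.append(f"{'BLOCK' if blocks else 'WARN'} {f.tier} {f.source} "
                     f"{f.ident} at {f.location} (open {f.age_days}d, budget {budget}d)")
    return passed, lines


def run_gate(trivy_json: str, semgrep_json: str, ages: dict) -> tuple:
    """Parse both reports and evaluate them together."""
    findings = normalise_trivy(json.loads(trivy_json), ages)
    findings += normalise_semgrep(json.loads(semgrep_json), ages)
    return evaluate(findings)


# Constructed sample reports: shape only, ids are placeholders, not real CVEs.
TRIVY_SAMPLE = json.dumps({"Results": [
    {"Target": "myapp:latest (alpine)", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "Severity": "CRITICAL", "PkgName": "libexample"},
        {"VulnerabilityID": "CVE-0000-0002", "Severity": "HIGH", "PkgName": "libexample2"},
        {"VulnerabilityID": "CVE-0000-0003", "Severity": "LOW", "PkgName": "libexample3"}]},
    {"Target": "config/.env", "Secrets": [
        {"RuleID": "example-api-token", "Severity": "CRITICAL"}]}]})
SEMGREP_SAMPLE = json.dumps({"results": [
    {"check_id": "ts.example.sql-string-concat", "path": "src/db.ts",
     "start": {"line": 42}, "extra": {"severity": "ERROR"}},
    {"check_id": "ts.example.weak-random", "path": "src/token.ts",
     "start": {"line": 7}, "extra": {"severity": "WARNING"}}]})
# Constructed stand-in for "days since first seen" from a tracker.
AGES = {"CVE-0000-0002": 9, "ts.example.weak-random": 3}

if __name__ == "__main__":
    ok, report = run_gate(TRIVY_SAMPLE, SEMGREP_SAMPLE, AGES)
    print("\n".join(report))
    raise SystemExit(0 if ok else 1)
```

In a pipeline, feed it `trivy ... --format json` and `semgrep ... --json` output and let the non-zero exit status fail the job; teams that want critical CVEs to block on first sight (as the best practices below suggest) set `BUDGET_DAYS["critical"]` to 0.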

Use when: CI/CD security, vulnerability scanning, compliance requirements

Overview

This skill helps teams integrate automated security scanning into CI/CD and development workflows. It covers SAST, DAST, SCA, IaC checks, container scanning, and AI-assisted remediation to reduce time-to-fix. The guidance is tool-agnostic and focused on practical setup, prioritization, and continuous enforcement.

How this skill works

The skill inspects code, running apps, dependency manifests, infrastructure-as-code, and container images to surface secrets, CVEs, misconfigurations, and code-level vulnerabilities. It recommends scanner selection, CI integration snippets, and an operational priority order so teams can triage findings and automate fixes with AI where safe. It also includes minimal command examples and GitHub workflow templates for quick adoption.

When to use it

  • When adding security gates to CI/CD pipelines for pull requests and merges
  • Before releasing containers or infrastructure changes to production
  • When you need automated dependency vulnerability monitoring and PRs
  • To detect secrets and urgent critical CVEs early in the cycle
  • When you want to pilot AI-assisted remediation to speed triage

Best practices

  • Start with secrets detection and immediate blocking rules in CI
  • Enforce SCA for all repos and schedule weekly dependency updates
  • Run SAST at PR time; run DAST against test/staging environments
  • Scan IaC (Terraform/K8s) before applying changes; fail fast on misconfigs
  • Triage by priority: block critical CVEs immediately, fix high SAST within a sprint
  • Use AI remediation as an assist, not an automatic merge; require human review

Example use cases

  • Integrate Semgrep or CodeQL to scan TypeScript PRs and surface high-severity issues early
  • Run Trivy in your CI to scan container images and Terraform configs before deploy
  • Use OWASP ZAP in nightly pipelines against staging to catch runtime flaws
  • Enable Dependabot or Snyk to open dependency update PRs and automate triage
  • Pilot an AI fixer (e.g., Plexicus) to generate candidate patches for routine findings

FAQ

Which scanners should I run in CI for fastest feedback?

Run lightweight SAST (Semgrep) and SCA (Trivy/Dependabot) at PR time, and schedule deeper SAST/DAST scans on merge or nightly pipelines.

Can AI fixes be trusted to merge automatically?

No. AI can produce useful candidate fixes, but require human review, tests, and security validation before merging to avoid introducing regressions.