Security-focused source code review and SAST. Scans for vulnerabilities (OWASP Top 10, CWE Top 25), CVEs in third-party dependencies/packages, hardcoded secrets, malicious code, and insecure patterns. Use when given source code, a repo path, or asked to "audit", "scan", "review" code security, or "check dependencies for CVEs".
- Languages: ls **/*.{py,js,ts,java,go,rb,php,cs,rs}
- Packages: find package.json, requirements.txt, go.mod, pom.xml, Gemfile, composer.json, Cargo.toml
- Entry points: main(), index.*, app.*, server.*
- Config files: .env*, config.*, settings.*, *.yaml, *.toml
See sast-tools.md for commands per language.
Key tools:
- semgrep --config=auto .
- bandit -r . -f json
- gosec ./...
- brakeman -o report.json
- gh codeql
See dependency-cve-scanning.md for commands.
| Ecosystem | Command |
|---|---|
| npm/yarn | npm audit --json / yarn audit |
| Python | pip-audit -r requirements.txt |
| Java | dependency-check --scan . |
| Go | govulncheck ./... |
| Ruby | bundle audit |
| Generic | trivy fs . / grype dir:. |
See secrets-detection.md.
trufflehog filesystem . --json
gitleaks detect --source . -v
Focus on high-risk sinks — see manual-review.md:
- exec, eval, query, system, popen
- pickle.loads, ObjectInputStream, unserialize
See malicious-code.md.
See language-patterns.md for Python, JS, Java, Go, PHP, Ruby.
| Severity | CVSS | Examples |
|---|---|---|
| Critical | 9.0+ | RCE, SQLi with exfil, auth bypass |
| High | 7.0-8.9 | Stored XSS, SSRF, insecure deserialization |
| Medium | 4.0-6.9 | Reflected XSS, info disclosure, IDOR |
| Low | 0.1-3.9 | Missing headers, verbose errors |
- findings/
  - <severity>-<vuln-type>-<location>.md (one file per finding)
- evidence/
  - <tool>-output.json (raw tool output)
- summary-report.md (executive summary)
Each finding: CWE/CVE ID | File:Line | Severity | PoC | Remediation
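A lightweight triage helper for the sink list, the severity table and the findings layout above, written here as an added example rather than any of the referenced tools' own code; the CWE mapping, the placeholder CVSS scores and the sample source are assumptions:

```python
import re
# High-risk sinks from the manual-review list above, mapped to the CWE each usually
# indicates. The CWE mapping and the placeholder CVSS scores are assumptions.
SINKS = {
    r"\b(exec|eval)\s*\(": ("CWE-94", "code-injection", 9.8),
    r"\b(system|popen)\s*\(": ("CWE-78", "os-command-injection", 9.8),
    r"\bpickle\.loads\s*\(": ("CWE-502", "insecure-deserialization", 8.1),
    r"\bObjectInputStream\b": ("CWE-502", "insecure-deserialization", 8.1),
    r"\bunserialize\s*\(": ("CWE-502", "insecure-deserialization", 8.1),
    r"\.query\s*\(": ("CWE-89", "sql-injection", 9.0),
}

def severity(cvss: float) -> str:
    """Bucket a CVSS base score using the severity table above (0.1-3.9 is low)."""
    for floor, label in ((9.0, "critical"), (7.0, "high"), (4.0, "medium")):
        if cvss >= floor:
            return label
    return "low"

def find_sinks(path: str, source: str) -> list[dict]:
    """One candidate finding per sink hit. These are triage leads for manual review,
    not confirmed vulnerabilities: reachability from untrusted input is checked by hand."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for pattern, (cwe, vuln_type, cvss) in SINKS.items():
            if re.search(pattern, line):
                findings.append({"cwe": cwe, "vuln_type": vuln_type, "cvss": cvss,
                                 "severity": severity(cvss),
                                 "location": f"{path}:{lineno}", "snippet": line.strip()})
    return findings

def finding_filename(finding: dict) -> str:
    """Name a finding file as <severity>-<vuln-type>-<location>.md (path made filename-safe)."""
    location = re.sub(r"[^A-Za-z0-9.]+", "_", finding["location"])
    return f"{finding['severity']}-{finding['vuln_type']}-{location}.md"

# Constructed sample source (not from any real project) to exercise the scanner.
SAMPLE_PATH = "app/views.py"
SAMPLE_SOURCE = (
    "import os, pickle\n"
    "def run(cmd):\n"
    "    return os.popen(cmd).read()\n"
    "def load(blob):\n"
    "    return pickle.loads(blob)\n"
)

if __name__ == "__main__":
    for f in find_sinks(SAMPLE_PATH, SAMPLE_SOURCE):
        print(finding_filename(f), "|", f["cwe"], "|", f["snippet"])
```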