Security Scan

/security-scan <target-scope or scan instruction>

Arguments are optional. When omitted, scan the entire project. When a file path or category is specified, limit the scan to that scope.

Examples

/security-scan Full project security scan
/security-scan src/features/assignment/
/security-scan Dependency packages only

Output Destination

• Default: Present report in conversation
• File output: output/reports/security/SECURITY_<datetime>.md (when output/ directory exists)
• Tool output: testreport/security/

Integration with Other Skills

Scan Categories

1. Dependency Package Vulnerability Scan (SCA)

Detect dependency packages with known vulnerabilities (CVEs).

# npm standard
npm audit --json > testreport/security/npm-audit.json
npm audit

# More detailed analysis (when installed in the project)
# npx snyk test
# trivy fs --scanners vuln .

Checklist

• Verified vulnerabilities in direct dependencies
• Verified vulnerabilities in transitive dependencies (including devDependencies)
• Checked if CRITICAL/HIGH vulnerabilities have patches available
• Verified if vulnerable packages are included in the production build

Judgment Criteria

2. Static Application Security Testing (SAST)

Statically detect security issues within source code.

Detection Targets (OWASP Top 10 Based)

Grep-Based Simple Detection

When tools are not installed, search source code for patterns matching OWASP CWE patterns:

• CWE-79 (XSS): Unsafe HTML injection APIs (innerHTML, framework-specific raw HTML insertion, etc.)
• CWE-798 (Hardcoded Credentials): password, secret, api_key, token literals in source code
• CWE-95 (Dynamic Code Evaluation): Functions that dynamically generate/execute code from strings

# When security tools are installed
# npx semgrep --config auto src/

Checklist

• Scanned for CWE-79 (XSS) patterns
• Scanned for CWE-798 (Hardcoded Credentials)
• Scanned for CWE-95 (Dynamic Code Evaluation) patterns
• Verified user input validation status
• Covered major OWASP Top 10 categories

3. Dynamic Application Security Testing (DAST)

Perform security scans against a running application.

OWASP ZAP

# OWASP ZAP Docker (Baseline Scan: passive scan, fast)
docker run --rm -t ghcr.io/zaproxy/zaproxy:stable zap-baseline.py \
  -t <TARGET_URL> \
  -J zap-report.json \
  -r zap-report.html

# OWASP ZAP Docker (Full Scan: active scan, detailed)
docker run --rm -t ghcr.io/zaproxy/zaproxy:stable zap-full-scan.py \
  -t <TARGET_URL> \
  -J zap-report.json \
  -r zap-report.html

# API Scan (when OpenAPI/Swagger spec exists)
docker run --rm -t ghcr.io/zaproxy/zaproxy:stable zap-api-scan.py \
  -t <OPENAPI_SPEC_URL> \
  -f openapi \
  -J zap-api-report.json

Prerequisites

• Docker must be installed
• Target application must be running (dev server or built preview)
• Network access must be available

Scan Mode Selection

Checklist

• Executed scan against the target URL
• Verified security header configuration
• Verified CSP (Content Security Policy) configuration
• Verified cookie attributes (Secure, HttpOnly, SameSite)

4. Secret Detection

Detect sensitive information in source code or Git history.

# gitleaks (scan including Git history)
gitleaks detect --source . --report-path testreport/security/gitleaks.json --report-format json

# gitleaks (staged files only)
gitleaks protect --staged --report-path testreport/security/gitleaks-staged.json

# trufflehog (Git history scan)
trufflehog git file://. --json > testreport/security/trufflehog.json

Detection Targets

• API keys and access tokens
• Passwords and credentials
• Private keys (SSH, PGP)
• Database connection strings
• Cloud provider credentials (AWS, GCP, Azure)
• Committed .env files

5. Security Header & Configuration Analysis

Verify security of HTTP response headers and application configuration.

Required Headers

Scan Workflow

1. Scope Confirmation — Confirm scan target (entire / specific category / specific file)
2. Environment Check — Verify installation status of required tools
3. Tool Execution — Run scan tools by category
4. Results Analysis — Analyze scan results and identify false positives
5. 🚏 Report Gate — Output structured report

Tool Availability Handling

When scan tools are not installed:

1. Present installation instructions (wait for user's decision)
2. Perform simplified scanning within the achievable scope without tools (Grep-based search, npm audit)
3. Document the limitations of the simplified scan

Output Contract

Section Definitions

Severity Definitions

Finding Description Format

- [ ] **[Severity]** `Detection location` Vulnerability overview.
  **CVE/CWE**: Document when applicable.
  **Impact**: Specific impact if exploited.
  **Fix Suggestion**: Specific remediation method.
  **Fix Difficulty**: Low / Medium / High.
  **False Positive Possibility**: Yes / No (state rationale when Yes).

Vocabulary Constraints

Structural Constraints

• Include CVE/CWE numbers in findings wherever possible
• Fix suggestions must be specific code changes or commands
• State rationale for false positive determinations
• Always record the version of tools used for scanning

Report Format

# Security Scan Report: [Target Overview]

## Disclaimer
This report is reference information based on automated tools and is not a substitute
for comprehensive security assessment. Security specialist review is recommended for critical systems.

## Scan Overview
- Scan Date: YYYY-MM-DD HH:MM
- Target: [Application name/URL/Repository]
- Scan Scope: SCA / SAST / DAST / Secret Detection / Header Analysis
- Tools Used:
  - [Tool name vX.X.X] (Target category)

## Executive Summary
- Findings: CRITICAL X / HIGH Y / MEDIUM Z / LOW W / INFO V
- Overall Risk Assessment: High / Medium / Low
- Items Requiring Immediate Response: X

## Findings

### CRITICAL (Immediate Response)
- [ ] **[CRITICAL]** `Detection location` Vulnerability overview.
  **CVE/CWE**: CVE-XXXX-XXXXX / CWE-XXX.
  **Impact**: Impact description.
  **Fix Suggestion**: Remediation method.
  **Fix Difficulty**: Low / Medium / High.

### HIGH (Within 1 Week)
(Same format as above)

### MEDIUM (Before Next Release)
(Same format as above)

### LOW (Planned Response)
(Same format as above)

### INFO (Reference)
(Same format as above)

## Dependency Package Summary

| Package | Current Version | Vulnerability | Severity | Fix Version | Production Impact |
| ------- | --------------- | ------------- | -------- | ----------- | ----------------- |
| [Name] | [ver] | CVE-XXXX | HIGH | [ver] | Yes / No |

## DAST Results Summary

| Alert | Risk | Count | CWE | Example URL |
| ----- | ---- | ----- | --- | ----------- |
| [Alert name] | High/Medium/Low | X | CWE-XXX | /path |

## Recommended Actions
1. **[Severity]** [Action description] (Fix Difficulty: Low/Medium/High)
2. ...

## Next Scan Recommendations
- [Suggestions for additional tools and scan scope]
- Recommended Scan Frequency: [Daily / Weekly / Pre-release]

Tool Installation Guide

Minimum setup: npm audit (no additional installation required). Recommended setup: gitleaks + OWASP ZAP + semgrep.

# gitleaks (Secret Detection)
# https://github.com/gitleaks/gitleaks#installing
brew install gitleaks  # macOS
# Or download binary from GitHub Releases

# OWASP ZAP (DAST)
# Use via Docker (no installation needed)
# docker run --rm ghcr.io/zaproxy/zaproxy:stable zap-baseline.py -t <URL>

# semgrep (SAST)
# https://semgrep.dev/docs/getting-started/
pip install semgrep
# Or brew install semgrep

Prohibited Actions

• Modifying source code (including test files)
• Running active scans against production environments (development/staging only)
• Installing scan tools without user confirmation
• Underestimating vulnerability information (when uncertain, rate higher)
• Transcribing detected sensitive information into the report (mask it)
• Definitively stating "no issues" (use "no detections within scan scope")