Claude Code Plugins

Community-maintained marketplace

Feedback

security-scanner

@matteocervelli/llms
2
0

Scan codebase for security vulnerabilities including secrets, insecure

Install Skill

1Download skill
2Enable skills in Claude

Open claude.ai/settings/capabilities and find the "Skills" section

3Upload to Claude

Click "Upload skill" and select the downloaded ZIP file

Note: Please verify skill by going through its instructions before using it.

SKILL.md

name security-scanner
description Scan codebase for security vulnerabilities including secrets, insecure dependencies, and unsafe code patterns. Use when performing automated security scans.
allowed-tools Read, Grep, Glob, Bash

Security Scanner Skill

Purpose

This skill provides automated security scanning of codebases to identify vulnerabilities, hardcoded secrets, insecure dependencies, and unsafe coding patterns.

When to Use

  • Starting security assessment of a codebase
  • Pre-commit security checks
  • CI/CD pipeline security validation
  • Dependency vulnerability scanning
  • Secret detection in code
  • Static security analysis

Scanning Workflow

1. Secret Detection

Scan for Hardcoded Secrets:

# Using grep patterns for common secrets
grep -r -i "password\s*=\s*['\"]" src/ --include="*.py" --include="*.js"
grep -r -i "api_key\s*=\s*['\"]" src/ --include="*.py" --include="*.js"
grep -r -i "secret\s*=\s*['\"]" src/ --include="*.py" --include="*.js"
grep -r -i "token\s*=\s*['\"]" src/ --include="*.py" --include="*.js"

# AWS credentials
grep -r "AKIA[0-9A-Z]{16}" src/
grep -r "aws_secret_access_key" src/

# Private keys
grep -r "BEGIN.*PRIVATE KEY" src/

# Database connection strings
grep -r "postgresql://.*:.*@" src/
grep -r "mysql://.*:.*@" src/
grep -r "mongodb://.*:.*@" src/

Use Dedicated Secret Scanners:

# Gitleaks (if available)
gitleaks detect --source . --report-format json --report-path gitleaks-report.json

# Trufflehog (if available)
trufflehog filesystem . --json > trufflehog-report.json

# Git-secrets (if available)
git secrets --scan

Secrets to Look For:

  • API keys (AWS, Google Cloud, Azure, etc.)
  • Database passwords
  • Authentication tokens
  • Private keys (SSH, TLS, etc.)
  • OAuth secrets
  • Encryption keys
  • Service account credentials
  • Third-party service keys (Stripe, Twilio, etc.)

Deliverable: List of files containing potential secrets with line numbers

2. Dependency Vulnerability Scanning

Python Dependencies:

# Using pip-audit (recommended)
pip-audit --desc --format json > pip-audit-report.json

# Using safety
safety check --json > safety-report.json

# Check for outdated packages
pip list --outdated --format json

Node.js Dependencies:

# NPM audit
npm audit --json > npm-audit-report.json

# Yarn audit
yarn audit --json > yarn-audit-report.json

General Container/Filesystem Scanning:

# Trivy (multi-language)
trivy filesystem . --format json --output trivy-report.json

# Check specific files
trivy filesystem requirements.txt
trivy filesystem package.json

Dependency Checks:

  • Known CVEs in dependencies
  • Outdated packages with security patches
  • Unmaintained packages
  • License compliance issues
  • Transitive dependency vulnerabilities

Deliverable: Vulnerability report with CVE IDs, severity scores, and affected packages

3. Insecure Code Pattern Detection

SQL Injection Vulnerabilities:

# Python - Look for string concatenation in SQL queries
grep -r "execute.*%.*" src/ --include="*.py"
grep -r "execute.*\+.*" src/ --include="*.py"
grep -r "cursor.execute.*format" src/ --include="*.py"

# Look for string formatting in SQL
grep -r "SELECT.*{" src/ --include="*.py"
grep -r "INSERT.*{" src/ --include="*.py"
grep -r "UPDATE.*{" src/ --include="*.py"
grep -r "DELETE.*{" src/ --include="*.py"

Command Injection:

# Python - subprocess with shell=True
grep -r "subprocess.*shell=True" src/ --include="*.py"
grep -r "os.system" src/ --include="*.py"
grep -r "os.popen" src/ --include="*.py"

# Node.js - child_process exec
grep -r "child_process.*exec" src/ --include="*.js"
grep -r "\.exec(" src/ --include="*.js"

Path Traversal:

# Unsanitized file paths
grep -r "open(.*request\." src/ --include="*.py"
grep -r "os.path.join(.*request\." src/ --include="*.py"
grep -r "readFile(.*req\." src/ --include="*.js"

Insecure Deserialization:

# Python pickle
grep -r "pickle.loads" src/ --include="*.py"
grep -r "cPickle.loads" src/ --include="*.py"

# YAML load (unsafe)
grep -r "yaml.load(" src/ --include="*.py"

# Node.js eval
grep -r "eval(" src/ --include="*.js"

Cross-Site Scripting (XSS):

# HTML rendering without escaping
grep -r "\.innerHTML" src/ --include="*.js" --include="*.jsx"
grep -r "dangerouslySetInnerHTML" src/ --include="*.jsx" --include="*.tsx"

# Python templates without autoescape
grep -r "autoescape=False" src/ --include="*.py"

Weak Cryptography:

# MD5, SHA1 usage
grep -r "hashlib.md5" src/ --include="*.py"
grep -r "hashlib.sha1" src/ --include="*.py"
grep -r "crypto.createHash('md5')" src/ --include="*.js"

# Weak random
grep -r "random.random(" src/ --include="*.py"
grep -r "Math.random(" src/ --include="*.js"

Deliverable: List of insecure code patterns with file locations and severity

4. Authentication & Authorization Issues

Missing Authentication:

# Python Flask routes without auth decorators
grep -r "@app.route" src/ --include="*.py" -A 1 | grep -v "@login_required" | grep -v "@auth_required"

# Express routes without middleware
grep -r "app.get\|app.post" src/ --include="*.js" -A 1

Hardcoded Credentials:

# Default passwords
grep -r "password.*=.*['\"]admin['\"]" src/
grep -r "password.*=.*['\"]password['\"]" src/
grep -r "password.*=.*['\"]123456['\"]" src/

# Default tokens
grep -r "token.*=.*['\"]test['\"]" src/

Session Management:

# Insecure session configuration
grep -r "SESSION_COOKIE_SECURE.*False" src/ --include="*.py"
grep -r "SESSION_COOKIE_HTTPONLY.*False" src/ --include="*.py"
grep -r "SESSION_COOKIE_SAMESITE.*None" src/ --include="*.py"

Deliverable: Authentication and authorization gaps with recommendations

5. Static Analysis with Automated Tools

Python - Bandit:

# Run bandit for Python security issues
bandit -r src/ -f json -o bandit-report.json

# With specific tests
bandit -r src/ -f json --severity-level medium

# Show only high severity
bandit -r src/ -ll

Multi-language - Semgrep:

# Auto-detect and scan
semgrep --config=auto . --json > semgrep-report.json

# OWASP Top 10 rules
semgrep --config=p/owasp-top-ten . --json

# Security audit
semgrep --config=p/security-audit . --json

# Python-specific
semgrep --config=p/python . --json

JavaScript - ESLint Security:

# With security plugin
eslint src/ --format json > eslint-report.json

# With security-specific rules
eslint src/ --plugin security --format json

Deliverable: Automated tool reports with findings categorized by severity

6. Configuration Security

Environment Files:

# Check for committed .env files
find . -name ".env" -o -name ".env.*" | grep -v ".env.example"

# Check .gitignore
grep -q "\.env" .gitignore || echo "WARNING: .env not in .gitignore"

Security Headers:

# Check for security header configuration
grep -r "X-Frame-Options" src/ config/
grep -r "Content-Security-Policy" src/ config/
grep -r "X-Content-Type-Options" src/ config/
grep -r "Strict-Transport-Security" src/ config/

CORS Configuration:

# Overly permissive CORS
grep -r "Access-Control-Allow-Origin.*\*" src/ config/
grep -r "cors().*origin:.*\*" src/ --include="*.js"

Deliverable: Configuration security issues and recommendations

Scanning Output Format

Create a security scan report:

# Security Scan Report

**Date**: [YYYY-MM-DD]
**Scan Scope**: [path/to/code]
**Scanner Version**: [tool versions]

## Summary

- **Critical Issues**: [count]
- **High Issues**: [count]
- **Medium Issues**: [count]
- **Low Issues**: [count]
- **Informational**: [count]

## Critical Issues

### [Issue Title]

**File**: [path/to/file:line]
**Category**: [Secret/Injection/etc.]
**Severity**: Critical

**Description**: [What was found]

**Evidence**:

[code snippet]


**Recommendation**: [How to fix]

---

## High Issues

[Similar format]

## Medium Issues

[Similar format]

## Low Issues

[Similar format]

## Tool Reports

### Dependency Scan (pip-audit)
- Vulnerable packages: [count]
- CVEs found: [list]

### Secret Detection (gitleaks)
- Secrets found: [count]
- Types: [API keys, passwords, etc.]

### Static Analysis (bandit)
- Issues found: [count]
- Most common: [issue type]

## Recommendations

### Immediate Actions (Critical/High)
1. [Action 1]
2. [Action 2]

### Short-term (Medium)
1. [Action 1]

### Long-term (Low)
1. [Action 1]

## False Positives

[List any false positives to ignore in future scans]

Best Practices

Secret Scanning:

  • Always scan before committing code
  • Check git history for past secrets
  • Use pre-commit hooks for automated scanning
  • Never commit .env files
  • Use secret management tools (Vault, AWS Secrets Manager)

Dependency Scanning:

  • Scan before adding new dependencies
  • Keep dependencies updated
  • Monitor for new vulnerabilities
  • Use lock files (requirements.txt, package-lock.json)
  • Consider dependency pinning

Code Pattern Detection:

  • Focus on user input handling
  • Check all database queries
  • Review file operations
  • Validate all external inputs
  • Sanitize all outputs

Automated Tools:

  • Run multiple tools for better coverage
  • Configure tools with project-specific rules
  • Integrate into CI/CD pipeline
  • Review and triage findings
  • Track false positives

Supporting Scripts

Quick Scan Script (scripts/quick-security-scan.sh):

#!/bin/bash
# Quick security scan

echo "Running security scans..."

# Secret detection
echo "1. Scanning for secrets..."
gitleaks detect --no-git || echo "Gitleaks not available"

# Dependency check
echo "2. Checking dependencies..."
if [ -f requirements.txt ]; then
    pip-audit || echo "pip-audit not available"
fi

# Static analysis
echo "3. Running static analysis..."
if [ -d src ]; then
    bandit -r src/ -ll || echo "Bandit not available"
fi

echo "Scan complete!"

Integration with Security Assessment

Input: Codebase to scan Process: Automated scanning with multiple tools Output: Security scan report with findings Next Step: Vulnerability assessment for detailed analysis

Tools Installation

Python Security Tools:

pip install pip-audit safety bandit

Secret Scanners:

# Gitleaks (via binary release)
# See: https://github.com/gitleaks/gitleaks/releases

# Trufflehog
pip install truffleHog

Multi-language:

# Semgrep
pip install semgrep

# Trivy (via binary release)
# See: https://github.com/aquasecurity/trivy/releases

Scan Frequency

  • Pre-commit: Secret detection
  • Daily: Dependency scanning
  • Weekly: Full static analysis
  • Before PR: Complete security scan
  • Before release: Comprehensive assessment

Remember

  • Automate everything: Use tools, don't scan manually
  • Multiple tools: Each catches different issues
  • Triage findings: Not all findings are exploitable
  • Fix high severity first: Prioritize by risk
  • Track over time: Monitor security trends
  • Update tools: Keep scanners current
  • Document exceptions: Log false positives

Your goal is to identify security issues early and comprehensively through automated scanning.