Security Scanner Skill

安全扫描技能

Purpose

用途

This skill provides automated security scanning of codebases to identify vulnerabilities, hardcoded secrets, insecure dependencies, and unsafe coding patterns.

本技能可对代码库执行自动化安全扫描，识别漏洞、硬编码敏感信息、不安全依赖项以及危险编码模式。

When to Use

适用场景

Starting security assessment of a codebase
Pre-commit security checks
CI/CD pipeline security validation
Dependency vulnerability scanning
Secret detection in code
Static security analysis

启动代码库安全评估时
提交前安全检查
CI/CD 流水线安全验证
依赖项漏洞扫描
代码中的敏感信息检测
静态安全分析

Scanning Workflow

扫描流程

1. Secret Detection

1. 敏感信息检测

Scan for Hardcoded Secrets:

bash

undefined

扫描硬编码敏感信息：

bash

undefined

Using grep patterns for common secrets

使用grep匹配常见敏感信息模式

grep -r -i "password\s*=\s*['"]" src/ --include=".py" --include=".js" grep -r -i "api_key\s*=\s*['"]" src/ --include=".py" --include=".js" grep -r -i "secret\s*=\s*['"]" src/ --include=".py" --include=".js" grep -r -i "token\s*=\s*['"]" src/ --include=".py" --include=".js"

AWS credentials

AWS凭证

grep -r "AKIA[0-9A-Z]{16}" src/ grep -r "aws_secret_access_key" src/

Private keys

私钥

grep -r "BEGIN.*PRIVATE KEY" src/

Database connection strings

数据库连接字符串

grep -r "postgresql://.:.@" src/ grep -r "mysql://.:.@" src/ grep -r "mongodb://.:.@" src/


**Use Dedicated Secret Scanners:**

```bash

grep -r "postgresql://.:.@" src/ grep -r "mysql://.:.@" src/ grep -r "mongodb://.:.@" src/


**使用专用敏感信息扫描工具：**

```bash

Gitleaks (if available)

Gitleaks（若已安装）

gitleaks detect --source . --report-format json --report-path gitleaks-report.json

Trufflehog (if available)

Trufflehog（若已安装）

trufflehog filesystem . --json > trufflehog-report.json

Git-secrets (if available)

Git-secrets（若已安装）

git secrets --scan


**Secrets to Look For:**
- API keys (AWS, Google Cloud, Azure, etc.)
- Database passwords
- Authentication tokens
- Private keys (SSH, TLS, etc.)
- OAuth secrets
- Encryption keys
- Service account credentials
- Third-party service keys (Stripe, Twilio, etc.)

**Deliverable:** List of files containing potential secrets with line numbers

---

git secrets --scan


**需检测的敏感信息类型：**
- API密钥（AWS、Google Cloud、Azure等）
- 数据库密码
- 认证令牌
- 私钥（SSH、TLS等）
- OAuth密钥
- 加密密钥
- 服务账号凭证
- 第三方服务密钥（Stripe、Twilio等）

**交付物：** 包含潜在敏感信息的文件列表及对应行号

---

2. Dependency Vulnerability Scanning

2. 依赖项漏洞扫描

Python Dependencies:

bash

undefined

Python依赖项：

bash

undefined

Using pip-audit (recommended)

使用pip-audit（推荐）

pip-audit --desc --format json > pip-audit-report.json

Using safety

使用safety

safety check --json > safety-report.json

Check for outdated packages

检查过时包

pip list --outdated --format json


**Node.js Dependencies:**

```bash

pip list --outdated --format json


**Node.js依赖项：**

```bash

NPM audit

NPM审计

npm audit --json > npm-audit-report.json

Yarn audit

Yarn审计

yarn audit --json > yarn-audit-report.json


**General Container/Filesystem Scanning:**

```bash

yarn audit --json > yarn-audit-report.json


**通用容器/文件系统扫描：**

```bash

Trivy (multi-language)

Trivy（多语言支持）

trivy filesystem . --format json --output trivy-report.json

Check specific files

检查特定文件

trivy filesystem requirements.txt trivy filesystem package.json


**Dependency Checks:**
- Known CVEs in dependencies
- Outdated packages with security patches
- Unmaintained packages
- License compliance issues
- Transitive dependency vulnerabilities

**Deliverable:** Vulnerability report with CVE IDs, severity scores, and affected packages

---

trivy filesystem requirements.txt trivy filesystem package.json


**依赖项检查内容：**
- 依赖项中的已知CVE漏洞
- 存在安全补丁的过时包
- 无人维护的包
- 许可证合规问题
- 传递性依赖漏洞

**交付物：** 包含CVE编号、风险等级及受影响包的漏洞报告

---

3. Insecure Code Pattern Detection

3. 危险代码模式检测

SQL Injection Vulnerabilities:

bash

undefined

SQL注入漏洞：

bash

undefined

Python - Look for string concatenation in SQL queries

Python - 查找SQL查询中的字符串拼接

grep -r "execute.%." src/ --include=".py" grep -r "execute.+." src/ --include=".py" grep -r "cursor.execute.format" src/ --include=".py"

Look for string formatting in SQL

查找SQL中的字符串格式化

grep -r "SELECT.{" src/ --include=".py" grep -r "INSERT.{" src/ --include=".py" grep -r "UPDATE.{" src/ --include=".py" grep -r "DELETE.{" src/ --include=".py"


**Command Injection:**

```bash

grep -r "SELECT.{" src/ --include=".py" grep -r "INSERT.{" src/ --include=".py" grep -r "UPDATE.{" src/ --include=".py" grep -r "DELETE.{" src/ --include=".py"


**命令注入：**

```bash

Python - subprocess with shell=True

Python - 使用shell=True的subprocess

grep -r "subprocess.shell=True" src/ --include=".py" grep -r "os.system" src/ --include=".py" grep -r "os.popen" src/ --include=".py"

Node.js - child_process exec

grep -r "child_process.exec" src/ --include=".js" grep -r ".exec(" src/ --include="*.js"


**Path Traversal:**

```bash

grep -r "child_process.exec" src/ --include=".js" grep -r ".exec(" src/ --include="*.js"


**路径遍历：**

```bash

Unsanitized file paths

未经过滤的文件路径

grep -r "open(.request." src/ --include=".py" grep -r "os.path.join(.request." src/ --include=".py" grep -r "readFile(.req." src/ --include=".js"


**Insecure Deserialization:**

```bash

grep -r "open(.request." src/ --include=".py" grep -r "os.path.join(.request." src/ --include=".py" grep -r "readFile(.req." src/ --include=".js"


**不安全反序列化：**

```bash

Python pickle

grep -r "pickle.loads" src/ --include=".py" grep -r "cPickle.loads" src/ --include=".py"

YAML load (unsafe)

YAML加载（不安全）

grep -r "yaml.load(" src/ --include="*.py"

Node.js eval

grep -r "eval(" src/ --include="*.js"


**Cross-Site Scripting (XSS):**

```bash

grep -r "eval(" src/ --include="*.js"


**跨站脚本攻击（XSS）：**

```bash

HTML rendering without escaping

未转义的HTML渲染

grep -r ".innerHTML" src/ --include=".js" --include=".jsx" grep -r "dangerouslySetInnerHTML" src/ --include=".jsx" --include=".tsx"

Python templates without autoescape

未自动转义的Python模板

grep -r "autoescape=False" src/ --include="*.py"


**Weak Cryptography:**

```bash

grep -r "autoescape=False" src/ --include="*.py"


**弱加密：**

```bash

MD5, SHA1 usage

MD5、SHA1使用

grep -r "hashlib.md5" src/ --include=".py" grep -r "hashlib.sha1" src/ --include=".py" grep -r "crypto.createHash('md5')" src/ --include="*.js"

Weak random

弱随机数

grep -r "random.random(" src/ --include=".py" grep -r "Math.random(" src/ --include=".js"


**Deliverable:** List of insecure code patterns with file locations and severity

---

grep -r "random.random(" src/ --include=".py" grep -r "Math.random(" src/ --include=".js"


**交付物：** 包含危险代码模式的文件位置及风险等级的列表

---

4. Authentication & Authorization Issues

4. 认证与授权问题检测

Missing Authentication:

bash

undefined

缺失认证机制：

bash

undefined

Python Flask routes without auth decorators

Python Flask路由无认证装饰器

grep -r "@app.route" src/ --include="*.py" -A 1 | grep -v "@login_required" | grep -v "@auth_required"

Express routes without middleware

Express路由无中间件

grep -r "app.get|app.post" src/ --include="*.js" -A 1


**Hardcoded Credentials:**

```bash

grep -r "app.get|app.post" src/ --include="*.js" -A 1


**硬编码凭证：**

```bash

Default passwords

默认密码

grep -r "password.=.['"]admin['"]" src/ grep -r "password.=.['"]password['"]" src/ grep -r "password.=.['"]123456['"]" src/

Default tokens

默认令牌

grep -r "token.=.['"]test['"]" src/


**Session Management:**

```bash

grep -r "token.=.['"]test['"]" src/


**会话管理：**

```bash

Insecure session configuration

不安全的会话配置

grep -r "SESSION_COOKIE_SECURE.False" src/ --include=".py" grep -r "SESSION_COOKIE_HTTPONLY.False" src/ --include=".py" grep -r "SESSION_COOKIE_SAMESITE.None" src/ --include=".py"


**Deliverable:** Authentication and authorization gaps with recommendations

---

grep -r "SESSION_COOKIE_SECURE.False" src/ --include=".py" grep -r "SESSION_COOKIE_HTTPONLY.False" src/ --include=".py" grep -r "SESSION_COOKIE_SAMESITE.None" src/ --include=".py"


**交付物：** 认证与授权漏洞列表及修复建议

---

5. Static Analysis with Automated Tools

5. 自动化工具静态分析

Python - Bandit:

bash

undefined

Python - Bandit：

bash

undefined

Run bandit for Python security issues

运行Bandit检测Python安全问题

bandit -r src/ -f json -o bandit-report.json

With specific tests

指定测试级别

bandit -r src/ -f json --severity-level medium

Show only high severity

仅显示高风险问题

bandit -r src/ -ll


**Multi-language - Semgrep:**

```bash

bandit -r src/ -ll


**多语言 - Semgrep：**

```bash

Auto-detect and scan

自动检测并扫描

semgrep --config=auto . --json > semgrep-report.json

OWASP Top 10 rules

OWASP Top 10规则

semgrep --config=p/owasp-top-ten . --json

Security audit

安全审计

semgrep --config=p/security-audit . --json

Python-specific

Python专属规则

semgrep --config=p/python . --json


**JavaScript - ESLint Security:**

```bash

semgrep --config=p/python . --json


**JavaScript - ESLint Security：**

```bash

With security plugin

使用安全插件

eslint src/ --format json > eslint-report.json

With security-specific rules

使用安全专属规则

eslint src/ --plugin security --format json


**Deliverable:** Automated tool reports with findings categorized by severity

---

eslint src/ --plugin security --format json


**交付物：** 按风险等级分类的自动化工具扫描报告

---

6. Configuration Security

6. 配置安全检查

Environment Files:

bash

undefined

环境文件：

bash

undefined

Check for committed .env files

检查已提交的.env文件

find . -name ".env" -o -name ".env.*" | grep -v ".env.example"

Check .gitignore

检查.gitignore

grep -q ".env" .gitignore || echo "WARNING: .env not in .gitignore"


**Security Headers:**

```bash

grep -q ".env" .gitignore || echo "WARNING: .env not in .gitignore"


**安全头：**

```bash

Check for security header configuration

检查安全头配置

grep -r "X-Frame-Options" src/ config/ grep -r "Content-Security-Policy" src/ config/ grep -r "X-Content-Type-Options" src/ config/ grep -r "Strict-Transport-Security" src/ config/


**CORS Configuration:**

```bash

grep -r "X-Frame-Options" src/ config/ grep -r "Content-Security-Policy" src/ config/ grep -r "X-Content-Type-Options" src/ config/ grep -r "Strict-Transport-Security" src/ config/


**CORS配置：**

```bash

Overly permissive CORS

过度宽松的CORS设置

grep -r "Access-Control-Allow-Origin.*" src/ config/ grep -r "cors().origin:.*" src/ --include=".js"


**Deliverable:** Configuration security issues and recommendations

---

grep -r "Access-Control-Allow-Origin.*" src/ config/ grep -r "cors().origin:.*" src/ --include=".js"


**交付物：** 配置安全问题列表及修复建议

---

Scanning Output Format

扫描输出格式

Create a security scan report:

markdown

undefined

创建安全扫描报告：

markdown

undefined

Security Scan Report

安全扫描报告

Date: [YYYY-MM-DD] Scan Scope: [path/to/code] Scanner Version: [tool versions]

日期：[YYYY-MM-DD] 扫描范围：[path/to/code] 扫描工具版本：[工具版本]

Summary

摘要

Critical Issues: [count]
High Issues: [count]
Medium Issues: [count]
Low Issues: [count]
Informational: [count]

严重问题：[数量]
高风险问题：[数量]
中风险问题：[数量]
低风险问题：[数量]
信息提示：[数量]

Critical Issues

严重问题

[Issue Title]

[问题标题]

File: [path/to/file:line] Category: [Secret/Injection/etc.] Severity: Critical

Description: [What was found]

Evidence:

[code snippet]

Recommendation: [How to fix]

文件：[path/to/file:line] 类别：[敏感信息/注入等] 风险等级：严重

描述：[检测到的内容]

证据：

[代码片段]

修复建议：[修复方案]

High Issues

高风险问题

[Similar format]

[类似格式]

Medium Issues

中风险问题

[Similar format]

[类似格式]

Low Issues

低风险问题

[Similar format]

[类似格式]

Tool Reports

工具报告

Dependency Scan (pip-audit)

依赖项扫描（pip-audit）

Vulnerable packages: [count]
CVEs found: [list]

漏洞包数量：[数量]
检测到的CVE：[列表]

Secret Detection (gitleaks)

敏感信息检测（gitleaks）

Secrets found: [count]
Types: [API keys, passwords, etc.]

敏感信息数量：[数量]
类型：[API密钥、密码等]

Static Analysis (bandit)

静态分析（bandit）

Issues found: [count]
Most common: [issue type]

问题数量：[数量]
最常见类型：[问题类型]

Recommendations

修复建议

Immediate Actions (Critical/High)

立即处理（严重/高风险）

[Action 1]
[Action 2]

[行动1]
[行动2]

Short-term (Medium)

短期处理（中风险）

[Action 1]

[行动1]

Long-term (Low)

长期优化（低风险）

[Action 1]

[行动1]

False Positives

误报

[List any false positives to ignore in future scans]

---

[列出未来扫描可忽略的误报项]

---

Best Practices

最佳实践

Secret Scanning:

Always scan before committing code
Check git history for past secrets
Use pre-commit hooks for automated scanning
Never commit .env files
Use secret management tools (Vault, AWS Secrets Manager)

Dependency Scanning:

Scan before adding new dependencies
Keep dependencies updated
Monitor for new vulnerabilities
Use lock files (requirements.txt, package-lock.json)
Consider dependency pinning

Code Pattern Detection:

Focus on user input handling
Check all database queries
Review file operations
Validate all external inputs
Sanitize all outputs

Automated Tools:

Run multiple tools for better coverage
Configure tools with project-specific rules
Integrate into CI/CD pipeline
Review and triage findings
Track false positives

敏感信息扫描：

提交代码前务必扫描
检查Git历史记录中的过往敏感信息
使用提交前钩子实现自动化扫描
绝对不要提交.env文件
使用敏感信息管理工具（Vault、AWS Secrets Manager）

依赖项扫描：

添加新依赖项前先扫描
保持依赖项更新
监控新出现的漏洞
使用锁定文件（requirements.txt、package-lock.json）
考虑依赖项版本固定

代码模式检测：

重点关注用户输入处理
检查所有数据库查询
审核文件操作逻辑
验证所有外部输入
清理所有输出内容

自动化工具：

运行多个工具以提升覆盖范围
根据项目需求配置工具规则
集成到CI/CD流水线中
审核并分类扫描结果
跟踪误报项

Supporting Scripts

辅助脚本

Quick Scan Script (

scripts/quick-security-scan.sh

):

bash

#!/bin/bash

快速扫描脚本 (

scripts/quick-security-scan.sh

):

bash

#!/bin/bash

Quick security scan

echo "Running security scans..."

Secret detection

echo "1. Scanning for secrets..." gitleaks detect --no-git || echo "Gitleaks not available"

Dependency check

echo "2. Checking dependencies..." if [ -f requirements.txt ]; then pip-audit || echo "pip-audit not available" fi

Static analysis

echo "3. Running static analysis..." if [ -d src ]; then bandit -r src/ -ll || echo "Bandit not available" fi

echo "Scan complete!"

---

echo "3. Running static analysis..." if [ -d src ]; then bandit -r src/ -ll || echo "Bandit not available" fi

echo "Scan complete!"

---

Integration with Security Assessment

与安全评估的集成

Input: Codebase to scan Process: Automated scanning with multiple tools Output: Security scan report with findings Next Step: Vulnerability assessment for detailed analysis

输入：待扫描的代码库流程：使用多工具执行自动化扫描输出：包含扫描结果的安全扫描报告 下一步：漏洞评估以开展详细分析

Tools Installation

工具安装

Python Security Tools:

bash

pip install pip-audit safety bandit

Secret Scanners:

bash

undefined

Python安全工具：

bash

pip install pip-audit safety bandit

敏感信息扫描工具：

bash

undefined

Gitleaks (via binary release)

Gitleaks（通过二进制发布包安装）

See: https://github.com/gitleaks/gitleaks/releases

参考：https://github.com/gitleaks/gitleaks/releases

Trufflehog

pip install truffleHog


**Multi-language:**

```bash

pip install truffleHog


**多语言工具：**

```bash

Semgrep

pip install semgrep

Trivy (via binary release)

Trivy（通过二进制发布包安装）

See: https://github.com/aquasecurity/trivy/releases

参考：https://github.com/aquasecurity/trivy/releases

---

---

Scan Frequency

扫描频率

Pre-commit: Secret detection
Daily: Dependency scanning
Weekly: Full static analysis
Before PR: Complete security scan
Before release: Comprehensive assessment

提交前：敏感信息检测
每日：依赖项扫描
每周：完整静态分析
PR创建前：全面安全扫描
发布前：综合性安全评估

Remember

注意事项

Automate everything: Use tools, don't scan manually
Multiple tools: Each catches different issues
Triage findings: Not all findings are exploitable
Fix high severity first: Prioritize by risk
Track over time: Monitor security trends
Update tools: Keep scanners current
Document exceptions: Log false positives

Your goal is to identify security issues early and comprehensively through automated scanning.

自动化优先：使用工具而非手动扫描
多工具协同：不同工具可检测不同问题
结果分类：并非所有扫描结果都可被利用
优先修复高风险：按风险等级排序处理
长期跟踪：监控安全趋势
工具更新：保持扫描工具为最新版本
例外记录：记录误报项

你的目标是通过自动化扫描尽早且全面地识别安全问题。

security-scanner

Original

Translation

Security Scanner Skill

安全扫描技能

Purpose

用途

When to Use

适用场景

Scanning Workflow

扫描流程

1. Secret Detection

1. 敏感信息检测

Using grep patterns for common secrets

使用grep匹配常见敏感信息模式

AWS credentials

AWS凭证

Private keys

私钥

Database connection strings

数据库连接字符串

Gitleaks (if available)

Gitleaks（若已安装）

Trufflehog (if available)

Trufflehog（若已安装）

Git-secrets (if available)

Git-secrets（若已安装）

2. Dependency Vulnerability Scanning

2. 依赖项漏洞扫描

Using pip-audit (recommended)

使用pip-audit（推荐）

Using safety

使用safety

Check for outdated packages

检查过时包

NPM audit

NPM审计

Yarn audit

Yarn审计

Trivy (multi-language)

Trivy（多语言支持）

Check specific files

检查特定文件

3. Insecure Code Pattern Detection

3. 危险代码模式检测

Python - Look for string concatenation in SQL queries

Python - 查找SQL查询中的字符串拼接

Look for string formatting in SQL

查找SQL中的字符串格式化

Python - subprocess with shell=True

Python - 使用shell=True的subprocess

Node.js - child_process exec

Node.js - child_process exec

Unsanitized file paths

未经过滤的文件路径

Python pickle

Python pickle

YAML load (unsafe)

YAML加载（不安全）

Node.js eval

Node.js eval

HTML rendering without escaping

未转义的HTML渲染

Python templates without autoescape

未自动转义的Python模板

MD5, SHA1 usage

MD5、SHA1使用

Weak random

弱随机数

4. Authentication & Authorization Issues

4. 认证与授权问题检测

Python Flask routes without auth decorators

Python Flask路由无认证装饰器

Express routes without middleware

Express路由无中间件

Default passwords

默认密码

Default tokens

默认令牌

Insecure session configuration