Back to Details

security-scan

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

/security-scan

/security-scan

Deep security analysis of an entire codebase in a single pass.
一次性完成整个代码库的深度安全分析。

Philosophy

理念

Traditional security scanning is file-by-file. It misses cross-file vulnerabilities: data flows from user input through multiple modules to a dangerous sink. With Opus 4.6's 1M token context, we load the entire project and trace attack surfaces end-to-end.
This is NOT a replacement for dedicated SAST/DAST tools. It's a complementary analysis that catches what those tools miss: logic flaws, auth bypasses, business logic vulnerabilities, and cross-module data flow issues.
传统安全扫描是逐文件进行的,会遗漏跨文件漏洞:比如数据从用户输入流经多个模块最终到达危险的输出点。借助Opus 4.6的100万token上下文窗口,我们可以加载整个项目并端到端追踪攻击面。
本工具并非专用SAST/DAST工具的替代品。 它是一种补充分析手段,能够捕捉那些工具遗漏的问题:逻辑缺陷、权限绕过、业务逻辑漏洞以及跨模块数据流问题。

Process

流程

1. Load Full Codebase

1. 加载完整代码库

bash
undefined
bash
undefined

Estimate token count

Estimate token count

find . -name ".ts" -o -name ".tsx" -o -name ".js" -o -name ".jsx" -o -name ".py" -o -name ".go" -o -name ".rs" -o -name ".rb" |
grep -v node_modules | grep -v .next | grep -v dist | grep -v build |
xargs wc -l 2>/dev/null | tail -1

If under ~200K lines: load everything into context via full file reads.
If over: focus on the attack surface (auth, API routes, data access, user input handlers).
find . -name ".ts" -o -name ".tsx" -o -name ".js" -o -name ".jsx" -o -name ".py" -o -name ".go" -o -name ".rs" -o -name ".rb" |
grep -v node_modules | grep -v .next | grep -v dist | grep -v build |
xargs wc -l 2>/dev/null | tail -1

如果代码行数约少于20万行:通过完整读取文件将所有内容加载到上下文中。
如果超过20万行:重点关注攻击面(权限验证、API路由、数据访问、用户输入处理程序)。

2. Map Attack Surface

2. 映射攻击面

Read ALL of these file categories:
  • Entry points: API routes, webhooks, form handlers, CLI commands
  • Auth/authz: Middleware, guards, session management, JWT handling
  • Data access: Database queries, ORM models, raw SQL
  • User input: Form validation, request parsing, file uploads
  • External integrations: API clients, webhook handlers, OAuth flows
  • Secrets management: env var usage, config files, .env patterns
  • Infrastructure: Dockerfile, CI/CD workflows, deployment configs
读取以下所有类别的文件:
  • 入口点:API路由、Webhook、表单处理程序、CLI命令
  • 权限验证/授权:中间件、守卫、会话管理、JWT处理
  • 数据访问:数据库查询、ORM模型、原生SQL
  • 用户输入:表单验证、请求解析、文件上传
  • 外部集成:API客户端、Webhook处理程序、OAuth流程
  • 密钥管理:环境变量使用、配置文件、.env模式
  • 基础设施:Dockerfile、CI/CD工作流、部署配置

3. Vulnerability Analysis

3. 漏洞分析

Spawn 
security-sentinel
agent with the full diff/codebase context. Analyze for:
OWASP Top 10:
  • A01: Broken Access Control — missing auth checks, IDOR, privilege escalation
  • A02: Cryptographic Failures — weak hashing, plaintext secrets, insecure transport
  • A03: Injection — SQL, NoSQL, OS command, LDAP, XSS
  • A04: Insecure Design — business logic flaws, missing rate limiting
  • A05: Security Misconfiguration — default creds, verbose errors, open CORS
  • A06: Vulnerable Components — outdated deps with known CVEs
  • A07: Auth Failures — weak passwords, missing MFA, session issues
  • A08: Software/Data Integrity — unsigned updates, insecure deserialization
  • A09: Logging Failures — missing audit trails, sensitive data in logs
  • A10: SSRF — unvalidated URLs, internal network access
Cross-Module Analysis (unique to 1M context):
  • Trace user input from entry point through all transformations to sink
  • Identify auth bypass paths across middleware chains
  • Find data exposure through API response serialization
  • Detect race conditions in concurrent operations
  • Map trust boundary violations across service calls
启动
security-sentinel
Agent,结合完整的差异/代码库上下文进行分析。分析内容包括:
OWASP Top 10:
  • A01: 访问控制失效 — 缺少权限检查、IDOR、权限提升
  • A02: 加密机制失效 — 弱哈希、明文密钥、不安全传输
  • A03: 注入攻击 — SQL注入、NoSQL注入、操作系统命令注入、LDAP注入、XSS
  • A04: 不安全设计 — 业务逻辑缺陷、缺少速率限制
  • A05: 安全配置错误 — 默认凭据、详细错误信息、开放CORS
  • A06: 易受攻击的组件 — 存在已知CVE的过时依赖项
  • A07: 身份验证失效 — 弱密码、缺少MFA、会话问题
  • A08: 软件/数据完整性问题 — 未签名的更新、不安全的反序列化
  • A09: 日志记录失效 — 缺少审计跟踪、日志中包含敏感数据
  • A10: SSRF — 未验证的URL、内部网络访问
跨模块分析(100万token上下文独有的能力):
  • 追踪用户输入从入口点经过所有转换步骤到达输出点的完整路径
  • 识别中间件链中的权限绕过路径
  • 发现API响应序列化导致的数据泄露
  • 检测并发操作中的竞态条件
  • 映射服务调用中的信任边界违规

4. Dependency Audit

4. 依赖项审计

bash
undefined
bash
undefined

npm/pnpm

npm/pnpm

pnpm audit 2>/dev/null || npm audit 2>/dev/null
pnpm audit 2>/dev/null || npm audit 2>/dev/null

Python

Python

pip-audit 2>/dev/null || safety check 2>/dev/null
pip-audit 2>/dev/null || safety check 2>/dev/null

Go

Go

govulncheck ./... 2>/dev/null
govulncheck ./... 2>/dev/null

Rust

Rust

cargo audit 2>/dev/null
undefined
cargo audit 2>/dev/null
undefined

5. Secrets Scan

5. 密钥扫描

bash
undefined
bash
undefined

Check for hardcoded secrets

Check for hardcoded secrets

grep -rn "sk_live|sk_test|AKIA|password\s*=\s*['"]" --include=".ts" --include=".js" --include=".py" --include=".go" . | grep -v node_modules | grep -v ".env.example"
grep -rn "sk_live|sk_test|AKIA|password\s*=\s*['"]" --include=".ts" --include=".js" --include=".py" --include=".go" . | grep -v node_modules | grep -v ".env.example"

Check .env files not in .gitignore

Check .env files not in .gitignore

git ls-files --cached | grep -i ".env$" | head -5
undefined
git ls-files --cached | grep -i ".env$" | head -5
undefined

Output Format

输出格式

markdown
undefined
markdown
undefined

Security Scan: [project-name]

安全扫描报告: [项目名称]

Scope: [X files, Y lines analyzed] Effort: max Date: [timestamp]
扫描范围: [分析了X个文件,Y行代码] 分析力度: 最大 日期: [时间戳]

Critical (Immediate Fix Required)

严重(需立即修复)

  • file:line
    — [Vulnerability type] — [Description] — [Exploit path]
  • 文件:行号
    — [漏洞类型] — [描述] — [利用路径]

High (Fix Before Deploy)

高风险(部署前修复)

  • file:line
    — [Vulnerability type] — [Description]
  • 文件:行号
    — [漏洞类型] — [描述]

Medium (Fix in Sprint)

中风险(迭代中修复)

  • file:line
    — [Vulnerability type] — [Description]
  • 文件:行号
    — [漏洞类型] — [描述]

Low (Track and Fix)

低风险(跟踪并修复)

  • file:line
    — [Vulnerability type] — [Description]
  • 文件:行号
    — [漏洞类型] — [描述]

Dependency Vulnerabilities

依赖项漏洞

PackageVersionCVESeverityFix Version
包名版本CVE编号风险等级修复版本

Cross-Module Findings

跨模块发现

  • [Data flow from X through Y to Z creates injection risk]
  • [Auth middleware skipped on route A when accessed via B]
  • [数据从X流经Y到Z存在注入风险]
  • [通过路径B访问路由A时会跳过权限中间件]

Positive Observations

正面观察

  • [Good security patterns found]
  • [Well-implemented auth flows]
undefined
  • [发现良好的安全模式]
  • [权限流程实现完善]
undefined

When to Use

使用场景

  • Before any production deployment
  • After adding new API routes or auth logic
  • When integrating new external services
  • During quarterly security reviews
  • After dependency updates
  • 任何生产环境部署之前
  • 添加新API路由或权限逻辑之后
  • 集成新外部服务时
  • 季度安全审查期间
  • 依赖项更新之后

Related

相关工具

  • /check-quality
    — Includes lightweight security scan
  • /review-branch
    — security-sentinel is mandatory reviewer
  • /billing-security
    — Payment-specific security patterns
  • /check-quality
    — 包含轻量级安全扫描
  • /review-branch
    — security-sentinel为强制审查者
  • /billing-security
    — 支付场景专用安全模式