Vulnerability Scanning
SKILL.md
Vulnerability Scanning
Purpose
Automate the detection of known vulnerabilities in dependencies and code using security scanning tools, triage findings, and prioritize remediation based on risk and exploitability.
When to Use
- Before deploying to production
- During CI/CD pipeline execution
- Regular security audits (weekly/monthly)
- After updating dependencies
- Investigating security alerts
Key Capabilities
- Dependency Scanning - Identify vulnerable packages and libraries
- SAST/DAST Execution - Run static and dynamic analysis tools
- Issue Triage - Categorize and prioritize security findings
Approach
-
Select Appropriate Tools
- Dependency scanners: npm audit, pip-audit, Snyk, OWASP Dependency-Check
- SAST (Static): Bandit (Python), ESLint security, Semgrep, SonarQube
- DAST (Dynamic): OWASP ZAP, Burp Suite
- Secret detection: GitGuardian, TruffleHog
-
Run Scans
- Execute during CI/CD pipeline
- Scan both application code and dependencies
- Include container image scanning if applicable
- Check for exposed secrets
-
Parse and Triage Results
- Critical: Remote code execution, authentication bypass
- High: SQL injection, XSS, sensitive data exposure
- Medium: Information disclosure, denial of service
- Low: Security misconfigurations, minor issues
-
Assess Exploitability
- Is vulnerable code actually used in the application?
- Is the attack vector applicable to your architecture?
- Are there compensating controls?
- What's the CVSS score?
-
Prioritize Remediation
- Fix critical vulnerabilities immediately
- Plan high-priority fixes in current sprint
- Schedule medium-priority fixes in backlog
- Accept or document low-priority findings
Example
Context: Scanning a Node.js application
Dependency Scan:
# Run npm audit
npm audit --json > audit-results.json
# Run Snyk scan
snyk test --json > snyk-results.json
Sample Results:
{
"vulnerabilities": {
"express": {
"severity": "high",
"via": ["qs"],
"cve": "CVE-2022-24999",
"description": "express accepts malformed URLs, leading to DoS",
"fixAvailable": {
"version": "4.18.2"
}
},
"jsonwebtoken": {
"severity": "critical",
"cve": "CVE-2022-23529",
"description": "JWT signature verification bypass",
"fixAvailable": {
"version": "9.0.0"
}
},
"lodash": {
"severity": "medium",
"cve": "CVE-2021-23337",
"description": "Prototype pollution",
"fixAvailable": {
"version": "4.17.21"
}
}
}
}
SAST Scan (Semgrep):
# Run Semgrep with security rules
semgrep --config=auto --json src/ > semgrep-results.json
Sample SAST Findings:
Finding 1: SQL Injection Risk
File: src/api/users.js:45
Code: db.query(`SELECT * FROM users WHERE id=${userId}`)
Severity: Critical
CWE: CWE-89
Finding 2: Hardcoded Secret
File: src/config/database.js:12
Code: const password = "P@ssw0rd123";
Severity: Critical
CWE: CWE-798
Finding 3: Missing Input Validation
File: src/api/uploads.js:28
Code: fs.writeFileSync(req.body.filename, data)
Severity: High
CWE: CWE-22 (Path Traversal)
Triage Analysis:
| Finding | Severity | Exploitable? | Priority | Action |
|---|---|---|---|---|
| JWT bypass (CVE-2022-23529) | Critical | Yes | P0 | Update to 9.0.0 immediately |
| Hardcoded password | Critical | Yes | P0 | Move to env var, rotate credentials |
| SQL injection in users.js | Critical | Yes | P0 | Use parameterized queries |
| Path traversal in uploads | High | Yes | P1 | Validate and sanitize filenames |
| Express DoS (CVE-2022-24999) | High | Partial | P2 | Update to 4.18.2, have rate limiting |
| Lodash prototype pollution | Medium | No | P3 | Not exploitable in our usage, update when convenient |
Remediation Report:
# Security Scan Report - 2025-01-10
## Critical Issues (Fix Immediately)
1. **JWT Signature Bypass (CVE-2022-23529)**
- Package: jsonwebtoken@8.5.1
- Fix: Upgrade to 9.0.0
- Command: `npm install jsonwebtoken@9.0.0`
- Status: ā³ In Progress
2. **Hardcoded Database Password**
- File: src/config/database.js:12
- Fix: Move to environment variable
- Action: Create .env.example, update code
- Status: ā³ In Progress
3. **SQL Injection - User Lookup**
- File: src/api/users.js:45
- Fix: Use parameterized queries
- Action: Replace string concatenation with prepared statement
- Status: ā³ In Progress
## High Priority (Fix This Sprint)
4. **Path Traversal - File Upload**
- File: src/api/uploads.js:28
- Fix: Validate filename, use path.basename()
- Status: š Planned
5. **Express DoS Vulnerability**
- Package: express@4.17.1
- Fix: Update to 4.18.2
- Status: š Planned
## Medium Priority (Backlog)
6. **Lodash Prototype Pollution**
- Package: lodash@4.17.20
- Fix: Update to 4.17.21
- Risk: Low (not exploitable in our usage)
- Status: š Documented
## Summary
- Total findings: 6
- Critical: 3 (all actionable)
- High: 2 (all actionable)
- Medium: 1 (accepted risk)
Expected Result:
- All vulnerabilities identified and categorized
- Exploitability assessed for each finding
- Clear remediation plan with priorities
- Tracking status for each issue
Best Practices
- ā Run scans in CI/CD pipeline on every commit
- ā Fail builds for critical vulnerabilities
- ā Scan both dependencies and application code
- ā Keep scanner tools updated
- ā Assess false positives (not all findings are exploitable)
- ā Document accepted risks with justification
- ā Track remediation progress
- ā Set up alerts for new CVEs in your dependencies
- ā Scan container images if using Docker
- ā Include license compliance checks
- ā Avoid: Ignoring low-severity findings (they can become critical)
- ā Avoid: Scanning only on release (scan continuously)
- ā Avoid: Updating dependencies blindly without testing
- ā Avoid: Dismissing findings without investigation