security-scanner

SKILL.md

Security Scanner

Overview

This skill performs a security audit on the current project using Trivy (if available) or a lightweight internal scanner. It detects vulnerabilities, secrets, and dangerous patterns.

Capabilities

1. Advanced Scan (via Trivy)

If trivy is on PATH, this skill delegates the audit to it:

  • Vulnerabilities (SCA): Resolves dependencies from lock and manifest files (package-lock.json, go.mod, requirements.txt, etc.) and checks them against known CVEs.
  • Misconfigurations (IaC): Scans Dockerfiles, Terraform, and Kubernetes manifests for security best practices.
  • Secret Scanning: Deep inspection for leaked API keys and tokens.
  • License Compliance: Checks for license risks in dependencies.

2. Lightweight Scan (Fallback)

If trivy is missing, it falls back to a fast, pattern-based internal scanner. Pattern matching is heuristic: expect some false positives, and treat a clean fallback scan as weaker evidence than a Trivy run.

  • Secret Detection: AWS keys, GitHub tokens, generic secrets.
  • Dangerous Code: eval(), dangerouslySetInnerHTML, command injection risks.
  • PII Leakage Audit: Flags log statements that appear to write sensitive fields (e-mail addresses and other PII) to application logs, following common SRE logging guidance.

Usage

Run the scanner from the root of your project.

node dist/index.js

Configuration

  • Trivy: Uses default settings.
  • Internal Scanner:
    • Proprietary Patterns: Automatically checks knowledge/confidential/skills/security-scanner/ for internal regex rules. These rules are prioritized over general ones to detect company-specific security risks.
    • General Patterns: Uses knowledge/security/scan-patterns.yaml.

Knowledge Protocol

  • This skill adheres to knowledge/orchestration/knowledge-protocol.md. It integrates the Public, Confidential (Company/Client), and Personal knowledge tiers, prioritizing the most specific rules while ensuring no confidential content leaks into public outputs.

Governance Alignment

  • This skill aligns with IPA non-functional standards and FISC security guidelines to ensure enterprise-grade compliance.
Weekly installs: 16. GitHub stars: 1. First seen: Feb 13, 2026. Installed on: cursor (16), claude-code (16), replit (16), mcpjam (15), openhands (15), zencoder (15).