Skills
skills/florianbuetow/claude-code/pasta-vulns

pasta-vulns

SKILL.md

PASTA Stage 5: Vulnerability Analysis

Identify specific weaknesses in code and configuration that could be exploited by Stage 4 threats. This is the core code analysis stage of PASTA. Map each finding to CWE identifiers and correlate with the threat catalog.

Supported Flags

Read ../../shared/schemas/flags.md for the full flag specification. Key behaviors:

Flag Stage 5 Behavior
--scope Default changed. Analyzes source code, configs, and infrastructure files.
--depth quick Scanners + grep patterns only, no manual code review.
--depth standard Full code read, local data-flow analysis, CWE mapping.
--depth deep Standard + cross-file taint analysis, entry-to-sink tracing, dependency CVE scan.
--depth expert Deep + exploitability scoring, proof-of-concept path assessment.
--severity Filter output by severity.
--fix Generate fix suggestions for each vulnerability found.

Framework Context

Read ../../shared/frameworks/pasta.md, Stage 5 section. PASTA is SEQUENTIAL. Stage 5 consumes Stages 1-4 output and feeds Stage 6.

Prerequisites

Required: Stage 4 output -- threat catalog with MITRE ATT&CK mappings and threat-to-component mapping. Also needs: entry points (Stage 2), components and trust boundaries (Stage 3), business-critical assets (Stage 1). If unavailable, warn and assume.

Workflow

Step 1: Determine Scope

Parse --scope flag (default: changed). Filter to code and config file types. Prioritize files in components targeted by Stage 4 threats.

Step 2: Check for Scanners

Scanner Detect Coverage
semgrep which semgrep Injection, auth, crypto, SSRF, XSS
bandit which bandit Python: injection, crypto, subprocess
gosec which gosec Go: injection, crypto, file handling
brakeman which brakeman Rails: injection, XSS, mass assignment
npm audit which npm Node.js dependency vulnerabilities
trivy which trivy Container and dependency vulnerabilities
gitleaks which gitleaks Secrets and credentials in code

Step 3: Run Scanners

Run available scanners, normalize output to ../../shared/schemas/findings.md.

Step 4: Manual Code Analysis

  1. Trace data flows: User input from entry points through components to sinks.
  2. Check sanitization: Validation, encoding, parameterization between source and sink.
  3. Review auth/authz: Authentication enforcement and authorization consistency.
  4. Check crypto: Secure algorithms, key management, TLS enforcement.
  5. Review configs: Default credentials, debug modes, security headers.
  6. Check secrets: Hardcoded credentials, API keys, tokens in source.

Step 5: Correlate with Threats

Map each vulnerability to Stage 4 threat(s) it enables: which actor exploits it, which ATT&CK technique it supports, which business asset it endangers.

Step 6: Assess Exploitability

Evaluate: attack complexity, prerequisite access, mitigating controls, and chaining potential with other vulnerabilities.

Analysis Checklist

  1. Are parameterized queries used everywhere, or are there dynamic query paths?
  2. Are there deserialization points accepting untrusted input?
  3. Do all endpoints enforce authentication and authorization?
  4. Are secrets hardcoded or in configuration files within the repository?
  5. Are input validation and output encoding applied consistently?
  6. Are cryptographic algorithms and key lengths secure and current?
  7. Are dependencies up to date with no known CVEs?
  8. Are security headers configured (CSP, HSTS, X-Frame-Options)?

Output Format

Stage 5 produces a Vulnerability Inventory with CWE Mappings. ID prefix: PASTA (e.g., PASTA-001).

Each finding includes: id, title, severity, location (file, line, function, snippet), description, impact, fix, and references (CWE, MITRE ATT&CK, OWASP).

## PASTA Stage 5: Vulnerability Analysis

### Vulnerability Inventory
| ID | Vulnerability | CWE | Severity | Component | Enables Threat |
|----|--------------|-----|----------|-----------|---------------|
| PASTA-001 | SQL injection in search | CWE-89 | Critical | C-02 API | T-01 |
| PASTA-002 | Missing auth on export | CWE-862 | High | C-04 Admin | T-03 |

### Vulnerability-Threat Correlation
| Vulnerability | Threats Enabled | Complexity | Existing Controls |
|--------------|----------------|------------|-------------------|
| PASTA-001 | T-01, T-05 | Low | None |

### Scanner Coverage
| Scanner | Status | Findings |
|---------|--------|----------|
| semgrep | Available / Not found | N findings |

Findings follow ../../shared/schemas/findings.md with:

  • references.cwe: CWE identifier, references.mitre_attck: linked technique, references.owasp: OWASP category
  • metadata.tool: "pasta-vulns", metadata.framework: "pasta", metadata.category: "Stage-5"

Next Stage

Stage 6: Attack Simulation (pasta-attack-sim). Pass the Vulnerability Inventory and threat correlations. Stage 6 constructs exploit chains and scores each attack scenario by exploitability and impact.

Weekly Installs
7
Repository
florianbuetow/c…ude-code
GitHub Stars
6
First Seen
Feb 28, 2026
Security Audits
Gen Agent Trust HubPass
SocketPass
SnykFail
Installed on
mcpjam7
claude-code7
replit7
junie7
windsurf7
zencoder7