# Security Scanner (`security-scanner`)

Advanced security vulnerability detection and remediation for codebases.
## Quick Commands

```sh
# Quick security scan
npx @j0kz/security-scanner scan

# Check for secrets
npx secretlint "**/*"

# Dependency vulnerability check and fix (known CVEs in npm packages)
npm audit fix

# Static analysis: run ESLint with eslint-plugin-security enabled in your ESLint config
# (the plugin is not a CLI of its own)
npx eslint .
```
## Core Functionality

### Key Features

- OWASP Top 10 Detection: SQL injection, XSS, CSRF, etc.
- Secret Scanning: API keys, passwords, tokens
- Dependency Vulnerabilities: known CVEs in dependencies
- Code Patterns: insecure coding practices
- Compliance Checking: GDPR, PCI-DSS, HIPAA patterns
## Detailed Information

For comprehensive details, see:

```sh
cat .claude/skills/security-scanner/references/owasp-patterns.md
cat .claude/skills/security-scanner/references/secret-detection.md
cat .claude/skills/security-scanner/references/remediation-guide.md
```
## Usage Examples

### Example 1: Full Security Audit

```javascript
import { SecurityScanner } from '@j0kz/security-scanner';

// Configure the scanner (ES module, so top-level await is available)
const scanner = new SecurityScanner({
  severity: 'high',
  includeDevDependencies: false
});

// Scan the source tree and report how many vulnerabilities were found
const results = await scanner.scan('./src');
console.log(`Found ${results.vulnerabilities.length} vulnerabilities`);
```

### Example 2: Pre-commit Hook

```sh
#!/bin/sh
# .husky/pre-commit
# Scan only the staged files and block the commit on high-severity findings
npx @j0kz/security-scanner scan --staged --fail-on-high
```
## Security Patterns Detected

- SQL Injection risks
- Cross-Site Scripting (XSS)
- Command Injection
- Path Traversal
- Sensitive Data Exposure
- XML External Entity (XXE)
- Broken Authentication
- Security Misconfiguration
- Using Components with Known Vulnerabilities
- Insufficient Logging
## Configuration

```json
{
  "security-scanner": {
    "rules": {
      "no-eval": "error",
      "no-implied-eval": "error",
      "no-hardcoded-secrets": "error",
      "sql-injection": "error"
    },
    "exclude": ["test/**", "*.test.js"],
    "secretPatterns": [
      "api[_-]?key",
      "secret",
      "password",
      "token"
    ]
  }
}
```
## Notes

- Integrates with GitHub Security Advisories
- Supports custom rule definitions
- Can generate security reports in SARIF format
- Zero false positives mode available
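The configuration section lists the settings but not how a scanner applies them, and the notes mention SARIF output without showing its shape. As an added example (not code from @j0kz/security-scanner or the j0kz/mcp-agents project), the script below shows one way to interpret those settings: `secretPatterns` as case-insensitive regex fragments that must sit on an assignment of a quoted string literal, `exclude` as globs tested against the file path, and the level of the `no-hardcoded-secrets` rule carried into a SARIF 2.1.0 log. The glob translation, the literal-only matching rule, the placeholder filter, the `PLACEHOLDER` and `mask` helpers and the sample files are all assumptions of this example; the real scanner's semantics may differ.

```javascript
// Added example, not code from @j0kz/security-scanner: a minimal secret scanner
// that honours the "secretPatterns", "exclude" and "rules" settings from the
// configuration above and writes its findings as a SARIF 2.1.0 log. It runs over
// in-memory files, so every path and file body below is constructed sample data.

const config = {
  rules: { 'no-hardcoded-secrets': 'error' },
  exclude: ['test/**', '*.test.js'],
  secretPatterns: ['api[_-]?key', 'secret', 'password', 'token'],
};

const RULE_ID = 'no-hardcoded-secrets';

// Translate a glob into a RegExp. Assumption: only "*" (stays within one path
// segment) and "**" (any depth) are needed, which covers the config above.
function globToRegExp(glob) {
  const source = glob
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*\*\//g, '(?:.*/)?')
    .replace(/\*\*/g, '.*')
    .replace(/\*/g, '[^/]*');
  return new RegExp('^' + source + '$');
}

function isExcluded(file, excludes = config.exclude) {
  return excludes.some((glob) => globToRegExp(glob).test(file));
}

// Each configured pattern is a case-insensitive fragment that must be followed
// (optionally after a closing quote, as in JSON keys) by "=" or ":" and a quoted
// literal of 8+ non-space characters. Env-var lookups and function calls are
// therefore not matched: only literals can be hardcoded secrets.
function buildMatchers(patterns = config.secretPatterns) {
  return patterns.map((p) => ({
    name: p,
    re: new RegExp('(?:' + p + ')\\w*[\'"]?\\s*[:=]\\s*[\'"]([^\'"\\s]{8,})[\'"]', 'i'),
  }));
}

// Heuristic (assumption): obvious placeholder values are not real secrets.
const PLACEHOLDER = /^(?:x+|\*+|<[^>]*>|your[_-]|changeme|example|redacted)/i;

// Never reproduce the matched value in the report; keep a short prefix only.
function mask(value) {
  return value.slice(0, 4) + '*'.repeat(Math.max(value.length - 4, 0));
}

function scanFile(file, content, matchers = buildMatchers()) {
  const findings = [];
  if (isExcluded(file)) return findings;
  content.split('\n').forEach((text, i) => {
    for (const m of matchers) {
      const hit = m.re.exec(text);
      if (!hit || PLACEHOLDER.test(hit[1])) continue;
      findings.push({
        file, line: i + 1, pattern: m.name, preview: mask(hit[1]),
        level: config.rules[RULE_ID] || 'warning',
      });
      break; // one finding per line avoids duplicate reports for overlapping patterns
    }
  });
  return findings;
}

function scanFiles(files) {
  return Object.entries(files).flatMap(([file, content]) => scanFile(file, content));
}

// Minimal SARIF 2.1.0 log: one tool driver, one rule, one result per finding.
function toSarif(findings) {
  return {
    $schema: 'https://json.schemastore.org/sarif-2.1.0.json',
    version: '2.1.0',
    runs: [{
      tool: {
        driver: {
          name: 'example-secret-scanner',
          rules: [{ id: RULE_ID, shortDescription: { text: 'Hardcoded secret in source' } }],
        },
      },
      results: findings.map((f) => ({
        ruleId: RULE_ID,
        level: f.level,
        message: { text: `Possible hardcoded secret matching /${f.pattern}/ (value starts with ${f.preview})` },
        locations: [{
          physicalLocation: { artifactLocation: { uri: f.file }, region: { startLine: f.line } },
        }],
      })),
    }],
  };
}

// Constructed sample repository: no real files and no real credentials.
const SAMPLE_FILES = {
  'src/payments.js': [
    "const API_KEY = 'sk_live_0123456789abcdef';",   // quoted literal: flagged
    'const DB_PASSWORD = process.env.DB_PASSWORD;',  // env lookup: not flagged
    "const token = 'your_token_here';",              // placeholder: not flagged
  ].join('\n'),
  'config/app.json': '{ "client_secret": "s3cr3t-value-9876" }', // flagged
  'test/fixtures.js': "const apiKey = 'fixture-key-00000000';",   // excluded by test/**
  'auth.test.js': "const password = 'hunter2hunter2hunter2';",    // excluded by *.test.js
};

function runSample() {
  return toSarif(scanFiles(SAMPLE_FILES));
}

console.log(JSON.stringify(runSample(), null, 2));
```

Run it with `node` and feed the JSON to any SARIF consumer (GitHub code scanning accepts this format). Because the message carries only a masked prefix, the report itself does not leak the secret it found, which matters when scan output lands in CI logs.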