performing-security-testing
SKILL.md
Security Test Scanner
Overview
Automate security vulnerability detection covering OWASP Top 10 categories including SQL injection, XSS, CSRF, broken authentication, and sensitive data exposure. Combines static analysis (source code scanning with Semgrep, Bandit, ESLint security plugins) with dynamic testing patterns (input fuzzing, header validation, authentication bypass checks).
Prerequisites
- Static analysis tools installed (Semgrep, ESLint with
eslint-plugin-security, Bandit for Python, or SpotBugs for Java) - Application running in a test environment (never scan production without explicit authorization)
- Written authorization to perform security testing on the target system
npm audit,pip-audit, ortrivyfor dependency vulnerability scanning- OWASP ZAP or Burp Suite for dynamic application security testing (optional)
Instructions
- Run dependency vulnerability scanning to identify known CVEs:
- Execute
npm audit --jsonorpip-audit --format jsonortrivy fs .. - Parse results and flag critical/high severity vulnerabilities.
- Check if vulnerable dependencies have available patches.
- Execute
- Perform static application security testing (SAST) on source code:
- Run Semgrep with OWASP rulesets:
semgrep --config=p/owasp-top-ten. - Execute language-specific scanners (Bandit for Python, ESLint security for JS).
- Scan for hardcoded secrets using
gitleaksortrufflehog.
- Run Semgrep with OWASP rulesets:
- Analyze code for injection vulnerabilities:
- Search for string concatenation in SQL queries (use Grep for patterns like
"SELECT.*" +). - Identify unsanitized user input flowing into
innerHTML,eval(), orexec(). - Check for command injection via
child_process.exec()oros.system()with user input.
- Search for string concatenation in SQL queries (use Grep for patterns like
- Validate authentication and authorization:
- Verify password hashing uses bcrypt, scrypt, or Argon2 (not MD5/SHA1).
- Check JWT token validation includes expiration, issuer, and audience claims.
- Ensure authorization checks exist on every protected endpoint.
- Test for common web vulnerabilities:
- CSRF: Verify anti-CSRF tokens on state-changing endpoints.
- CORS: Check
Access-Control-Allow-Originis not set to*on authenticated endpoints. - Security headers: Validate presence of
Content-Security-Policy,X-Frame-Options,Strict-Transport-Security.
- Generate a prioritized findings report with:
- CVSS score for each vulnerability.
- Affected file, line number, and code snippet.
- Specific remediation steps with code examples.
- Create regression tests for each finding to prevent reintroduction.
Output
- Security scan report in Markdown with findings sorted by severity
- Dependency vulnerability list with CVE IDs and available patches
- SAST findings with file paths, line numbers, and code context
- Remediation checklist with specific code fixes for each finding
- Security regression test file to prevent reintroduction of fixed vulnerabilities
Error Handling
| Error | Cause | Solution |
|---|---|---|
| False positive on SQL injection | ORM parameterized queries flagged as concatenation | Add Semgrep nosemgrep comments on verified safe patterns; tune rules to recognize the ORM |
| Secret scanner flags test fixtures | Test files contain example API keys or tokens | Add test directories to .gitleaksignore; use obviously fake values like test-key-000 |
| Dependency audit returns hundreds of results | Transitive dependencies with low-severity issues | Filter to direct dependencies first; focus on critical/high only; use npm audit --omit=dev |
| Scanner cannot reach application | Application not running or port mismatch | Start the application before dynamic scans; verify the base URL and port configuration |
| Rate limiting blocks scan | Too many requests from the scanner | Configure scan throttling; use authenticated sessions with higher rate limits |
Examples
Semgrep scan for OWASP Top 10:
semgrep --config=p/owasp-top-ten --json --output=security-results.json .
Checking for hardcoded secrets:
gitleaks detect --source=. --report-format=json --report-path=secrets-report.json
Security regression test (Jest):
describe('Security: XSS Prevention', () => {
it('escapes HTML entities in user-generated content', () => {
const input = '<script>alert("xss")</script>';
const rendered = renderUserComment(input);
expect(rendered).not.toContain('<script>');
expect(rendered).toContain('<script>');
});
it('rejects SQL injection in search parameter', async () => {
const response = await request(app)
.get('/api/search?q=\'; DROP TABLE users; --')
.expect(200); # HTTP 200 OK
expect(response.body.results).toBeDefined();
// Verify users table still exists
const users = await db.query('SELECT count(*) FROM users');
expect(users.rows[0].count).toBeGreaterThan(0);
});
});
Resources
- OWASP Top 10: https://owasp.org/www-project-top-ten/
- Semgrep rules registry: https://semgrep.dev/explore
- Bandit (Python SAST): https://bandit.readthedocs.io/
- Gitleaks secret detection: https://github.com/gitleaks/gitleaks
- npm audit documentation: https://docs.npmjs.com/cli/commands/npm-audit
- OWASP ASVS (Application Security Verification Standard): https://owasp.org/www-project-application-security-verification-standard/
Weekly Installs
19
Repository
jeremylongshore…s-skillsGitHub Stars
1.6K
First Seen
Feb 1, 2026
Security Audits
Installed on
opencode17
antigravity17
claude-code17
codex17
mcpjam16
gemini-cli16