Security Lint & Threat Detector

When to use this skill

• User asks to scan code for security issues
• User mentions OWASP vulnerabilities
• User wants to find leaked credentials or secrets
• User asks about XSS, SQL injection, or CSRF risks
• User wants to audit code before deployment

Workflow

• Identify files to scan (changed or full codebase)
• Run automated security scanners
• Perform pattern-based detection
• Categorize findings by severity
• Provide remediation suggestions
• Generate security report

Instructions

Step 1: Identify Scan Scope

For changed files:

git diff --cached --name-only --diff-filter=ACMR | grep -E '\.(js|jsx|ts|tsx|py|rb|php|java|go)$'

For full codebase:

find src -type f \( -name "*.ts" -o -name "*.tsx" -o -name "*.js" -o -name "*.jsx" \)

Step 2: Run Security Scanners

JavaScript/TypeScript — npm audit:

npm audit --json

JavaScript/TypeScript — Snyk (if available):

npx snyk test --json

ESLint security plugin:

npx eslint --plugin security --rule 'security/*: error' <files>

Semgrep (multi-language):

npx @semgrep/semgrep --config=auto --json .

Gitleaks (secrets detection):

gitleaks detect --source . --report-format json

Step 3: Pattern-Based Detection

Scan for these high-risk patterns:

Credential Leakage

Pattern	Risk	Regex
API keys	Critical	['"]?(api[_-]?key|apikey)['"]?\s*[:=]\s*['"][a-zA-Z0-9]{16,}['"]
AWS keys	Critical	AKIA[0-9A-Z]{16}
Private keys	Critical	-----BEGIN (RSA|DSA|EC|OPENSSH) PRIVATE KEY-----
Passwords	High	['"]?(password|passwd|pwd)['"]?\s*[:=]\s*['"][^'"]{4,}['"]
Tokens	High	['"]?(token|secret|auth)['"]?\s*[:=]\s*['"][a-zA-Z0-9_-]{20,}['"]
Connection strings	High	(mongodb|postgres|mysql):\/\/[^:]+:[^@]+@

grep -rn --include="*.{ts,js,tsx,jsx,json,env}" -E "AKIA[0-9A-Z]{16}" .
grep -rn --include="*.{ts,js,tsx,jsx}" -E "(api[_-]?key|apikey)\s*[:=]\s*['\"][^'\"]{16,}['\"]" .

Unsafe Code Patterns

Pattern	Risk	Detection
eval()	Critical	Direct code execution
dangerouslySetInnerHTML	High	XSS vulnerability in React
v-html	High	XSS vulnerability in Vue
innerHTML assignment	High	DOM-based XSS
document.write	High	DOM manipulation risk
new Function()	High	Dynamic code execution
child_process.exec	High	Command injection risk
sql + string concat	Critical	SQL injection
http:// URLs	Medium	Insecure transport

grep -rn --include="*.{ts,js,tsx,jsx}" -E "\beval\s*\(" .
grep -rn --include="*.tsx" "dangerouslySetInnerHTML" .
grep -rn --include="*.vue" "v-html" .
grep -rn --include="*.{ts,js}" -E "\.exec\s*\(.*\$\{" .

OWASP Top 10 Checks

OWASP	Vulnerability	What to look for
A01	Broken Access Control	Missing auth checks, direct object refs
A02	Cryptographic Failures	Weak algorithms (MD5, SHA1), hardcoded keys
A03	Injection	SQL/NoSQL/Command injection patterns
A04	Insecure Design	Missing rate limiting, no input validation
A05	Security Misconfiguration	CORS *, debug modes, default creds
A06	Vulnerable Components	Outdated dependencies
A07	Auth Failures	Weak password rules, session issues
A08	Data Integrity	Unsafe deserialization, unverified updates
A09	Logging Failures	Sensitive data in logs, missing audit
A10	SSRF	Unvalidated URL fetches

Step 4: Categorize Findings

Severity levels:

Level	Examples	Action
Critical	Exposed secrets, RCE, SQL injection	Block deployment
High	XSS, CSRF, auth bypass	Fix before merge
Medium	Insecure cookies, weak crypto	Fix in sprint
Low	Info disclosure, best practices	Track for later

Step 5: Generate Report

Format findings clearly:

## Security Scan Report

### Critical (2)

#### 1. Hardcoded API Key

- **File**: src/api/client.ts:42
- **Pattern**: `apiKey = "sk_live_..."`
- **Risk**: Credential exposure in source control
- **Fix**: Move to environment variable

```typescript
// Before
const apiKey = "sk_live_abc123...";

// After
const apiKey = process.env.API_KEY;
```

2. SQL Injection Risk

• File: src/db/users.ts:23
• Pattern: String concatenation in query
• Risk: SQL injection allows data theft
• Fix: Use parameterized queries

// Before
db.query(`SELECT * FROM users WHERE id = ${userId}`);

// After
db.query("SELECT * FROM users WHERE id = $1", [userId]);

High (1)

1. XSS via dangerouslySetInnerHTML

• File: src/components/Article.tsx:15
• Risk: User content rendered as HTML
• Fix: Sanitize with DOMPurify

import DOMPurify from "dompurify";
<div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(content) }} />;

Summary

Severity	Count
Critical	2
High	1
Medium	3
Low	5

## Common Remediation Patterns

**Environment variables for secrets:**
```typescript
// Use dotenv or platform env
const secret = process.env.SECRET_KEY;
if (!secret) throw new Error('SECRET_KEY required');

Parameterized queries:

// Prisma (safe by default)
await prisma.user.findUnique({ where: { id: userId } });

// Raw SQL with parameters
await db.query("SELECT * FROM users WHERE id = $1", [userId]);

XSS prevention:

// React - avoid dangerouslySetInnerHTML
// If needed, sanitize first
import DOMPurify from "dompurify";
const clean = DOMPurify.sanitize(userContent);

CSRF protection:

// Use CSRF tokens in forms
<input type="hidden" name="_csrf" value={csrfToken} />

// Validate on server
if (req.body._csrf !== req.session.csrfToken) {
  throw new Error('CSRF validation failed');
}

Secure headers:

// Next.js next.config.js
const securityHeaders = [
  { key: "X-Content-Type-Options", value: "nosniff" },
  { key: "X-Frame-Options", value: "DENY" },
  { key: "X-XSS-Protection", value: "1; mode=block" },
  {
    key: "Strict-Transport-Security",
    value: "max-age=31536000; includeSubDomains",
  },
];

Validation

Before completing:

• All critical issues addressed
• High severity issues have remediation plan
• No secrets in committed code
• Dependencies updated for known CVEs
• Security headers configured

Error Handling

• Scanner not installed: Run npm install -g <tool> or use npx.
• Too many results: Filter by severity or scope to changed files.
• False positives: Review context before reporting; exclude test fixtures.
• Unsure about severity: Default to higher severity; security errs on caution.

Resources

• OWASP Top 10
• OWASP Cheat Sheet Series
• Semgrep Rules
• Snyk Vulnerability DB