security-scanning

Security Scanning

Automate vulnerability detection in code and dependencies.

Dependency Scanning

JavaScript (npm)

# Run audit (npm audit exits non-zero when it finds vulnerabilities, so do not
# let that exit status abort a `set -e` script before the check below runs)
npm audit --json > security-audit.json || true

# Check severity counts from the saved report instead of re-running the audit
CRITICAL=$(jq '.metadata.vulnerabilities.critical' security-audit.json)
HIGH=$(jq '.metadata.vulnerabilities.high' security-audit.json)

if [ "$CRITICAL" -gt 0 ] || [ "$HIGH" -gt 0 ]; then
  echo "🚨 $CRITICAL critical, $HIGH high vulnerabilities"
fi

# Auto-fix (applies only semver-compatible upgrades; review the lockfile diff)
npm audit fix

Python (pip-audit)

# pip-audit also exits non-zero when it finds vulnerabilities
pip-audit --format=json > security-audit.json || true

# Using safety (`safety check` is the older command; Safety 3.x replaces it with `safety scan`)
safety check --json > security-audit.json

Static Analysis (SAST)

Semgrep

# Run with security rules
semgrep --config=auto --json > semgrep-results.json

# Count findings
CRITICAL=$(jq '[.results[] | select(.extra.severity == "ERROR")] | length' semgrep-results.json)

Bandit (Python)

bandit -r . -f json -o bandit-report.json

HIGH=$(jq '[.results[] | select(.issue_severity == "HIGH")] | length' bandit-report.json)

Secret Detection

# TruffleHog (writes one JSON object per line, not a single JSON array)
trufflehog git file://. --json > secrets-scan.json

# Gitleaks (no report file is written unless --report-path is given)
gitleaks detect --source . --report-format json --report-path gitleaks-report.json

# Check results (slurp the newline-delimited objects into an array before counting)
SECRET_COUNT=$(jq -s 'length' secrets-scan.json)
if [ "$SECRET_COUNT" -gt 0 ]; then
  echo "🚨 $SECRET_COUNT secrets detected!"
fi
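Counting findings correctly depends on the output shape: TruffleHog emits newline-delimited JSON while Gitleaks writes a JSON array, and the two tools often flag the same location. The following Python is an added example, not part of the skill; the sample reports are constructed for it (field names follow the tools' JSON output, values are invented), and it reports locations and counts only, never the matched secret values.

```python
import json

# Constructed sample TruffleHog output: one JSON object per line (NDJSON),
# with a trailing newline at the end of the file.
TRUFFLEHOG_NDJSON = "\n".join([
    json.dumps({"DetectorName": "AWS", "Verified": True,
                "SourceMetadata": {"Data": {"Git": {"file": "config/prod.env", "line": 3}}}}),
    json.dumps({"DetectorName": "Slack", "Verified": False,
                "SourceMetadata": {"Data": {"Git": {"file": "README.md", "line": 41}}}}),
    "",
])

# Constructed sample Gitleaks report: a single JSON array of findings.
GITLEAKS_JSON = json.dumps([
    {"RuleID": "aws-access-token", "File": "config/prod.env", "StartLine": 3},
    {"RuleID": "generic-api-key", "File": "src/client.py", "StartLine": 17},
])


def parse_trufflehog(text):
    """Parse TruffleHog --json output line by line; blank lines are skipped.

    json.loads() on the whole file would fail, which is why `jq '. | length'`
    is the wrong way to count these findings.
    """
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            findings.append(json.loads(line))
    return findings


def parse_gitleaks(text):
    """Parse a Gitleaks JSON report; an empty report yields an empty list."""
    text = text.strip()
    return json.loads(text) if text else []


def summarize_secrets(trufflehog_text, gitleaks_text):
    """Merge both reports by (file, line) so a finding both tools report counts once.

    Returns total distinct locations, how many TruffleHog verified as live,
    and how many were flagged by both tools.
    """
    locations = {}
    for f in parse_trufflehog(trufflehog_text):
        git = f.get("SourceMetadata", {}).get("Data", {}).get("Git", {})
        key = (git.get("file"), git.get("line"))
        entry = locations.setdefault(key, {"tools": set(), "verified": False})
        entry["tools"].add("trufflehog")
        entry["verified"] = entry["verified"] or bool(f.get("Verified"))
    for f in parse_gitleaks(gitleaks_text):
        key = (f.get("File"), f.get("StartLine"))
        entry = locations.setdefault(key, {"tools": set(), "verified": False})
        entry["tools"].add("gitleaks")
    return {
        "total": len(locations),
        "verified": sum(1 for e in locations.values() if e["verified"]),
        "both_tools": sum(1 for e in locations.values() if len(e["tools"]) == 2),
    }


if __name__ == "__main__":
    summary = summarize_secrets(TRUFFLEHOG_NDJSON, GITLEAKS_JSON)
    print(summary)  # {'total': 3, 'verified': 1, 'both_tools': 1}
    if summary["total"] > 0:
        raise SystemExit(1)  # block, matching the shell check above
```

In a real pipeline the two strings would be read from secrets-scan.json and gitleaks-report.json; the verified count is the one worth paging someone for, since TruffleHog has confirmed the credential is live.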

Container Scanning

# Trivy
trivy image myapp:latest --format json > trivy-scan.json

CRITICAL=$(jq '[.Results[].Vulnerabilities[]? | select(.Severity == "CRITICAL")] | length' trivy-scan.json)

Pre-commit Hooks (2026 Best Practice)

Shift-left security by catching issues before commit:

# .pre-commit-config.yaml
repos:
  # Secret detection - MUST HAVE
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.18.0
    hooks:
      - id: gitleaks

  # Python security
  - repo: https://github.com/PyCQA/bandit
    rev: 1.7.7
    hooks:
      - id: bandit
        args: ["-c", "pyproject.toml", "-r", "."]
        exclude: ^tests/

  # Semgrep for SAST
  - repo: https://github.com/semgrep/semgrep
    rev: v1.52.0
    hooks:
      - id: semgrep
        args: ["--config", "auto", "--error"]

  # Detect AWS credentials, private keys
  - repo: https://github.com/Yelp/detect-secrets
    rev: v1.4.0
    hooks:
      - id: detect-secrets
        args: ["--baseline", ".secrets.baseline"]

# Install and setup
pip install pre-commit
pre-commit install

# Run on all files (first time)
pre-commit run --all-files

# Update hooks to latest versions
pre-commit autoupdate

Baseline for detect-secrets (ignore false positives):

# Generate baseline
detect-secrets scan > .secrets.baseline

# Audit false positives
detect-secrets audit .secrets.baseline

CI Integration

# GitHub Actions (the runner's shell uses `set -e`, so an npm audit that finds
# vulnerabilities would fail the step before the threshold check runs)
- name: Security scan
  run: |
    npm audit --json > audit.json || true
    CRITICAL=$(jq '.metadata.vulnerabilities.critical' audit.json)
    if [ "$CRITICAL" -gt 0 ]; then
      echo "::error::Critical vulnerabilities found"
      exit 1
    fi

Escalation Thresholds

| Severity | Threshold | Action  |
|----------|-----------|---------|
| Critical | Any       | BLOCK   |
| High     | > 5       | BLOCK   |
| Moderate | > 20      | WARNING |
| Low      | > 50      | WARNING |
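The escalation table applied to the report formats the commands on this page produce (npm audit, Semgrep, Bandit, Trivy), so one threshold check can sit behind all four scanners. This is an added Python example, not code from the skill; the mapping of Semgrep's ERROR/WARNING/INFO and Bandit's HIGH/MEDIUM/LOW labels onto the table's buckets is an assumption made here, Trivy's UNKNOWN severity is deliberately not counted, and every sample report below is constructed.

```python
import json

# Escalation thresholds from the table: a count strictly greater than the limit
# triggers the action ("Any" for Critical is a limit of 0).
THRESHOLDS = [
    ("critical", 0, "BLOCK"),
    ("high", 5, "BLOCK"),
    ("moderate", 20, "WARNING"),
    ("low", 50, "WARNING"),
]
SEVERITIES = ("critical", "high", "moderate", "low")

# Each tool's severity labels mapped onto the table's four buckets. The Semgrep and
# Bandit mappings are assumptions for this example; Trivy's UNKNOWN is not counted.
SEVERITY_MAP = {
    "semgrep": {"ERROR": "high", "WARNING": "moderate", "INFO": "low"},
    "bandit": {"HIGH": "high", "MEDIUM": "moderate", "LOW": "low"},
    "trivy": {"CRITICAL": "critical", "HIGH": "high", "MEDIUM": "moderate", "LOW": "low"},
}


def normalize(tool, report):
    """Reduce a parsed JSON report to {critical, high, moderate, low} counts."""
    counts = {s: 0 for s in SEVERITIES}
    if tool == "npm":
        # npm audit --json keeps totals under metadata.vulnerabilities
        meta = report.get("metadata", {}).get("vulnerabilities", {})
        for s in SEVERITIES:
            counts[s] = int(meta.get(s, 0))
        return counts
    if tool == "semgrep":
        labels = (r.get("extra", {}).get("severity") for r in report.get("results", []))
    elif tool == "bandit":
        labels = (r.get("issue_severity") for r in report.get("results", []))
    elif tool == "trivy":
        # Results[].Vulnerabilities is absent for a target with no findings
        labels = (v.get("Severity")
                  for res in report.get("Results") or []
                  for v in res.get("Vulnerabilities") or [])
    else:
        raise ValueError(f"unsupported tool: {tool}")
    for label in labels:
        bucket = SEVERITY_MAP[tool].get(label)
        if bucket:
            counts[bucket] += 1
    return counts


def evaluate(counts):
    """Apply THRESHOLDS; BLOCK outranks WARNING, PASS means nothing triggered."""
    action, reasons = "PASS", []
    for severity, limit, verdict in THRESHOLDS:
        if counts.get(severity, 0) > limit:
            reasons.append(f"{severity}={counts[severity]} > {limit} -> {verdict}")
            if verdict == "BLOCK":
                action = "BLOCK"
            elif action == "PASS":
                action = "WARNING"
    return action, reasons


def verdict_for(tool, report_text):
    """Parse a report file's text and return (action, counts, reasons)."""
    counts = normalize(tool, json.loads(report_text))
    action, reasons = evaluate(counts)
    return action, counts, reasons


# Constructed sample reports: shapes follow each tool's JSON output, values are invented.
SAMPLE_REPORTS = {
    "npm": json.dumps({"metadata": {"vulnerabilities": {
        "info": 0, "low": 12, "moderate": 3, "high": 6, "critical": 0}}}),
    "semgrep": json.dumps({"results": [
        {"check_id": "example.rule-1", "extra": {"severity": "ERROR"}},
        {"check_id": "example.rule-2", "extra": {"severity": "WARNING"}}]}),
    "bandit": json.dumps({"results": [
        {"issue_severity": "HIGH"}, {"issue_severity": "LOW"}, {"issue_severity": "LOW"}]}),
    "trivy": json.dumps({"Results": [
        {"Target": "myapp:latest (alpine)", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-EXAMPLE-1", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-EXAMPLE-2", "Severity": "MEDIUM"},
            {"VulnerabilityID": "CVE-EXAMPLE-3", "Severity": "UNKNOWN"}]},
        {"Target": "app/requirements.txt"}]}),
}

if __name__ == "__main__":
    for tool, text in SAMPLE_REPORTS.items():
        action, counts, reasons = verdict_for(tool, text)
        print(f"{tool:8} {action:8} {counts} {'; '.join(reasons)}")
```

With these samples npm (6 high) and Trivy (1 critical) come out BLOCK while Semgrep and Bandit pass; in CI, exit non-zero on BLOCK and emit a warning annotation on WARNING, which is the same split the GitHub Actions step below applies to critical counts only.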

Evidence Recording

context.quality_evidence.security_scan = {
  executed: true,
  tool: 'npm audit',
  critical: 2,
  high: 5,
  moderate: 10,
  timestamp: new Date().toISOString()
};

Key Decisions

| Decision            | Recommendation               |
|---------------------|------------------------------|
| JS dependencies     | npm audit                    |
| Python dependencies | pip-audit                    |
| Code analysis       | Semgrep                      |
| Secrets             | TruffleHog or Gitleaks       |
| Pre-commit          | gitleaks + detect-secrets    |
| Shift-left          | Always use pre-commit hooks  |

Common Mistakes

  • Ignoring audit warnings
  • No CI integration
  • Not blocking on critical
  • Missing secret scanning

Related Skills

  • owasp-top-10 - Vulnerability context
  • devops-deployment - CI/CD integration
  • code-review-playbook - Review process

Capability Details

dependency-scanning

Keywords: npm audit, pip-audit, dependency, vulnerability

Solves:

  • Scan npm dependencies
  • Audit Python packages
  • Find vulnerable dependencies

secret-detection

Keywords: secret, credential, api key, trufflehog, gitleaks

Solves:

  • Detect secrets in code
  • Scan for API keys
  • Find exposed credentials

api-security-audit

Keywords: api, audit, security, example

Solves:

  • API security audit example
  • Security review checklist
  • Real audit walkthrough

audit-template

Keywords: template, audit, report, security

Solves:

  • Security audit template
  • Audit report structure
  • Copy-paste audit format

Weekly Installs: 4
GitHub Stars: 90
First Seen: Jan 21, 2026
Installed on: claude-code (3), opencode (2), antigravity (2), gemini-cli (2), windsurf (1), trae (1)