From bitwarden-security-engineer
This skill should be used when the user asks to "triage security findings", "fix a Checkmarx finding", "review SonarCloud results", "dismiss a false positive", "check code scanning alerts", or needs to work with GitHub Advanced Security alerts, scanner annotations on PRs, or Grype vulnerability results.
`npx claudepluginhub bitwarden/ai-plugins --plugin bitwarden-security-engineer`
This skill uses the workspace's default tool permissions.
Bitwarden uses three scanners, all triggered by the `scan.yml` GitHub Actions workflow in each repository:
- Checkmarx One: SAST (static analysis) and IaC (infrastructure as code) scanning. Dedicated cloud tenant named "bitwarden". Results upload to GitHub Advanced Security as SARIF and post as PR annotations. Checkmarx understands branch differences, so PR results show only what changed. Access the Checkmarx web app at the AST WebApp (tenant: "bitwarden") or via the Workspace Directory.
- SonarCloud: quality and security hotspot scanning. Free public cloud offering (not licensed for private repos). Uses quality profiles and quality gates to customize results. Posts PR annotations; results also propagate to GitHub's security section. Configured via the `sonar-config` input: `default`, `dotnet`, or `maven`.
- Grype: container image and filesystem vulnerability scanner, CVE-focused. Used for supply chain and dependency vulnerability detection.
Use these `gh api` commands to query and manage security findings (`{owner}`, `{repo}` and `{branch}` are filled in by `gh` from the current repository; `{alert_number}` is yours to substitute):

```bash
# List all open code scanning alerts
# (--paginate: the API returns 30 alerts per page; without state=open, dismissed alerts are included)
gh api --paginate "/repos/{owner}/{repo}/code-scanning/alerts?state=open" \
  --jq '.[] | {number, state, rule: .rule.id, severity: .rule.security_severity_level, path: .most_recent_instance.location.path}'

# Get details for a specific alert
gh api /repos/{owner}/{repo}/code-scanning/alerts/{alert_number}

# Filter alerts by path (useful for file-specific triage)
gh api "/repos/{owner}/{repo}/code-scanning/alerts?ref={branch}&state=open" \
  --jq '.[] | select(.most_recent_instance.location.path | startswith("src/Api"))'

# Filter by tool (separate Checkmarx from SonarCloud results)
# tool_name must match the tool name recorded in the uploaded SARIF exactly
gh api "/repos/{owner}/{repo}/code-scanning/alerts?tool_name=Checkmarx&state=open"
gh api "/repos/{owner}/{repo}/code-scanning/alerts?tool_name=SonarQube&state=open"

# Dismiss an alert as false positive
# dismissed_reason must be one of "false positive", "won't fix", "used in tests";
# dismissed_comment is capped at 280 characters and should carry the rationale
gh api -X PATCH /repos/{owner}/{repo}/code-scanning/alerts/{alert_number} \
  -f state=dismissed \
  -f dismissed_reason="false positive" \
  -f dismissed_comment="Rationale for dismissal"

# Dismiss as won't fix
gh api -X PATCH /repos/{owner}/{repo}/code-scanning/alerts/{alert_number} \
  -f state=dismissed \
  -f dismissed_reason="won't fix" \
  -f dismissed_comment="Rationale"

# List open Dependabot alerts
gh api --paginate "/repos/{owner}/{repo}/dependabot/alerts?state=open" \
  --jq '.[] | {number, state, severity: .security_vulnerability.severity, package: .security_vulnerability.package.name, ecosystem: .security_vulnerability.package.ecosystem}'

# Get specific alert details
gh api /repos/{owner}/{repo}/dependabot/alerts/{alert_number}

# List secret scanning alerts
gh api --paginate /repos/{owner}/{repo}/secret-scanning/alerts \
  --jq '.[] | {number, state, secret_type, created_at}'
```
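The commands above are the raw API calls; a triage session usually treats the alert list as data. The following is an added example written for this page, not the skill's own code or Bitwarden's: it parses what `gh api --paginate` prints (one JSON array per page, concatenated), reports the exact tool names present so `tool_name=` filters are not guessed, orders open alerts by security severity (SonarCloud quality issues carry none and sort last), and refuses to build a dismissal without a `dismissed_reason` GitHub accepts and a non-empty rationale. The sample alerts, file paths and the repository name are constructed.

```python
"""Triage helper over GitHub code-scanning alert JSON (added example, not project code)."""
import json
import subprocess
from collections import Counter

# dismissed_reason values the GitHub code-scanning API accepts, and its comment cap.
DISMISSED_REASONS = {"false positive", "won't fix", "used in tests"}
MAX_COMMENT_LEN = 280

# Rank used to order alerts; rules without a security severity (quality issues) get 0.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed sample in the shape of GET /repos/{owner}/{repo}/code-scanning/alerts,
# trimmed to the fields used here. Not real alerts from any Bitwarden repository.
SAMPLE_ALERTS_JSON = json.dumps([
    {"number": 17, "state": "open",
     "rule": {"id": "Sql_Injection", "security_severity_level": "high"},
     "tool": {"name": "Checkmarx"},
     "most_recent_instance": {"location": {"path": "src/Api/Controllers/OrgController.cs"}}},
    {"number": 18, "state": "open",
     "rule": {"id": "csharpsquid:S2068", "security_severity_level": None},
     "tool": {"name": "SonarQube"},
     "most_recent_instance": {"location": {"path": "test/Core.Test/Fixtures.cs"}}},
    {"number": 19, "state": "dismissed",
     "rule": {"id": "Path_Traversal", "security_severity_level": "critical"},
     "tool": {"name": "Checkmarx"},
     "most_recent_instance": {"location": {"path": "src/Api/Utilities/FileHelper.cs"}}},
    {"number": 20, "state": "open",
     "rule": {"id": "Hardcoded_Password", "security_severity_level": "critical"},
     "tool": {"name": "Checkmarx"},
     "most_recent_instance": {"location": {"path": "src/Api/Startup.cs"}}},
])


def load_alerts(raw_json):
    """Parse `gh api --paginate` output: one JSON array per page, back to back."""
    decoder = json.JSONDecoder()
    alerts, pos = [], 0
    while True:
        while pos < len(raw_json) and raw_json[pos].isspace():
            pos += 1
        if pos >= len(raw_json):
            return alerts
        page, pos = decoder.raw_decode(raw_json, pos)
        alerts.extend(page)


def tool_names(alerts):
    """Count alerts per SARIF tool name; use these exact strings in tool_name= filters."""
    return Counter(a["tool"]["name"] for a in alerts)


def triage_queue(alerts, path_prefix=None, tool=None):
    """Open alerts, optionally limited to a path prefix and a tool, highest severity first."""
    selected = [a for a in alerts if a["state"] == "open"]
    if path_prefix is not None:
        selected = [a for a in selected
                    if a["most_recent_instance"]["location"]["path"].startswith(path_prefix)]
    if tool is not None:
        selected = [a for a in selected if a["tool"]["name"] == tool]
    # Missing severity sorts last; ties keep ascending alert number.
    return sorted(selected, key=lambda a: (
        -SEVERITY_RANK.get(a["rule"]["security_severity_level"] or "", 0), a["number"]))


def build_dismiss_command(owner_repo, alert_number, reason, comment):
    """Build the `gh api` argv for a dismissal; refuse anything the API or policy rejects."""
    if reason not in DISMISSED_REASONS:
        raise ValueError(f"dismissed_reason must be one of {sorted(DISMISSED_REASONS)}")
    comment = comment.strip()
    if not comment:
        raise ValueError("a dismissal rationale is required")
    if len(comment) > MAX_COMMENT_LEN:
        raise ValueError(f"dismissed_comment exceeds {MAX_COMMENT_LEN} characters")
    return ["gh", "api", "-X", "PATCH",
            f"/repos/{owner_repo}/code-scanning/alerts/{alert_number}",
            "-f", "state=dismissed",
            "-f", f"dismissed_reason={reason}",
            "-f", f"dismissed_comment={comment}"]


def dismiss(owner_repo, alert_number, reason, comment, dry_run=True):
    """Dismiss an alert through gh; with dry_run the command is returned, not executed."""
    cmd = build_dismiss_command(owner_repo, alert_number, reason, comment)
    if not dry_run:
        subprocess.run(cmd, check=True)
    return cmd


if __name__ == "__main__":
    alerts = load_alerts(SAMPLE_ALERTS_JSON)
    print("tools:", dict(tool_names(alerts)))
    for a in triage_queue(alerts, path_prefix="src/Api"):
        print(a["number"], a["rule"]["security_severity_level"], a["rule"]["id"])
    print(dismiss("example-org/example-repo", 17, "false positive", "Input validated upstream"))
```

Run it with real data by piping `gh api --paginate ... code-scanning/alerts` output into `load_alerts`; keep `dry_run=True` until the printed command matches the dismissal you intend, since the PATCH is not reversible from the CLI without a second PATCH setting `state=open`.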
These are the states available in Checkmarx for managing findings. Getting the state right matters — it affects whether the finding reappears in future scans.
| State | When to Use | Effect |
|---|---|---|
| Not Exploitable | CERTAIN there is no potential risk at ANY point in the product's lifecycle | Finding stops appearing in subsequent scans |
| Proposed Not Exploitable | Suspected false positive, needs team verification | Flags for review; requires manager approval for promotion |
| Confirmed | Vulnerability poses a real risk to be addressed during development | Tracked as known issue |
| Urgent | Acute risk requiring immediate attention | Escalated priority |
SonarCloud categorizes findings as issues (code quality and bugs) and security hotspots (code that needs manual security review).
Before dismissing any finding, follow this decision tree:
If any step is uncertain, mark as Proposed Not Exploitable rather than Not Exploitable.
Common remediation patterns by vulnerability type:
| Vulnerability | Wrong | Right |
|---|---|---|
| SQL Injection | String concatenation in queries | Parameterized queries / stored procedures |
| XSS | Raw interpolation in HTML | Output encoding / framework auto-escaping |
| Path Traversal | Direct use of user-supplied paths | Canonicalize + validate against allowed base path |
| SSRF | Direct use of user-supplied URLs | Allowlist of permitted hosts/schemes |
| Insecure Deserialization | Deserializing untrusted input with type info | Use safe serializers, avoid TypeNameHandling.All |
| Hardcoded Secrets | Credentials in source code | Environment variables / Azure Key Vault |
| XXE | Default XML parser settings | Disable DTD processing and external entities |
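The table states the fixes in .NET terms. The following added example (written for this page, not the project's code) shows the SQL Injection and Path Traversal rows as a vulnerable function beside its hardened form in Python, run against a constructed in-memory table and a temporary directory so the difference is observable: the tautology payload returns every row through concatenation and nothing through a bound parameter, and `../secret.txt` is readable through the naive join but rejected after canonicalization.

```python
"""Vulnerable-beside-fixed for two remediation rows (added example, not project code)."""
import os
import sqlite3
import tempfile


def _demo_db():
    """Constructed in-memory table standing in for a real users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice@example.com", "admin"), (2, "bob@example.com", "user")])
    return conn


# SQL Injection, wrong: the input is spliced into the statement text.
def find_user_ids_vulnerable(conn, email):
    return [row[0] for row in
            conn.execute("SELECT id FROM users WHERE email = '" + email + "'")]


# SQL Injection, right: the input travels as a bound parameter and is never parsed as SQL.
def find_user_ids_safe(conn, email):
    return [row[0] for row in
            conn.execute("SELECT id FROM users WHERE email = ?", (email,))]


# Path Traversal, wrong: the user-supplied name is joined and opened as-is, so
# "../secret.txt" or an absolute name escapes the attachments directory.
def read_attachment_vulnerable(base_dir, name):
    with open(os.path.join(base_dir, name), "rb") as f:
        return f.read()


# Path Traversal, right: canonicalize both sides (resolving "..", symlinks and absolute
# names) and require the target to lie under the allowed base. commonpath rather than
# startswith, so a sibling directory such as "<base>-other" does not pass the check.
def read_attachment_safe(base_dir, name):
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"{name!r} resolves outside {base}")
    with open(target, "rb") as f:
        return f.read()


def demo():
    """Run both pairs against constructed data and return what each variant produced."""
    conn = _demo_db()
    payload = "x' OR '1'='1"   # classic tautology; matches no real email address

    root = tempfile.mkdtemp()
    attachments = os.path.join(root, "attachments")   # the only directory we may serve
    os.mkdir(attachments)
    with open(os.path.join(attachments, "report.txt"), "w") as f:
        f.write("report")
    secret = os.path.join(root, "secret.txt")         # one level above the allowed base
    with open(secret, "w") as f:
        f.write("secret")

    def blocked(name):
        try:
            read_attachment_safe(attachments, name)
            return False
        except PermissionError:
            return True

    return {
        "injection_ids": find_user_ids_vulnerable(conn, payload),    # every user: [1, 2]
        "parameterized_ids": find_user_ids_safe(conn, payload),      # no match: []
        "vulnerable_read": read_attachment_vulnerable(attachments, "../secret.txt"),  # b"secret"
        "traversal_blocked": blocked("../secret.txt"),               # True
        "absolute_blocked": blocked(secret),                         # True
        "legitimate_read": read_attachment_safe(attachments, "report.txt"),           # b"report"
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The same shape applies to the other rows: the fix moves untrusted input out of the position where it is interpreted (statement text, filesystem path, URL, type name) and into a position where it is only data, then validates against an allowlist derived from the application, not from the input.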
- `upload-sarif: false` passed to the Checkmarx reusable workflow disables the SARIF upload to GitHub Advanced Security.
- Remove the `quality` job from `scan.yml` entirely for private repos, since SonarCloud is not licensed for them.