Install: `npx claudepluginhub bordenet/superpowers-plus --plugin superpowers-plus`

This skill uses the workspace's default tool permissions.
> **Purpose:** Systematic security scan of any git repository across four categories.
Mandates invoking relevant skills via tools before any response in coding sessions. Covers access, priorities, and adaptations for Claude Code, Copilot CLI, Gemini CLI.
Last Updated: 2026-03-18
Wrong skill? Public repo IP leakage → `public-repo-ip-audit`. Wiki secrets → `wiki-secret-audit`. Dependency upgrades → `security-upgrade`.
Run a comprehensive security scan on a git repo without creating ad-hoc scripts. This skill orchestrates four scan categories using tools already available on the system.
**Key principle:** Use existing tools and skills. Never create custom scanning scripts in `/tmp/` or anywhere else.
Identify the repo's stack by checking for manifest files:
| File | Stack | Audit Tool |
|---|---|---|
package.json | Node.js | npm audit |
requirements.txt / pyproject.toml | Python | pip-audit |
go.mod | Go | govulncheck |
Cargo.toml | Rust | cargo audit |
pubspec.yaml | Flutter/Dart | flutter pub outdated |
```bash
# Auto-detect the stack: run from the repo root
for f in package.json requirements.txt pyproject.toml go.mod Cargo.toml pubspec.yaml; do
  [ -f "$f" ] && echo "DETECTED: $f"
done
```
Use patterns from `_shared/secret-detection.md`. Scan tracked files only (not untracked):

```bash
# High-confidence token patterns in tracked files (-l lists matching paths only)
git ls-files -z | xargs -0 grep -lE \
  '(sk-[a-zA-Z0-9]{20,}|ghp_[a-zA-Z0-9]{36}|AKIA[A-Z0-9]{16}|xox[bpsar]-[a-zA-Z0-9-]+|glpat-[a-zA-Z0-9-]+)' \
  2>/dev/null | grep -v 'node_modules/\|venv/'
# Do not add '\.git' to the exclusion: .git/ is never tracked, and the pattern
# would also hide .github/workflows/*, where CI secrets are often committed.

# Hardcoded secret assignments (filter out test files and examples)
git ls-files -z | xargs -0 grep -lE \
  '(api[_-]?key|secret[_-]?key|password|private[_-]?key)\s*[:=]\s*["'"'"'][^"'"'"']{8,}' \
  2>/dev/null | grep -v 'node_modules/\|venv/\|test\|spec\|\.example\|\.sample\|\.md$'

# Committed .env files: .env, .env.local, .env.production, but not .env.example
# (note that any .env.e* name is skipped by this rule)
git ls-files | grep -iE '\.env$|\.env\.[^e]'

# Private key and keystore files
git ls-files | grep -iE '\.(pem|key|p12|pfx|jks)$'
```
**False positive filtering:** Matches in test files, `.example` files, and documentation are expected. Review each match to determine whether it is a real secret or a placeholder.
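The token regexes above plus the two triage rules the skill describes in prose (placeholder values are expected noise; known test fixtures belong on a per-repo allowlist), as an added example rather than code from the skill itself. The allowlist file name `.secret-scan-allowlist`, the `SCAN_ALLOWLIST` variable, the placeholder regex and every sample "secret" below are this example's own constructions:

```bash
#!/usr/bin/env bash
# Added example (not part of the superpowers-plus skill): the skill's token
# regexes applied to files, with two triage layers on top: drop matches whose
# value is an obvious placeholder, and skip paths listed in a per-repo
# allowlist of known test fixtures. The allowlist file name
# .secret-scan-allowlist and the SCAN_ALLOWLIST variable are assumptions.
set -u

# High-confidence token shapes, copied from the skill's grep.
TOKEN_RE='(sk-[a-zA-Z0-9]{20,}|ghp_[a-zA-Z0-9]{36}|AKIA[A-Z0-9]{16}|xox[bpsar]-[a-zA-Z0-9-]+|glpat-[a-zA-Z0-9-]+)'
# Values that look like documentation placeholders rather than live credentials.
# The filter sees "path:lineno:text", so a path such as .env.example is dropped
# as well, matching the skill's note that .example matches are expected.
PLACEHOLDER_RE='(x{6,}|\.\.\.|<[^>]+>|example|changeme|placeholder|redacted)'

# scan_files FILE... -> one "path:lineno:text" line per credible match
scan_files() {
  local allow="${SCAN_ALLOWLIST:-.secret-scan-allowlist}" f
  for f in "$@"; do
    [ -f "$f" ] || continue
    # Exact-path allowlist: known fixtures with dummy secrets are skipped whole.
    if [ -f "$allow" ] && grep -qxF -- "$f" "$allow"; then continue; fi
    grep -nHE -- "$TOKEN_RE" "$f" 2>/dev/null | grep -viE -- "$PLACEHOLDER_RE" || true
  done
}

# count_hits FILE... -> number of credible matches across the given files
count_hits() { scan_files "$@" | wc -l | tr -d ' '; }

# scan_tracked -> scan every git-tracked file (untracked files are ignored,
# as the skill requires); run it from inside the repository.
scan_tracked() {
  git ls-files | while IFS= read -r path; do scan_files "$path"; done
}

# make_fixture_repo -> writes a constructed sample tree to a temp dir and
# prints its path; every "secret" below is synthetic.
make_fixture_repo() {
  local d
  d=$(mktemp -d)
  mkdir -p "$d/src" "$d/tests" "$d/docs"
  # AWS key id shape with no placeholder marker: should be reported.
  printf 'AWS_ACCESS_KEY_ID = "AKIA0123456789ABCDEF"\n' > "$d/src/config.py"
  # Placeholder in a sample env file: dropped by PLACEHOLDER_RE.
  printf 'SLACK_TOKEN=xoxb-changeme-000000\n' > "$d/.env.example"
  # Run of x's in docs: dropped by PLACEHOLDER_RE.
  printf 'export OPENAI_API_KEY=sk-xxxxxxxxxxxxxxxxxxxxxxxx\n' > "$d/docs/README.md"
  # Dummy GitHub token in a test fixture: matches, but the allowlist skips it.
  printf 'GH_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"\n' > "$d/tests/fixtures.py"
  printf 'tests/fixtures.py\n' > "$d/.secret-scan-allowlist"
  printf '%s\n' "$d"
}
```

Run from a repo root, `scan_tracked` reports one line per credible hit; on the constructed tree, only `src/config.py` survives the two filters, and clearing the allowlist (`SCAN_ALLOWLIST=/nonexistent`) brings the fixture token back, which is the behaviour an allowlist should have: explicit, per path, and easy to audit.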
**REQUIRED SUB-SKILL:** Use `superpowers:security-upgrade` for this phase. It covers discovery, scanning, upgrading, validation, and the commit workflow for all supported package managers.

Quick scan commands (from security-upgrade):

```bash
# npm (built-in, no install needed): print the severity counts
npm audit --json 2>/dev/null | python3 -c "import sys,json; d=json.load(sys.stdin); print(d.get('metadata',{}).get('vulnerabilities',{}))" 2>/dev/null

# Python (install: pip install pip-audit)
pip-audit -r requirements.txt 2>&1

# Go (install: go install golang.org/x/vuln/cmd/govulncheck@latest)
govulncheck ./... 2>&1

# Rust (install: cargo install cargo-audit)
cargo audit 2>&1
```

**If scanning only (not upgrading):** Run the quick scan commands above. If CVEs are found and you need to upgrade, switch to the full `security-upgrade` skill workflow.
Scan tracked source files for dangerous patterns:
```bash
# Dangerous function calls (Python, JS, Shell)
git ls-files -z '*.py' '*.js' '*.ts' '*.sh' 2>/dev/null | xargs -0 grep -nE \
  '(eval\(|exec\(|pickle\.loads|subprocess\.call.*shell=True|os\.system\(|yaml\.load\([^,]*\)$|innerHTML\s*=|document\.write\(|child_process\.exec\()' \
  2>/dev/null | grep -v 'node_modules\|venv\|__pycache__'

# SQL injection risks (string interpolation in queries)
git ls-files -z '*.py' '*.js' '*.ts' 2>/dev/null | xargs -0 grep -nE \
  '(f".*SELECT|f".*INSERT|f".*UPDATE|f".*DELETE|\.format\(.*SELECT|query\(.*\+)' \
  2>/dev/null | grep -v 'node_modules\|venv\|test'
```

**Triage:** Not every match is exploitable. `innerHTML` in a static site with no user input is low-risk. `eval()` in a test helper may be acceptable. Document the finding and assess context.
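The two regexes above run over a constructed sample tree, with each hit labelled by class and by triage tier, as an added example that is not the skill's own code. Test and fixture paths are kept and marked `review` instead of being dropped by `grep -v test`, so the `eval()` in a test helper stays on the record for the triage step. The class and tier names, the sample files and the `count_tier` helper are this example's own:

```bash
#!/usr/bin/env bash
# Added example (not the skill's own code): the skill's dangerous-pattern and
# SQL-interpolation regexes, run over files, with each hit labelled by class
# and by a triage tier. Test paths are reported as "review" rather than
# filtered out. The class and tier names are this example's own.
set -u

DANGEROUS_RE='(eval\(|exec\(|pickle\.loads|subprocess\.call.*shell=True|os\.system\(|yaml\.load\([^,]*\)$|innerHTML\s*=|document\.write\(|child_process\.exec\()'
SQLI_RE='(f".*SELECT|f".*INSERT|f".*UPDATE|f".*DELETE|\.format\(.*SELECT|query\(.*\+)'

# classify TEXT -> coarse vulnerability class for a matched source line
classify() {
  case "$1" in
    *pickle.loads*|*yaml.load*)                    echo deserialization ;;
    *shell=True*|*os.system*|*child_process.exec*) echo shell-injection ;;
    *innerHTML*|*document.write*)                  echo dom-xss ;;
    *'eval('*|*'exec('*)                           echo code-exec ;;
    *)                                             echo sqli ;;
  esac
}

# triage PATH -> "review" for test code, "action" for everything else
triage() {
  case "$1" in
    *test*|*spec*|*fixture*) echo review ;;
    *)                       echo action ;;
  esac
}

# scan_dangerous FILE... -> "path:lineno:class:tier:text" per hit
# (paths are assumed not to contain ':' so the fields stay cut-able)
scan_dangerous() {
  local f
  for f in "$@"; do
    [ -f "$f" ] || continue
    grep -nE -- "$DANGEROUS_RE|$SQLI_RE" "$f" 2>/dev/null | while IFS= read -r hit; do
      lineno=${hit%%:*}
      text=${hit#*:}
      printf '%s:%s:%s:%s:%s\n' "$f" "$lineno" "$(classify "$text")" "$(triage "$f")" "$text"
    done
  done
}

# count_tier TIER FILE... -> number of hits in that tier
count_tier() {
  local tier=$1; shift
  scan_dangerous "$@" | cut -d: -f4 | grep -cx -- "$tier" || true
}

# make_sample_tree -> constructed sample sources in a temp dir; prints the path.
# handlers.py line 9 is deliberately missed: the skill's yaml.load regex is
# anchored on a closing ')' at end of line, so a trailing comment defeats it.
make_sample_tree() {
  local d
  d=$(mktemp -d)
  mkdir -p "$d/app" "$d/tests" "$d/web"
  cat > "$d/app/handlers.py" <<'EOF'
import subprocess, yaml
def run(cmd):
    subprocess.call(cmd, shell=True)
def load(path):
    return yaml.load(open(path))
def load_safe(path):
    return yaml.load(open(path), Loader=yaml.SafeLoader)
def load_missed(path):
    return yaml.load(open(path))  # trailing comment defeats the $ anchor
EOF
  cat > "$d/app/db.py" <<'EOF'
def find_user(cur, name):
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")
def find_user_safe(cur, name):
    cur.execute("SELECT * FROM users WHERE name = %s", (name,))
EOF
  cat > "$d/tests/test_parser.py" <<'EOF'
def test_eval_helper():
    assert eval("1 + 1") == 2
EOF
  printf 'el.innerHTML = "<b>static banner</b>";\n' > "$d/web/widget.js"
  printf '%s\n' "$d"
}
```

On the sample tree the scan yields four `action` hits (the `shell=True` call, the unsafe `yaml.load`, the f-string `SELECT`, and the `innerHTML` assignment) and one `review` hit (the `eval()` in `tests/`); the parameterised query and the `SafeLoader` call produce nothing, and the `yaml.load` with a trailing comment slips past the regex, which is the kind of gap to keep in mind when a grep-based pass comes back clean.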
```bash
# Missing .gitignore entries (check for common sensitive patterns)
# This is a textual check: a line such as "!.env" or ".env.example" also
# satisfies it. To confirm a rule actually applies, use: git check-ignore -q .env
if [ -f .gitignore ]; then
  for pattern in ".env" "*.pem" "*.key" ".DS_Store"; do
    grep -qF "$pattern" .gitignore || echo "MISSING: $pattern not in .gitignore"
  done
else
  echo "WARNING: No .gitignore file exists"
fi

# Stack-specific .gitignore checks
[ -f package.json ] && ! grep -q "node_modules" .gitignore 2>/dev/null && echo "MISSING: node_modules"
[ -f requirements.txt ] && ! grep -q "__pycache__" .gitignore 2>/dev/null && echo "MISSING: __pycache__"
[ -f requirements.txt ] && ! grep -q "venv" .gitignore 2>/dev/null && echo "MISSING: venv"

# Debug mode in production configs
git ls-files -z 2>/dev/null | xargs -0 grep -lE \
  '(DEBUG\s*=\s*True|debug:\s*true|"debug":\s*true)' \
  2>/dev/null | grep -v 'test\|spec\|\.md$'
```
For each finding:

- Missing ignore rules: add the entry to `.gitignore`
- Vulnerable dependencies: `superpowers:security-upgrade` workflow (scan → upgrade → validate → commit)

Commit each fix individually with descriptive messages:

```text
fix(security): remove hardcoded API key from config.ts
fix(security): add .env to .gitignore
fix(security): upgrade flask 3.1.2→3.1.3 (CVE-2026-27205)
fix(security): replace eval() with JSON.parse() in parser.js
```
After all fixes, re-run the full scan and confirm that no findings remain. Use `superpowers:verification-before-completion`: evidence before assertions.
security-upgrade (Phase 2 sub-skill) | public-repo-ip-audit (IP leakage) | wiki-secret-audit (wiki content) | verification-before-completion (post-fix)
| Failure | Fix |
|---|---|
| Scanner tool not installed (gitleaks, npm audit) | Check prerequisites first — install or fallback to manual grep |
| False positive on test fixtures with dummy secrets | Maintain allowlist of known test fixtures per repo |
| Scan misses secrets in git history | Run gitleaks with `--log-opts="--all"` to scan the full history across all refs |
| Dependency vuln has no fix available | Document as accepted risk with justification and review date |