Skill

Harness Security Scan

Runs lightweight mechanical security scans on project files or git changes. Filters findings by severity threshold, checks trends, and gates on errors for fast triage.

Git

security

npx claudepluginhub intense-visions/harness-engineering --plugin harness-claude

Tool Access

This skill uses the workspace's default tool permissions.

Preview

> Lightweight mechanical security scan. Fast triage, not deep review.

Supporting Assets

skill.yaml

SKILL.md

Similar Skills

Harness Security Review

Performs deep security audits combining mechanical scanning via harness CLI, AI-powered vulnerability analysis, OWASP baselines, stack-adaptive rules, and optional threat modeling. Use before releases, after dep updates, or for unfamiliar codebases.

1 file

harness-claude

Overview

Scans codebases for leaked secrets (API keys, tokens, passwords, private keys), insecure code patterns, and configuration issues. Returns severity-rated findings with file locations and remediation steps.

syncable-cli-skills

security-scan

Scans codebases for OWASP Top 10 vulnerabilities, secrets, injection flaws, cryptographic issues, and misconfigurations. Use /security-scan for full, quick, or focused security audits.

8 files

jwynia-agent-skills-1

Stats

Stars12

Forks6

Last CommitApr 27, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Harness Security Scan

Lightweight mechanical security scan. Fast triage, not deep review.

When to Use

As part of the codebase-health-analyst sweep
For quick security triage on a project or changed files
On scheduled cron runs for continuous security coverage
NOT for deep security review (use harness-security-review)
NOT for threat modeling (use harness-security-review --deep)

Process

Phase 1: SCAN — Run Mechanical Scanner

Resolve project root. Use provided path or cwd.
Load security config. Read harness.config.json and extract security section. Fall back to defaults if absent.
Determine file scope.
- If --changed-only or triggered by PR: run git diff --name-only HEAD~1 to get changed files. Filter to source files only (exclude node_modules, dist, test files per config).
- Otherwise: scan all source files in the project.
Run SecurityScanner. Call SecurityScanner.scanFiles() from @harness-engineering/core.
Filter by severity threshold. Remove findings below the configured threshold:
- error: only errors
- warning: errors and warnings (default)
- info: all findings
Check security trends. Check get_security_trends to compare current scan results against the project's security posture history and identify trajectory changes.

Output report. Present findings grouped by severity:

Security Scan: [PASS/FAIL]
Scanned: N files, M rules applied
Errors: N | Warnings: N | Info: N

[List findings with rule ID, file:line, severity, message, remediation]

Gates

Error-severity findings are blocking. Report is FAIL if any error-severity finding exists after filtering.
No AI review. This skill is mechanical only. Do not perform OWASP analysis or threat modeling.

Harness Integration

harness check-security — CLI command that invokes this skill's scanner.
SecurityScanner — Core class from @harness-engineering/core that executes the rule engine.
harness.config.json — Security section configures severity threshold and file exclusions.
codebase-health-analyst persona — Invokes this skill as part of its sweep.

Evidence Requirements

When this skill makes claims about existing code, architecture, or behavior, it MUST cite evidence using one of:

File reference: file:line format (e.g., src/auth.ts:42)
Code pattern reference: file with description (e.g., src/utils/hash.ts — "existing bcrypt wrapper")
Test/command output: Inline or referenced output from a test run or CLI command
Session evidence: Write to the evidence session section via manage_state

Uncited claims: Technical assertions without citations MUST be prefixed with [UNVERIFIED]. Example: [UNVERIFIED] The auth middleware supports refresh tokens.

Red Flags

Universal

These apply to ALL skills. If you catch yourself doing any of these, STOP.

"I believe the codebase does X" — Stop. Read the code and cite a file:line reference. Belief is not evidence.
"Let me recommend [pattern] for this" without checking existing patterns — Stop. Search the codebase first. The project may already have a convention.
"While we're here, we should also [unrelated improvement]" — Stop. Flag the idea but do not expand scope beyond the stated task.

Domain-Specific

"This finding is in test code, so it's not a real issue" — Stop. Test code can leak secrets, establish bad patterns, and be copy-pasted to production.
"This dependency is widely used, so it's safe" — Stop. Popularity is not a security guarantee. Check CVE databases and advisory feeds.
"This is a low-severity finding, skipping" — Stop. Low-severity findings compound. Document why you are deprioritizing, do not silently skip.
"The scanner didn't flag it, so it's clean" — Stop. Scanners have false negatives. A clean scan is not proof of security — it is absence of evidence.

Rationalizations to Reject

Universal

These reasoning patterns sound plausible but lead to bad outcomes. Reject them.

"It's probably fine" — "Probably" is not evidence. Verify before asserting.
"This is best practice" — Best practice in what context? Cite the source and confirm it applies to this codebase.
"We can fix it later" — If it is worth flagging, it is worth documenting now with a concrete follow-up plan.

Domain-Specific

Rationalization	Reality
"No attacker would find this"	Security by obscurity. If the code is wrong, flag it regardless of discoverability.
"We're behind a firewall"	Network boundaries change. Code should be secure at every layer regardless of deployment topology.
"The framework handles this for us"	Verify the framework's actual behavior. Misuse of a secure framework is still insecure.

Escalation

When error-severity findings are disputed: The scanner is mechanical — it may flag false positives. If a finding is a false positive, add a // harness-ignore SEC-XXX comment on the line and document the rationale. Do not suppress without explanation.
When the scanner misses a known vulnerability: This skill runs pattern-based rules only. For semantic analysis (taint tracking, control flow), use /harness:security-review instead.
When scan is too slow on large codebases: Use --changed-only to scope to recently changed files. Full scans can run on a scheduled cron instead.

Success Criteria

Scanner ran and produced findings (or confirmed clean)
Findings are filtered by the configured severity threshold
Report follows the structured format
Exit code reflects pass/fail status

Examples

Example: Clean Scan

Security Scan: PASS
Scanned: 42 files, 12 rules applied
Errors: 0 | Warnings: 0 | Info: 0

Example: Findings Detected

Security Scan: FAIL
Scanned: 42 files, 12 rules applied
Errors: 1 | Warnings: 2 | Info: 0

[SEC-SECRET-001] src/config.ts:15 (error)
  Hardcoded API key detected: `const API_KEY = "sk-..."`
  Remediation: Move to environment variable, use dotenv or secrets manager.

[SEC-NET-001] src/cors.ts:5 (warning)
  CORS wildcard origin: `origin: "*"`
  Remediation: Restrict to specific allowed origins.

[SEC-CRYPTO-001] src/auth.ts:22 (warning)
  Weak hash algorithm: `crypto.createHash("md5")`
  Remediation: Use SHA-256 or stronger.