Skill

security-surface-scanner

OWASP vulnerability patterns, secret detection, and authentication/authorization analysis. Trigger: "security scan", "OWASP check", "secret detection", "auth analysis".

From sovereign-architect

Install

Run in your terminal

npx claudepluginhub javimontano/mao-sovereign-architect

Tool Access

This skill is limited to using the following tools:

ReadGlobGrepBashAgent

Supporting Assets

View in Repository

evals/evals.json

examples/sample-output.md

prompts/use-case-prompts.md

references/body-of-knowledge.md

Skill Content

Similar Skills

cqrs-implementation

Implements CQRS patterns with Python templates for command/query separation, event-sourcing, and scalable read/write models. Use for optimizing queries or independent scaling.

backend-development

33.0k

architecture-patterns

1 file

Implements Clean Architecture, Hexagonal Architecture (ports/adapters), and Domain-Driven Design for backend services. For microservice design, monolith refactoring to bounded contexts, and dependency debugging.

backend-development

33.0k

api-design-principles

4 files

Provides REST and GraphQL API design principles including resource hierarchies, HTTP methods, versioning strategies, pagination, and filtering patterns for new APIs, reviews, or standards.

backend-development

33.0k

Stats

Stars0

Forks0

Last CommitMar 28, 2026

Actions

View Source View Plugin View on GitHub View README

Procedure

Step 1 — Secret Detection

Scan for hardcoded credentials: API keys, passwords, tokens, connection strings in source files.

Check .env files committed to version control.

Verify .gitignore excludes sensitive files (.env, *.pem, *.key).

Search for base64-encoded secrets and high-entropy strings.

Document each finding with file path and line number [HECHO].

Step 2 — OWASP Top 10 Pattern Analysis

Injection: Grep for raw SQL queries, unsanitized user input in commands, template injection.

Broken Auth: Check session management, password hashing algorithms, token expiration.

Sensitive Data Exposure: Find unencrypted PII storage, missing HTTPS enforcement, verbose error messages.

XXE/Deserialization: Check XML parser configs, unsafe deserialization of user input.

Classify each finding by OWASP category with severity [HECHO].

Step 3 — Auth & Access Control Review

Map authentication flow: login, registration, password reset, MFA.

Identify authorization model: RBAC, ABAC, ACL, or ad-hoc.

Check for authorization bypasses: missing middleware, inconsistent checks.

Verify CORS configuration, CSP headers, and cookie security flags.

Assess rate limiting and brute-force protection [HECHO].

Step 4 — Security Posture Report

Classify findings: Critical, High, Medium, Low, Informational.

Map each finding to CWE identifiers where applicable.

Provide specific remediation guidance per finding.

Calculate an overall security score (0-100).

Procedure

Step 1 — Secret Detection

Scan for hardcoded credentials: API keys, passwords, tokens, connection strings in source files.

Check .env files committed to version control.

Verify .gitignore excludes sensitive files (.env, *.pem, *.key).

Search for base64-encoded secrets and high-entropy strings.

Document each finding with file path and line number [HECHO].

Step 2 — OWASP Top 10 Pattern Analysis

Injection: Grep for raw SQL queries, unsanitized user input in commands, template injection.

Broken Auth: Check session management, password hashing algorithms, token expiration.

Sensitive Data Exposure: Find unencrypted PII storage, missing HTTPS enforcement, verbose error messages.

XXE/Deserialization: Check XML parser configs, unsafe deserialization of user input.

Classify each finding by OWASP category with severity [HECHO].

Step 3 — Auth & Access Control Review

Map authentication flow: login, registration, password reset, MFA.

Identify authorization model: RBAC, ABAC, ACL, or ad-hoc.

Check for authorization bypasses: missing middleware, inconsistent checks.

Verify CORS configuration, CSP headers, and cookie security flags.

Assess rate limiting and brute-force protection [HECHO].

Step 4 — Security Posture Report

Classify findings: Critical, High, Medium, Low, Informational.

Map each finding to CWE identifiers where applicable.

Provide specific remediation guidance per finding.

Calculate an overall security score (0-100).

security-surface-scanner

security-surface-scanner

Security Surface Scanner

Guiding Principle

Procedure

Step 1 — Secret Detection

Step 2 — OWASP Top 10 Pattern Analysis

Step 3 — Auth & Access Control Review

Step 4 — Security Posture Report

Quality Criteria

Anti-Patterns

Security Surface Scanner

Guiding Principle

Procedure

Step 1 — Secret Detection

Step 2 — OWASP Top 10 Pattern Analysis

Step 3 — Auth & Access Control Review

Step 4 — Security Posture Report

Quality Criteria

Anti-Patterns