Skill: Vulnerability Scan

Purpose

Scan code for security vulnerabilities, identifying potential attack vectors and providing remediation guidance.

When to Use

• Pre-deployment security checks
• Code review for security concerns
• Security audit preparation
• After dependency updates
• New feature implementation review
• Periodic security assessments

---

Vulnerability Categories

OWASP Top 10 Coverage

Category	ID	Description	Detection Method
Injection	A03	SQL, NoSQL, OS, LDAP injection	Pattern matching, taint analysis
Broken Auth	A07	Authentication/session flaws	Flow analysis
Sensitive Data	A02	Exposure of sensitive data	Data flow tracking
XXE	A05	XML external entity attacks	Parser configuration check
Access Control	A01	Authorization failures	Access pattern analysis
Misconfig	A05	Security misconfiguration	Config analysis
XSS	A03	Cross-site scripting	Output encoding check
Deserialization	A08	Insecure deserialization	Type checking
Components	A06	Vulnerable dependencies	Version checking
Logging	A09	Insufficient logging	Audit coverage

---

Scan Process

Phase 1: Static Analysis

## Static Security Scan

### Code Patterns Checked
1. **Input Validation**
   - Unvalidated user input
   - Missing sanitization
   - Type coercion issues

2. **Authentication**
   - Hardcoded credentials
   - Weak password handling
   - Session management flaws

3. **Authorization**
   - Missing access checks
   - Privilege escalation paths
   - IDOR vulnerabilities

4. **Data Handling**
   - Sensitive data in logs
   - Unencrypted storage
   - Insecure transmission

Phase 2: Dependency Analysis

## Dependency Vulnerability Check

### Package Analysis
- Known CVEs in dependencies
- Outdated packages with fixes
- Abandoned/unmaintained packages
- License compliance issues

Phase 3: Configuration Review

## Configuration Security

### Areas Checked
- Default credentials
- Debug mode settings
- CORS configuration
- Security headers
- TLS/SSL settings
- Cookie attributes

---

Vulnerability Report Template

## Security Vulnerability Report

**Scan Date:** {{date}}
**Target:** {{target}}
**Scan Type:** {{type}}
**Tool Version:** {{version}}

### Executive Summary
- **Total Vulnerabilities:** {{total}}
- **Critical:** {{critical}}
- **High:** {{high}}
- **Medium:** {{medium}}
- **Low:** {{low}}

---

### Critical Vulnerabilities

#### VULN-001: {{title}}
**Severity:** Critical
**CWE:** CWE-{{number}}
**CVSS:** {{score}}

**Location:**
- File: `{{file}}`
- Line: {{line}}

**Description:**
{{description}}

**Vulnerable Code:**
```{{language}}
{{code_snippet}}

Proof of Concept: {{poc_description}}

Remediation: {{fix_description}}

Fixed Code:

{{fixed_code}}

References:

• {{reference_links}}

---

High Vulnerabilities

...

Medium Vulnerabilities

...

Low Vulnerabilities

...

---

Remediation Roadmap

Priority	Vulnerability	Effort	Owner	Target Date
1	VULN-001	2h	TBD	Immediate
2	VULN-002	4h	TBD	This sprint
...

Metrics

• Mean Time to Remediate (Target): Critical <24h, High <1 week
• Scan Coverage: {{coverage}}%
• False Positive Rate: {{fp_rate}}%

---

## Language-Specific Checks

### JavaScript/TypeScript

| Vulnerability | Pattern | Example |
|--------------|---------|---------|
| Prototype pollution | `obj[userInput]` | `target[key] = value` |
| eval injection | `eval(userInput)` | `eval(code)` |
| DOM XSS | `innerHTML = userInput` | `el.innerHTML = data` |
| Path traversal | Path without validation | `fs.readFile(userPath)` |

### Python

| Vulnerability | Pattern | Example |
|--------------|---------|---------|
| Command injection | `os.system(userInput)` | `os.system(cmd)` |
| SQL injection | f-string in query | `f"SELECT * WHERE id={id}"` |
| Pickle RCE | Unpickling user data | `pickle.loads(data)` |
| YAML load | Unsafe YAML load | `yaml.load(data)` |

### Java

| Vulnerability | Pattern | Example |
|--------------|---------|---------|
| SQL injection | String concat in query | `"SELECT * WHERE id=" + id` |
| XXE | Default XML parser | `DocumentBuilder.parse(input)` |
| Deserialization | ObjectInputStream | `ois.readObject()` |
| Path traversal | File with user path | `new File(userPath)` |

---

## Integration Points

### CI/CD Integration

```yaml
# GitHub Actions example
security-scan:
  runs-on: ubuntu-latest
  steps:
    - uses: actions/checkout@v3
    - name: Security Scan
      run: |
        # Invoke vulnerability scan skill
        # Fail on critical/high findings
      continue-on-error: false

Pre-commit Hook

#!/bin/bash
# Run security scan on staged files
STAGED_FILES=$(git diff --cached --name-only)
# Scan staged files for vulnerabilities
# Block commit if critical issues found

---

Agents Using This Skill

• Senior Developer - During code review
• DevOps Engineer - CI/CD integration
• Software Architect - Security architecture review

Related Skills

• security-secret-scan - Credential detection
• security-compliance-check - Standards compliance
• security-dependency-audit - Dependency vulnerabilities
• analysis-code - General code analysis

MCP Tools Used

• None (analysis skill - no external tools required)
• Results can be logged via jira-comment-logging or confluence-technical-docs