Skill

source-code-scanning

Scans source code for vulnerabilities (OWASP Top 10, CWE Top 25), CVEs in dependencies/packages, hardcoded secrets, malicious code, and insecure patterns.

Semgrep

Python

Javascript

Java

security

npx claudepluginhub transilienceai/communitytools

Tool Access

This skill uses the workspace's default tool permissions.

Preview

1. **Identify** - languages, frameworks, package managers present

Supporting Assets

reference/dependency-cve-scanning.mdreference/language-patterns.mdreference/malicious-code.mdreference/manual-review.mdreference/sast-tools.mdreference/secrets-detection.md

SKILL.md

Similar Skills

security-review

29.8k

Scans codebases for vulnerabilities like injections, XSS, secrets exposure, insecure deps, and access control flaws across JavaScript, TypeScript, Python, Java, PHP, Go, Ruby, Rust.

5 files

awesome-copilot-refactor

performing-security-code-review

1.9k

Scans codebases for vulnerabilities like SQL injection, XSS, auth flaws, insecure deps, and secrets using grep and bash. Generates severity-rated reports with file locations, explanations, and fixes.

7 files6 tools

security-agent

scan

Scans code for security vulnerabilities like auth bypass, injection, IDOR, mass assignment, race conditions, secrets, and insecure defaults. Audits Node.js/Python dependencies.

1 file5 tools

universe

Stats

Stars223

Forks44

Last CommitApr 14, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Source Code Security Review

Quick Start

Identify - languages, frameworks, package managers present
Automated SAST - run tools appropriate to the stack
Dependency CVEs - scan lockfiles/manifests for known CVEs
Secrets scan - detect hardcoded credentials/tokens
Manual review - trace high-risk sinks (exec, eval, query, deserialize)
Malicious code - check for backdoors, obfuscation, suspicious network calls
Report - findings with CWE/CVE refs, severity, PoC, remediation

Workflow

Phase 1: Enumerate

- Languages: ls **/*.{py,js,ts,java,go,rb,php,cs,rs}
- Packages: find package.json, requirements.txt, go.mod, pom.xml, Gemfile, composer.json, Cargo.toml
- Entry points: main(), index.*, app.*, server.*
- Config files: .env*, config.*, settings.*, *.yaml, *.toml

Phase 2: Automated SAST

See sast-tools.md for commands per language.

Key tools:

Multi-language: Semgrep (semgrep --config=auto .)
Python: Bandit (bandit -r . -f json)
JavaScript/TS: ESLint security plugin, njsscan
Java: SpotBugs + FindSecBugs
Go: gosec (gosec ./...)
PHP: PHPCS Security Audit
Ruby: Brakeman (brakeman -o report.json)
All: CodeQL (via gh codeql)

Phase 3: Dependency CVE Scan

See dependency-cve-scanning.md for commands.

Ecosystem	Command
npm/yarn	`npm audit --json` / `yarn audit`
Python	`pip-audit -r requirements.txt`
Java	`dependency-check --scan .`
Go	`govulncheck ./...`
Ruby	`bundle audit`
Generic	`trivy fs .` / `grype dir:.`

Phase 4: Secrets Detection

See secrets-detection.md.

trufflehog filesystem . --json
gitleaks detect --source . -v

Phase 5: Manual Review

Focus on high-risk sinks — see manual-review.md:

Injection sinks: exec, eval, query, system, popen
Deserialization: pickle.loads, ObjectInputStream, unserialize
Crypto: hardcoded keys, weak algorithms (MD5, SHA1, DES, ECB)
Auth: JWT validation, session management, RBAC enforcement
File ops: path construction with user input

Phase 6: Malicious Code

See malicious-code.md:

Obfuscated strings (base64, hex, charCode)
Unexpected network calls in library code
Typosquatting indicators
Postinstall/lifecycle script abuse
Hidden backdoors in dependencies

Language-Specific Patterns

See language-patterns.md for Python, JS, Java, Go, PHP, Ruby.

Severity Mapping

Severity	CVSS	Examples
Critical	9.0+	RCE, SQLi with exfil, auth bypass
High	7.0-8.9	Stored XSS, SSRF, insecure deserialization
Medium	4.0-6.9	Reflected XSS, info disclosure, IDOR
Low	0.1-3.9	Missing headers, verbose errors

Output Format

findings/
  <severity>-<vuln-type>-<location>.md   # One file per finding
evidence/
  <tool>-output.json                      # Raw tool output
summary-report.md                         # Executive summary

Each finding: CWE/CVE ID | File:Line | Severity | PoC | Remediation

Mobile App Analysis (APK/IPA)

When given a mobile app binary:

Extract: unzip app.apk -d extracted/ (APKs are ZIP archives)
Identify framework: React Native (assets/index.android.bundle), Flutter (libflutter.so), Xamarin, or native
React Native: JS bundle is plaintext — search for secrets, API keys, config objects, hardcoded tokens
Encoded secrets: Search for base64 prefixes of known flag/secret formats (e.g., SFRC = base64 of HTB). Config objects often store secrets as base64 in debug, secret, apiKey fields
Native: Use jadx for Java/Kotlin decompilation, check AndroidManifest.xml, strings.xml, BuildConfig
Shared libs: Check .so files with strings for hardcoded credentials

Critical Rules

Never execute untrusted code during review
Treat all findings as potential until verified
Always cross-reference CVEs against actual version in use
Report supply chain issues separately (they affect all users)