Universal vulnerability detection patterns applicable across all programming languages. Includes hardcoded secrets, SQL/command injection, path traversal, and configuration file patterns.
Detects hardcoded secrets, SQL/command injection, and path traversal vulnerabilities across all programming languages. Triggers on code changes in real-time hooks to block critical security issues before they reach production.
/plugin marketplace add Zate/cc-plugins
/plugin install security@cc-plugins
This skill inherits all available tools. When active, it can use any tool Claude has access to.
Universal security patterns applicable to all programming languages.
Hardcoded Secrets
Detection Pattern:
# API Keys
(?i)api[_-]?key\s*[:=]\s*['"][a-zA-Z0-9]{16,}['"]
# AWS Access Key IDs (long-term AKIA, bearer ABIA, context-specific ACCA, temporary ASIA)
(?:AKIA|ABIA|ACCA|ASIA)[A-Z0-9]{16}
# Private Keys (PEM headers, including PKCS#8 encrypted keys)
-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----
# Generic Secrets
(?i)(password|secret|token|credential)s?\s*[:=]\s*['"][^'"]{8,}['"]
# JWT Secrets
(?i)(jwt[_-]?secret|signing[_-]?key)\s*[:=]\s*['"][^'"]+['"]
Grep Commands:
# grep's --include does not understand {a,b}, so the braces are left unquoted and the
# shell expands them into one --include per extension. grep -E has no (?i) flag; use -i.
# API keys
grep -rn -i --include=*.{js,ts,py,java,go,rb} -E "api[_-]?key\s*[:=]\s*['\"][a-zA-Z0-9]{16,}['\"]" .
# AWS keys
grep -rn -E "(AKIA|ABIA|ACCA|ASIA)[A-Z0-9]{16}" .
# Private keys
grep -rn "BEGIN.*PRIVATE KEY" .
# Password assignments
grep -rn -i --include=*.{js,ts,py,java,go,rb} -E "(password|secret)\s*[:=]\s*['\"][^'\"]{8,}['\"]" .
Severity: High ASVS: V13.3.1 - Secrets not in version control CWE: CWE-798 (Hardcoded Credentials)
These regexes also match placeholders and fixtures (password = "changeme", "${DB_PASSWORD}"), so confirm that a hit is a live credential before blocking on it. A credential that has ever been committed must be rotated, not just deleted from the working tree.
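As an added example (not code from the plugin), the Python scanner below applies the five patterns above to constructed sample lines and drops the two kinds of false positive that make a blocking hook unusable: obvious placeholders and low-entropy values. Python is used for the added examples on this page because its re module accepts the (?i) patterns unchanged. The sample lines, the placeholder list and the 3.0-bit entropy threshold are assumptions chosen for the demo; the AWS value is the documentation example key.

```python
import math
import re

# The page's five detection patterns, with the secret value captured as a named
# group so a hit can be scored. Python's re accepts the (?i) inline flag.
SECRET_PATTERNS = {
    "api_key": re.compile(r"""(?i)api[_-]?key\s*[:=]\s*['"](?P<value>[a-zA-Z0-9]{16,})['"]"""),
    "aws_access_key": re.compile(r"(?P<value>(?:AKIA|ABIA|ACCA|ASIA)[A-Z0-9]{16})"),
    "private_key": re.compile(r"(?P<value>-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----)"),
    "generic_secret": re.compile(r"""(?i)(?:password|secret|token|credential)s?\s*[:=]\s*['"](?P<value>[^'"]{8,})['"]"""),
    "jwt_secret": re.compile(r"""(?i)(?:jwt[_-]?secret|signing[_-]?key)\s*[:=]\s*['"](?P<value>[^'"]+)['"]"""),
}

# Values that are placeholders or indirections rather than credentials (assumed list).
PLACEHOLDER = re.compile(r"(?i)^(changeme|password|example|dummy|x{3,}|<[^>]+>|\$\{[^}]+\}|\{\{[^}]+\}\})$")


def shannon_entropy(value):
    """Bits per character: random keys score near 4, words and repeats score low."""
    if not value:
        return 0.0
    n = len(value)
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_lines(lines, min_entropy=3.0):
    """Return (line_no, rule, value) for each probable hardcoded secret.

    AWS key IDs and PEM headers are structural and always reported; the other
    rules are gated by the placeholder list and the entropy threshold.
    """
    findings = []
    for no, line in enumerate(lines, start=1):
        for rule, pattern in SECRET_PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            value = match.group("value")
            if rule in ("aws_access_key", "private_key"):
                findings.append((no, rule, value))
            elif PLACEHOLDER.match(value) or shannon_entropy(value) < min_entropy:
                continue  # placeholder, env reference or too regular to be a live key
            else:
                findings.append((no, rule, value))
    return findings


# Constructed sample input.
SAMPLE_LINES = [
    'API_KEY = "a7f3c9e2b1d84f6a9c0e5b2d7f8a1c3e"',  # reported: api_key
    'password = "changeme"',                          # skipped: placeholder
    'db_password = "${DB_PASSWORD}"',                 # skipped: env indirection
    'aws_key = "AKIAIOSFODNN7EXAMPLE"',               # reported: aws_access_key
    "-----BEGIN RSA PRIVATE KEY-----",                # reported: private_key
    'token = "aaaaaaaaaaaaaaaa"',                     # skipped: entropy 0
    "SELECT * FROM users WHERE token = ?",            # no assignment, no match
]

if __name__ == "__main__":
    for no, rule, value in scan_lines(SAMPLE_LINES):
        print(f"line {no}: {rule}: {value[:12]}...")
```

Structural hits (AWS key IDs, PEM headers) bypass the entropy gate on purpose: the documentation example key is low-risk but a real one is not, and the regex cannot tell them apart, so a human does.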
SQL Injection
Detection Pattern:
# String concatenation in queries (also matches arithmetic and string building near SQL keywords; triage the hits)
(?i)(SELECT|INSERT|UPDATE|DELETE|FROM|WHERE).*\+\s*[a-zA-Z_]+
# f-string/template queries
(?i)f['"](SELECT|INSERT|UPDATE|DELETE).*\{
# Format string queries (Python % formatting)
(?i)(SELECT|INSERT|UPDATE|DELETE).*%\s*\(
# String interpolation (JavaScript template literals)
(?i)(SELECT|INSERT|UPDATE|DELETE).*\$\{
Grep Commands:
# Python f-string SQL
grep -rn -i --include=*.py -E "f['\"](SELECT|INSERT|UPDATE|DELETE).*\{" .
# JavaScript template SQL (single quotes keep the backtick and \$ literal; an unescaped $ is an anchor in ERE)
grep -rn -i --include=*.{js,ts} -E '`(SELECT|INSERT|UPDATE|DELETE).*\$\{' .
# String concatenation SQL (all languages)
grep -rn -i -E "(SELECT|INSERT|UPDATE|DELETE).*\+.*\+" .
Severity: Critical ASVS: V1.2.1 - Parameterized queries CWE: CWE-89 (SQL Injection)
A hit is exploitable only when the interpolated value is attacker-controlled, but the fix is the same either way: a parameterized query or a query builder that binds values, not manual escaping.
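Added example (not the plugin's code): the vulnerable and the parameterized query side by side against a constructed in-memory SQLite table, with the page's two patterns run over copies of both bodies to show that only the f-string version is flagged. The table, rows and payload are constructed for the demo.

```python
import re
import sqlite3

# The page's concatenation and f-string patterns.
SQLI_CONCAT = re.compile(r"(?i)(SELECT|INSERT|UPDATE|DELETE|FROM|WHERE).*\+\s*[a-zA-Z_]+")
SQLI_FSTRING = re.compile(r"""(?i)f['"](SELECT|INSERT|UPDATE|DELETE).*\{""")


def make_db():
    """Constructed data: two users, one privileged."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("alice", "admin"), ("bob", "user")])
    return conn


def find_user_vulnerable(conn, name):
    # The query text is assembled with an f-string, so a quote in name changes the SQL.
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    # Placeholder plus bound parameter: the driver passes name as data, never as SQL.
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


# Copies of the two bodies above, as the text a hook would receive.
VULNERABLE_SNIPPET = """query = f"SELECT name, role FROM users WHERE name = '{name}'"
return conn.execute(query).fetchall()"""
SAFE_SNIPPET = """return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()"""


def detector_flags(source):
    """True when either pattern matches any line of source."""
    return any(SQLI_CONCAT.search(line) or SQLI_FSTRING.search(line) for line in source.splitlines())


# Classic tautology payload; the vulnerable query supplies the closing quote.
PAYLOAD = "x' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", find_user_vulnerable(conn, PAYLOAD))   # both rows come back
    print("safe:      ", find_user_safe(conn, PAYLOAD))         # no rows
    print("flagged:   ", detector_flags(VULNERABLE_SNIPPET), detector_flags(SAFE_SNIPPET))
```

The vulnerable function returns every row for the tautology payload because the final query reads WHERE name = 'x' OR '1'='1'; the parameterized version looks for a user literally named x' OR '1'='1 and finds nothing.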
Command Injection
Detection Pattern:
# Shell execution with variables
(?i)(os\.system|subprocess\.call|exec|shell_exec|system)\s*\([^)]*\+
(?i)(os\.system|subprocess\.call|exec|shell_exec|system)\s*\([^)]*\$\{
(?i)(os\.system|subprocess\.call|exec|shell_exec|system)\s*\([^)]*f['"]
# Dangerous shell=True (the method class must allow capitals and underscores; [a-z]+ misses Popen and check_output)
subprocess\.[A-Za-z_]+\([^)]*shell\s*=\s*True
Grep Commands:
# Python os.system
grep -rn --include=*.py -E "os\.system\s*\(.*\+" .
# Python subprocess shell=True
grep -rn --include=*.py "shell\s*=\s*True" .
# Node.js exec / spawn with shell: true
grep -rn --include=*.{js,ts} -E "(exec|execSync)\s*\(.*\+|shell\s*:\s*true" .
# PHP system calls
grep -rn --include=*.php -E "(system|exec|shell_exec|passthru|popen|proc_open)\s*\(" .
Severity: Critical ASVS: V1.2.3 - OS command injection prevention CWE: CWE-78 (OS Command Injection)
shell=True with a constant command string is not injectable by itself; the finding is critical when any part of the string comes from input. The fix is an argument vector without a shell (subprocess.run(["tool", arg])), so nothing parses the data as shell syntax.
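Added example (not the plugin's code): the shell=True string form beside the argument-vector form, run against a constructed input containing a shell metacharacter, plus the shell=True detector checked against constructed call sites to show why the method-name class needs capitals and underscores. The child program is the current Python interpreter printing its first argument, a stand-in for any tool that takes a filename; the shell form needs /bin/sh.

```python
import re
import shlex
import subprocess
import sys

# Constructed attacker-controlled value: a "filename" carrying a shell metacharacter.
USER_INPUT = "report.txt; echo INJECTED"

# Stand-in child program (runs under the current interpreter): prints its first argument.
CHILD = "import sys; print(sys.argv[1])"


def run_vulnerable(arg):
    """Command string + shell=True: /bin/sh parses arg, so ';' starts a second command."""
    cmd = shlex.quote(sys.executable) + " -c " + shlex.quote(CHILD) + " " + arg
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout.splitlines()


def run_safe(arg):
    """Argument vector, no shell: arg reaches the child verbatim as argv[1]."""
    proc = subprocess.run([sys.executable, "-c", CHILD, arg], capture_output=True, text=True)
    return proc.stdout.splitlines()


# The page's shell=True pattern in two forms: a lowercase-only method class
# and the widened one that also catches Popen and check_output.
SHELL_TRUE_NARROW = re.compile(r"subprocess\.[a-z]+\([^)]*shell\s*=\s*True")
SHELL_TRUE = re.compile(r"subprocess\.[A-Za-z_]+\([^)]*shell\s*=\s*True")

# Constructed call sites to check the detector against.
CALL_SITES = [
    "subprocess.run(cmd, shell=True)",
    "subprocess.Popen(cmd, shell=True)",
    "subprocess.check_output(cmd, shell=True)",
    "subprocess.run([tool, arg])",
]


def flagged(pattern):
    return [site for site in CALL_SITES if pattern.search(site)]


if __name__ == "__main__":
    print("vulnerable:", run_vulnerable(USER_INPUT))   # ['report.txt', 'INJECTED']
    print("safe:      ", run_safe(USER_INPUT))         # ['report.txt; echo INJECTED']
    print("narrow:    ", flagged(SHELL_TRUE_NARROW))
    print("widened:   ", flagged(SHELL_TRUE))
```

The quoting of the interpreter path and the child program is deliberate: everything the developer controls is quoted correctly and the injection still works, because the one value that is not quoted is the one that came from the user.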
Path Traversal
Detection Pattern:
# Direct path concatenation
(?i)(open|read|write|file|path)\s*\([^)]*\+.*\)
(?i)(open|read|write|file|path)\s*\([^)]*\$\{.*\)
# No path validation on the same line (the negative lookahead is PCRE syntax: use grep -P, or the grep -v form below)
os\.path\.join\s*\([^)]*,[^)]*\)(?!.*resolve|.*is_relative)
Grep Commands:
# Python file operations with variables
grep -rn --include=*.py -E "open\s*\(.*\+" .
# Node.js file operations
grep -rn --include=*.{js,ts} -E "(readFile|readFileSync|writeFile|writeFileSync|createReadStream)\s*\(.*\+" .
# Check for missing path validation
grep -rn --include=*.py "os\.path\.join" . | grep -v "resolve\|is_relative"
Severity: High ASVS: V5.4.1 - Path traversal prevention CWE: CWE-22 (Path Traversal)
Validation usually sits on a different line from the join, so the last command yields a triage list rather than verdicts. Note that os.path.join(base, user_path) returns user_path unchanged when it is absolute, so the join itself is no protection: resolve the result and check that it is still inside base.
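Added example (not the plugin's code): the naive join the pattern flags beside a containment check that resolves both sides, tried against a constructed upload root with a dot-dot path, an absolute path and a symlink planted inside the root. The root directory and file names are assumptions; the symlink case creates a temporary directory so it runs anywhere. Path.is_relative_to needs Python 3.9 or later.

```python
import os
import tempfile
from pathlib import Path

# Constructed upload root; it does not need to exist on disk.
BASE = "/srv/app/uploads"


def naive_join(base, user_path):
    """What the flagged code usually does: os.path.join discards base when
    user_path is absolute, and normpath walks '..' straight out of base."""
    return os.path.normpath(os.path.join(base, user_path))


def safe_join(base, user_path):
    """Resolve the candidate and refuse anything outside base.

    Both sides are resolved (symlinks followed, '..' collapsed) so that a
    symlinked base still compares equal and a symlink planted under base
    cannot point outside it.
    """
    base_dir = Path(base).resolve()
    candidate = (base_dir / user_path).resolve()
    if not candidate.is_relative_to(base_dir):
        raise ValueError(f"path escapes {base_dir}: {user_path!r}")
    return candidate


def is_rejected(base, user_path):
    try:
        safe_join(base, user_path)
    except ValueError:
        return True
    return False


def symlink_escape_rejected():
    """A link inside base that targets /etc must be refused too; a check on
    the string alone (before resolving) would let 'link/passwd' through."""
    with tempfile.TemporaryDirectory() as tmp:
        os.symlink("/etc", os.path.join(tmp, "link"))
        return is_rejected(tmp, "link/passwd")


if __name__ == "__main__":
    print(naive_join(BASE, "/etc/passwd"))        # /etc/passwd
    print(naive_join(BASE, "../../etc/passwd"))   # /srv/etc/passwd
    print(safe_join(BASE, "reports/2024.txt"))
    print(is_rejected(BASE, "../../etc/passwd"), is_rejected(BASE, "/etc/passwd"), symlink_escape_rejected())
```

Rejecting instead of "sanitizing" (stripping ../ and retrying) is intentional: sanitizers are bypassed by encodings and by sequences such as ....//, while a resolve-then-compare check judges the path the kernel will actually open.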
Environment Files
Detection Pattern:
# Sensitive keys in .env
(?i)(password|secret|token|api[_-]?key|private[_-]?key)\s*=\s*[^\s]+
Grep Commands:
# grep -E has no (?i); use -i instead
grep -n -i -E "(password|secret|token|api.?key|private.?key)\s*=" .env* 2>/dev/null
# The finding that matters is a .env file under version control (.env.example is expected to hold placeholders)
git ls-files | grep -E "(^|/)\.env"
Severity: High ASVS: V13.3.1 - Secrets management CWE: CWE-798 (Hardcoded Credentials)
Container Configuration
Detection Pattern:
# Privileged mode (docker run flag / compose key)
--privileged
privileged:\s*true
# Running as root (an image with no USER instruction at all also runs as root)
USER\s+(root|0)\b
# Exposed secrets (ENV persists in the image; ARG values are visible in docker history)
(ENV|ARG)\s+(PASSWORD|SECRET|API_KEY|TOKEN)\s*=
Grep Commands:
grep -rn "privileged" Dockerfile docker-compose.yml docker-compose.yaml compose.yml compose.yaml 2>/dev/null
grep -rn -E "USER\s+(root|0)\b" Dockerfile 2>/dev/null
# Dockerfiles that never switch away from root
grep -L "^USER" Dockerfile 2>/dev/null
grep -rn -E "(ENV|ARG).*(PASSWORD|SECRET|API_KEY|TOKEN)" Dockerfile 2>/dev/null
Severity: High ASVS: V13.2.1 - Secure configuration CWE: CWE-250 (Execution with Unnecessary Privileges)
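Added example (not the plugin's code): a small linter that applies the container patterns above to constructed Dockerfile and compose text and adds the check the regexes cannot express on their own, a Dockerfile with no USER instruction at all. The hardened Dockerfile it accepts uses a BuildKit secret mount for the build-time credential and a dedicated user for the final process; the image, user name and file paths are assumptions.

```python
import re

# Constructed Dockerfile with both findings: a secret baked in with ENV and
# no USER instruction, so every process in the container runs as root.
DOCKERFILE_BAD = """\
FROM python:3.12-slim
ENV API_KEY=sk_live_1234567890abcdef
COPY . /app
RUN pip install -r /app/requirements.txt
CMD ["python", "/app/main.py"]
"""

# Constructed hardened variant: the build-time credential is a BuildKit secret
# mount (never written into a layer) and the final process runs as a non-root user.
DOCKERFILE_GOOD = """\
FROM python:3.12-slim
RUN useradd --create-home --uid 10001 app
COPY --chown=app:app . /app
RUN --mount=type=secret,id=netrc,target=/root/.netrc pip install -r /app/requirements.txt
USER app
CMD ["python", "/app/main.py"]
"""

# Constructed compose fragment with the privileged flag.
COMPOSE_BAD = """\
services:
  web:
    image: myapp
    privileged: true
"""

SECRET_ENV = re.compile(r"^\s*(?:ENV|ARG)\s+\w*(?:PASSWORD|SECRET|API_KEY|TOKEN)\b", re.I)
USER_LINE = re.compile(r"^\s*USER\s+(\S+)", re.I)
PRIVILEGED = re.compile(r"^\s*privileged:\s*true\b|--privileged\b", re.I)


def lint_dockerfile(text):
    """Return (line_no, message) pairs; line 0 marks a file-level finding.

    USER is processed in order because the last one wins. Multi-stage builds
    are treated as a single stage here, which is a simplification.
    """
    findings = []
    last_user = None
    for no, line in enumerate(text.splitlines(), start=1):
        if SECRET_ENV.match(line):
            findings.append((no, "secret baked into the image via ENV/ARG"))
        match = USER_LINE.match(line)
        if match:
            last_user = match.group(1)
            if last_user.split(":")[0] in ("root", "0"):
                findings.append((no, "explicit USER root"))
    if last_user is None:
        findings.append((0, "no USER instruction: container runs as root"))
    return findings


def lint_compose(text):
    return [(no, "privileged container") for no, line in enumerate(text.splitlines(), start=1)
            if PRIVILEGED.search(line)]


if __name__ == "__main__":
    print(lint_dockerfile(DOCKERFILE_BAD))
    print(lint_dockerfile(DOCKERFILE_GOOD))   # []
    print(lint_compose(COMPOSE_BAD))
```

The hardened Dockerfile is built with docker build --secret id=netrc,src=$HOME/.netrc . so pip can authenticate during the RUN step while nothing credential-bearing lands in a layer.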
Use this script for rapid vulnerability detection:
#!/bin/bash
# quick-security-scan.sh
# Braces in --include/--exclude-dir are left unquoted on purpose: the shell expands
# them into one flag per pattern, because grep itself does not understand {a,b}.
INCLUDES=(--include=*.{js,ts,py,java,go,rb,php})
EXCLUDES=(--exclude-dir={.git,node_modules,vendor,dist,build})
echo "=== Quick Security Scan ==="
echo -e "\n[1] Hardcoded Secrets"
grep -rn -i "${INCLUDES[@]}" "${EXCLUDES[@]}" -E "(api[_-]?key|password|secret)\s*[:=]\s*['\"][^'\"]{8,}['\"]" . 2>/dev/null | head -20
echo -e "\n[2] SQL Injection Patterns"
grep -rn -i "${INCLUDES[@]}" "${EXCLUDES[@]}" -E "(SELECT|INSERT|UPDATE|DELETE).*\+" . 2>/dev/null | head -20
echo -e "\n[3] Command Injection"
grep -rn --include=*.py "${EXCLUDES[@]}" "shell\s*=\s*True" . 2>/dev/null
grep -rn --include=*.{js,ts} "${EXCLUDES[@]}" -E "(exec|execSync|spawn|spawnSync)\s*\(" . 2>/dev/null | head -10
echo -e "\n[4] Unsafe Deserialization"
# yaml.load is only safe with Loader=yaml.SafeLoader; yaml.safe_load is the fix
grep -rn --include=*.py "${EXCLUDES[@]}" -E "pickle\.loads?\(|yaml\.load\(" . 2>/dev/null
grep -rn --include=*.java "${EXCLUDES[@]}" -E "ObjectInputStream|readObject" . 2>/dev/null
echo -e "\n[5] Weak Cryptography"
# -w keeps DES from matching DESCRIPTION and similar
grep -rn -i -w --include=*.{py,java,go} "${EXCLUDES[@]}" -E "md5|sha1|des|rc4" . 2>/dev/null | head -10
echo -e "\n[6] Debug/Dev Settings"
grep -rn --include=*.py "${EXCLUDES[@]}" "DEBUG\s*=\s*True" . 2>/dev/null
grep -rn "${EXCLUDES[@]}" "NODE_ENV.*development" . 2>/dev/null
echo -e "\n=== Scan Complete ==="
When using these patterns in PreToolUse hooks:
| Severity | Action | Response Time |
|---|---|---|
| Critical | Block | Immediate |
| High | Block/Warn | Immediate |
| Medium | Warn | Deferred |
| Low | Log | Async |
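Added example (not the plugin's hook): a PreToolUse hook that scans the text a Write or Edit is about to put on disk, maps the worst finding to the table above, and blocks or warns accordingly. The severity rules are a subset of the patterns on this page (the Medium rating for DEBUG = True is an assumption; the quick scan lists it without one). The stdin JSON shape (tool_input with content, new_string and file_path) and the exit-code convention (2 blocks and returns stderr to the model, 0 allows) are assumed from Claude Code's hook contract, which this page does not document.

```python
import json
import re
import sys

# Severity-tagged rules taken from this page; the DEBUG rule's Medium severity
# is an assumption (the page's quick scan lists it without a rating).
RULES = [
    ("Critical", "sql_injection",
     re.compile(r"""f['"](SELECT|INSERT|UPDATE|DELETE).*\{|(SELECT|INSERT|UPDATE|DELETE).*\+\s*[a-zA-Z_]+""", re.I)),
    ("Critical", "command_injection",
     re.compile(r"subprocess\.[A-Za-z_]+\([^)]*shell\s*=\s*True|(os\.system|shell_exec|system)\s*\([^)]*\+")),
    ("High", "hardcoded_secret",
     re.compile(r"""(api[_-]?key|password|secret|token)\s*[:=]\s*['"][^'"]{8,}['"]""", re.I)),
    ("High", "aws_access_key", re.compile(r"(?:AKIA|ABIA|ACCA|ASIA)[A-Z0-9]{16}")),
    ("Medium", "debug_enabled", re.compile(r"\bDEBUG\s*=\s*True\b")),
]

RANK = {"Critical": 3, "High": 2, "Medium": 1, "Low": 0}


def scan_content(text):
    """Return (severity, rule, line_no) for every rule hit in the new file content."""
    hits = []
    for no, line in enumerate(text.splitlines(), start=1):
        for severity, rule, pattern in RULES:
            if pattern.search(line):
                hits.append((severity, rule, no))
    return hits


def decide(findings, block_high=True):
    """Map the worst finding to the table: block, warn, log or allow.

    High is "Block/Warn" in the table; block_high picks which.
    """
    if not findings:
        return "allow"
    worst = max(findings, key=lambda f: RANK[f[0]])[0]
    if worst == "Critical" or (worst == "High" and block_high):
        return "block"
    if worst in ("High", "Medium"):
        return "warn"
    return "log"


def main():
    # Assumed hook contract, not documented on this page: a JSON event on stdin
    # with tool_name and tool_input; for Write the new text is tool_input["content"],
    # for Edit it is tool_input["new_string"]; exit 2 blocks the tool call and
    # stderr is returned to the model, exit 0 lets it proceed.
    event = json.load(sys.stdin)
    tool_input = event.get("tool_input", {})
    text = tool_input.get("content") or tool_input.get("new_string") or ""
    findings = scan_content(text)
    action = decide(findings)
    for severity, rule, no in findings:
        print(f"[{severity}] {rule} at line {no} of {tool_input.get('file_path', '<unknown>')}", file=sys.stderr)
    if action == "block":
        print("Blocked: fix the Critical/High findings before writing this file.", file=sys.stderr)
        sys.exit(2)
    sys.exit(0)


if __name__ == "__main__":
    main()
```

Keeping the decision in a pure function (decide) rather than in main() is what makes the policy testable: the block/warn threshold can be exercised without a hook runtime, and a warn-only rollout is a single argument change.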
vuln-patterns-languages - Language-specific patterns
remediation-injection - SQL/command injection fixes
remediation-auth - Secrets management fixes