# Security Scanner

## Overview
This skill performs a security audit on the current project using Trivy (if available) or a lightweight internal scanner. It detects vulnerabilities, secrets, and dangerous patterns.
## Capabilities

- Advanced Scan (via Trivy)

  If `trivy` is installed, this skill leverages it for enterprise-grade auditing:

  - Vulnerabilities (SCA): Checks `package.json`, `go.mod`, `requirements.txt`, etc., for known CVEs.
  - Misconfigurations (IaC): Scans Dockerfiles, Terraform, and Kubernetes manifests against security best practices.
  - Secret Scanning: Deep inspection for leaked API keys and tokens.
  - License Compliance: Checks for license risks in dependencies.

- Lightweight Scan (Fallback)

  If `trivy` is missing, it falls back to a fast, pattern-based internal scanner:

  - Secret Detection: AWS keys, GitHub tokens, generic secrets.
  - Dangerous Code: `eval()`, `dangerouslySetInnerHTML`, command injection risks.
  - PII Leakage Audit: Identifies potential logging of sensitive data (emails, PII) based on modern SRE best practices.
## Usage

Run the scanner from the root of your project:

```bash
node dist/index.js
```
## Configuration

- Trivy: Uses default settings.
- Internal Scanner:
  - Proprietary Patterns: Automatically checks `knowledge/confidential/skills/security-scanner/` for internal regex rules. These rules take priority over the general ones so that company-specific security risks are detected.
  - General Patterns: Uses `knowledge/security/scan-patterns.yaml`.
## Knowledge Protocol

- This skill adheres to `knowledge/orchestration/knowledge-protocol.md`. It automatically integrates the Public, Confidential (Company/Client), and Personal knowledge tiers, prioritizing the most specific secrets while ensuring no leaks to public outputs.

## Governance Alignment

- This skill aligns with IPA non-functional standards and FISC security guidelines to ensure enterprise-grade compliance.