Security Lint & Threat Detector
When to use this skill
-
User asks to scan code for security issues
-
User mentions OWASP vulnerabilities
-
User wants to find leaked credentials or secrets
-
User asks about XSS, SQL injection, or CSRF risks
-
User wants to audit code before deployment
Workflow
-
Identify files to scan (changed or full codebase)
-
Run automated security scanners
-
Perform pattern-based detection
-
Categorize findings by severity
-
Provide remediation suggestions
-
Generate security report
Instructions
Step 1: Identify Scan Scope
For changed files:
git diff --cached --name-only --diff-filter=ACMR | grep -E '.(js|jsx|ts|tsx|py|rb|php|java|go)$'
For full codebase:
find src -type f ( -name ".ts" -o -name ".tsx" -o -name ".js" -o -name ".jsx" )
Step 2: Run Security Scanners
JavaScript/TypeScript — npm audit:
npm audit --json
JavaScript/TypeScript — Snyk (if available):
npx snyk test --json
ESLint security plugin:
npx eslint --plugin security --rule 'security/*: error' <files>
Semgrep (multi-language):
npx @semgrep/semgrep --config=auto --json .
Gitleaks (secrets detection):
gitleaks detect --source . --report-format json
Step 3: Pattern-Based Detection
Scan for these high-risk patterns:
Credential Leakage
Pattern Risk Regex
API keys Critical ['"]?(api[_-]?key|apikey)['"]?\s*[:=]\s*['"][a-zA-Z0-9]{16,}['"]
AWS keys Critical AKIA[0-9A-Z]{16}
Private keys Critical -----BEGIN (RSA|DSA|EC|OPENSSH) PRIVATE KEY-----
Passwords High ['"]?(password|passwd|pwd)['"]?\s*[:=]\s*['"][^'"]{4,}['"]
Tokens High ['"]?(token|secret|auth)['"]?\s*[:=]\s*['"][a-zA-Z0-9_-]{20,}['"]
Connection strings High (mongodb|postgres|mysql)://[^:]+:[^@]+@
grep -rn --include=".{ts,js,tsx,jsx,json,env}" -E "AKIA[0-9A-Z]{16}" . grep -rn --include=".{ts,js,tsx,jsx}" -E "(api[_-]?key|apikey)\s*[:=]\s*['"][^'"]{16,}['"]" .
Unsafe Code Patterns
Pattern Risk Detection
eval()
Critical Direct code execution
dangerouslySetInnerHTML
High XSS vulnerability in React
v-html
High XSS vulnerability in Vue
innerHTML assignment High DOM-based XSS
document.write
High DOM manipulation risk
new Function()
High Dynamic code execution
child_process.exec
High Command injection risk
sql
- string concat Critical SQL injection
http:// URLs Medium Insecure transport
grep -rn --include=".{ts,js,tsx,jsx}" -E "\beval\s(" . grep -rn --include=".tsx" "dangerouslySetInnerHTML" . grep -rn --include=".vue" "v-html" . grep -rn --include=".{ts,js}" -E ".exec\s(.*${" .
OWASP Top 10 Checks
OWASP Vulnerability What to look for
A01 Broken Access Control Missing auth checks, direct object refs
A02 Cryptographic Failures Weak algorithms (MD5, SHA1), hardcoded keys
A03 Injection SQL/NoSQL/Command injection patterns
A04 Insecure Design Missing rate limiting, no input validation
A05 Security Misconfiguration CORS *, debug modes, default creds
A06 Vulnerable Components Outdated dependencies
A07 Auth Failures Weak password rules, session issues
A08 Data Integrity Unsafe deserialization, unverified updates
A09 Logging Failures Sensitive data in logs, missing audit
A10 SSRF Unvalidated URL fetches
Step 4: Categorize Findings
Severity levels:
Level Examples Action
Critical Exposed secrets, RCE, SQL injection Block deployment
High XSS, CSRF, auth bypass Fix before merge
Medium Insecure cookies, weak crypto Fix in sprint
Low Info disclosure, best practices Track for later
Step 5: Generate Report
Format findings clearly:
Security Scan Report
Critical (2)
1. Hardcoded API Key
- File: src/api/client.ts:42
- Pattern:
apiKey = "sk_live_..." - Risk: Credential exposure in source control
- Fix: Move to environment variable
// Before
const apiKey = "sk_live_abc123...";
// After
const apiKey = process.env.API_KEY;
- SQL Injection Risk
-
File: src/db/users.ts:23
-
Pattern: String concatenation in query
-
Risk: SQL injection allows data theft
-
Fix: Use parameterized queries
// Before
db.query(SELECT * FROM users WHERE id = ${userId});
// After db.query("SELECT * FROM users WHERE id = $1", [userId]);
High (1)
- XSS via dangerouslySetInnerHTML
-
File: src/components/Article.tsx:15
-
Risk: User content rendered as HTML
-
Fix: Sanitize with DOMPurify
import DOMPurify from "dompurify"; <div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(content) }} />;
Summary
Severity Count
Critical 2
High 1
Medium 3
Low 5
Common Remediation Patterns
Environment variables for secrets:
// Use dotenv or platform env
const secret = process.env.SECRET_KEY;
if (!secret) throw new Error('SECRET_KEY required');
Parameterized queries:
// Prisma (safe by default)
await prisma.user.findUnique({ where: { id: userId } });
// Raw SQL with parameters
await db.query("SELECT * FROM users WHERE id = $1", [userId]);
XSS prevention:
// React - avoid dangerouslySetInnerHTML
// If needed, sanitize first
import DOMPurify from "dompurify";
const clean = DOMPurify.sanitize(userContent);
CSRF protection:
// Use CSRF tokens in forms
<input type="hidden" name="_csrf" value={csrfToken} />
// Validate on server
if (req.body._csrf !== req.session.csrfToken) {
throw new Error('CSRF validation failed');
}
Secure headers:
// Next.js next.config.js
const securityHeaders = [
{ key: "X-Content-Type-Options", value: "nosniff" },
{ key: "X-Frame-Options", value: "DENY" },
{ key: "X-XSS-Protection", value: "1; mode=block" },
{
key: "Strict-Transport-Security",
value: "max-age=31536000; includeSubDomains",
},
];
Validation
Before completing:
- All critical issues addressed
- High severity issues have remediation plan
- No secrets in committed code
- Dependencies updated for known CVEs
- Security headers configured
Error Handling
- Scanner not installed: Run npm install -g <tool>
or use npx.
- Too many results: Filter by severity or scope to changed files.
- False positives: Review context before reporting; exclude test fixtures.
- Unsure about severity: Default to higher severity; security errs on caution.
Resources
- OWASP Top 10
- OWASP Cheat Sheet Series
- Semgrep Rules
- Snyk Vulnerability DB