security-scan

Use when you need comprehensive security scanning across applications, infrastructure, and dependencies with LLM-based analysis

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "security-scan" with this command: npx skills add wojons/skills/wojons-skills-security-scan

Security Scanning

Perform comprehensive security scanning across your entire stack including applications, infrastructure, containers, dependencies, and cloud environments. This skill integrates LLM-based security analysis with industry-standard tools to identify vulnerabilities, misconfigurations, and security weaknesses.

When to use me

Use this skill when:

  • You need a complete security assessment of your application and infrastructure
  • You want to integrate multiple security scanning tools into a unified workflow
  • You need LLM-powered analysis to identify complex security issues
  • You're preparing for security audits or compliance certifications
  • You want to establish baseline security scanning in CI/CD pipelines
  • You need to scan across multiple environments (cloud, containers, infrastructure)

What I do

  • LLM-based security analysis: Use AI to identify complex security patterns, business logic flaws, and novel vulnerabilities
  • Integrated tool ecosystem: Orchestrate OWASP ZAP, Snyk, Trivy, Nessus, and other security scanners
  • Multi-layer scanning: Application (SAST/DAST), infrastructure (IaC scanning), containers, dependencies, cloud configurations
  • Vulnerability correlation: Correlate findings across different scanning tools to prioritize critical issues
  • Compliance mapping: Map vulnerabilities to compliance frameworks (SOC 2, ISO 27001, HIPAA, GDPR)
  • Remediation guidance: Provide specific, actionable remediation steps for each finding
  • Risk scoring: Calculate risk scores based on CVSS, exploit availability, and business impact

Examples

# Run comprehensive security scan
./scripts/security-scan.sh --target https://app.example.com

# Scan Docker containers
./scripts/security-scan.sh --container myapp:latest

# Scan infrastructure as code
./scripts/security-scan.sh --iac terraform/

# Generate compliance report
./scripts/security-scan.sh --compliance soc2

# LLM-powered security analysis
./scripts/security-scan.sh --llm-analysis --context "Payment processing system"

Output format

Security Scan Report
─────────────────────────────────────
Scan Date: 2025-01-15T10:30:00Z
Target: https://app.example.com
Scan Duration: 2m 45s

CRITICAL FINDINGS (3):
────────────────────────
❌ SQL Injection in /api/users endpoint
   Risk: Critical (CVSS 9.8)
   Detection: OWASP ZAP + LLM analysis
   Remediation: Use parameterized queries, implement input validation
   Compliance Impact: PCI DSS 6.5.1, OWASP A1

❌ Hard-coded AWS credentials in config file
   Risk: Critical (CVSS 8.9)
   Detection: TruffleHog + LLM pattern matching
   Remediation: Move to AWS Secrets Manager, rotate credentials
   Compliance Impact: SOC 2 CC6.1, ISO 27001 A.9.4.1

❌ Unpatched vulnerability in nginx:1.18 (CVE-2021-23017)
   Risk: Critical (CVSS 9.1)
   Detection: Trivy container scan
   Remediation: Upgrade to nginx 1.20+, apply security patches
   Compliance Impact: PCI DSS 6.2, ISO 27001 A.12.6.1

HIGH FINDINGS (8):
───────────────────
⚠️ Missing Content Security Policy header
⚠️ Excessive permissions in IAM role (AdminAccess)
⚠️ Outdated OpenSSL library (CVE-2022-2068)
⚠️ Docker container running as root
⚠️ API endpoint without rate limiting
⚠️ Sensitive data in application logs
⚠️ Missing MFA for administrative access
⚠️ Unencrypted S3 bucket

MEDIUM/LOW FINDINGS (14):
──────────────────────────
ℹ️ Security headers missing (X-Frame-Options, X-Content-Type-Options)
ℹ️ Verbose error messages revealing system information
ℹ️ Session timeout too long (24 hours)
ℹ️ Cross-site request forgery (CSRF) protection missing

LLM SECURITY ANALYSIS:
──────────────────────
🔍 Business Logic Vulnerabilities:
   • Payment amount manipulation possible in checkout flow
   • Privilege escalation via IDOR in admin panel
   • Race condition in inventory reservation system

🔍 Architectural Security Issues:
   • Monolithic architecture increases attack surface
   • Lack of network segmentation between tiers
   • Insufficient logging for security events

🔍 Compliance Gaps:
   • Missing data retention policy implementation
   • Inadequate incident response procedures
   • Insufficient employee security training documentation

SUMMARY:
────────
Total Findings: 25
Critical: 3 | High: 8 | Medium: 9 | Low: 5
Risk Score: 78/100 (High Risk)
Compliance Status: 65% compliant with SOC 2

RECOMMENDATIONS:
────────────────
1. IMMEDIATE ACTION: Fix 3 critical vulnerabilities within 24 hours
2. PRIORITY: Address 8 high-risk issues within 7 days
3. IMPROVEMENTS: Implement security controls for medium/low issues
4. ARCHITECTURAL: Consider microservices segmentation, zero-trust network
5. PROCESS: Establish security training program, incident response plan

Notes

  • Integrates with existing CI/CD pipelines and security tools
  • LLM analysis requires careful validation to avoid false positives
  • Different scanning tools may have different licensing requirements
  • Some scanners require authentication tokens or API keys
  • Always validate findings before taking remediation actions
  • Consider running scans during off-peak hours to minimize performance impact
  • Regular scanning (daily/weekly) recommended for production systems
  • Keep scanning tools updated to detect latest vulnerabilities

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Security

accessibility-audit

No summary provided by upstream source.

Repository SourceNeeds Review
18-wojons
Security

testing-security

No summary provided by upstream source.

Repository SourceNeeds Review
18-wojons
General

adversarial-thinking

No summary provided by upstream source.

Repository SourceNeeds Review
23-wojons
General

redteam

No summary provided by upstream source.

Repository SourceNeeds Review
23-wojons