Security Scanning
Automate vulnerability detection in code and dependencies.
Dependency Scanning
JavaScript (npm)
Run audit
npm audit --json > security-audit.json
Check severity counts
CRITICAL=$(npm audit --json | jq '.metadata.vulnerabilities.critical') HIGH=$(npm audit --json | jq '.metadata.vulnerabilities.high')
if [ "$CRITICAL" -gt 0 ] || [ "$HIGH" -gt 0 ]; then echo "🚨 $CRITICAL critical, $HIGH high vulnerabilities" fi
Auto-fix
npm audit fix
Python (pip-audit)
pip-audit --format=json > security-audit.json
Using safety
safety check --json > security-audit.json
Static Analysis (SAST)
Semgrep
Run with security rules
semgrep --config=auto --json > semgrep-results.json
Count findings
CRITICAL=$(cat semgrep-results.json | jq '[.results[] | select(.extra.severity == "ERROR")] | length')
Bandit (Python)
bandit -r . -f json -o bandit-report.json
HIGH=$(cat bandit-report.json | jq '[.results[] | select(.issue_severity == "HIGH")] | length')
Secret Detection
TruffleHog
trufflehog git file://. --json > secrets-scan.json
Gitleaks
gitleaks detect --source . --report-format json
Check results
SECRET_COUNT=$(cat secrets-scan.json | jq '. | length') if [ "$SECRET_COUNT" -gt 0 ]; then echo "🚨 $SECRET_COUNT secrets detected!" fi
Container Scanning
Trivy
trivy image myapp:latest --format json > trivy-scan.json
CRITICAL=$(cat trivy-scan.json | jq '[.Results[].Vulnerabilities[]? | select(.Severity == "CRITICAL")] | length')
Pre-commit Hooks (2026 Best Practice)
Shift-left security by catching issues before commit:
.pre-commit-config.yaml
repos:
Secret detection - MUST HAVE
- repo: https://github.com/gitleaks/gitleaks
rev: v8.18.0
hooks:
- id: gitleaks
Python security
- repo: https://github.com/PyCQA/bandit
rev: 1.7.7
hooks:
- id: bandit args: ["-c", "pyproject.toml", "-r", "."] exclude: ^tests/
Semgrep for SAST
- repo: https://github.com/semgrep/semgrep
rev: v1.52.0
hooks:
- id: semgrep args: ["--config", "auto", "--error"]
Detect AWS credentials, private keys
- repo: https://github.com/Yelp/detect-secrets
rev: v1.4.0
hooks:
- id: detect-secrets args: ["--baseline", ".secrets.baseline"]
Install and setup
pip install pre-commit pre-commit install
Run on all files (first time)
pre-commit run --all-files
Update hooks to latest versions
pre-commit autoupdate
Baseline for detect-secrets (ignore false positives):
Generate baseline
detect-secrets scan > .secrets.baseline
Audit false positives
detect-secrets audit .secrets.baseline
CI Integration
GitHub Actions
- name: Security scan run: | npm audit --json > audit.json CRITICAL=$(jq '.metadata.vulnerabilities.critical' audit.json) if [ "$CRITICAL" -gt 0 ]; then echo "::error::Critical vulnerabilities found" exit 1 fi
Escalation Thresholds
Severity Threshold Action
Critical Any BLOCK
High
5 BLOCK
Moderate
20 WARNING
Low
50 WARNING
Evidence Recording
context.quality_evidence.security_scan = { executed: true, tool: 'npm audit', critical: 2, high: 5, moderate: 10, timestamp: new Date().toISOString() };
Key Decisions
Decision Recommendation
JS dependencies npm audit
Python dependencies pip-audit
Code analysis Semgrep
Secrets TruffleHog or Gitleaks
Pre-commit gitleaks + detect-secrets
Shift-left Always use pre-commit hooks
Common Mistakes
-
Ignoring audit warnings
-
No CI integration
-
Not blocking on critical
-
Missing secret scanning
Related Skills
-
owasp-top-10
-
Vulnerability context
-
devops-deployment
-
CI/CD integration
-
code-review-playbook
-
Review process
Capability Details
dependency-scanning
Keywords: npm audit, pip-audit, dependency, vulnerability Solves:
-
Scan npm dependencies
-
Audit Python packages
-
Find vulnerable dependencies
secret-detection
Keywords: secret, credential, api key, trufflehog, gitleaks Solves:
-
Detect secrets in code
-
Scan for API keys
-
Find exposed credentials
api-security-audit
Keywords: api, audit, security, example Solves:
-
API security audit example
-
Security review checklist
-
Real audit walkthrough
audit-template
Keywords: template, audit, report, security Solves:
-
Security audit template
-
Audit report structure
-
Copy-paste audit format