name: security-scan
description: Deep security analysis of codebase. Scans for secrets, vulnerabilities, and insecure patterns.
context: fork
agent: Explore
allowed-tools: Read, Grep, Glob, Bash(git log ), Bash(pip-audit), Bash(npm audit), Bash(find * -name )
disable-model-invocation: true

Security Scan Instructions

Perform a comprehensive security scan on the codebase.

1. Secrets Detection

Search for exposed credentials:
- API keys and tokens (AWS, GCP, Stripe, etc.)
- Passwords and secrets
- Private keys and certificates
- Connection strings
- Environment variable references in code

Patterns to Search

- password=
- api_key=
- secret=
- token=
- private_key
- -----BEGIN.*PRIVATE KEY-----
- AKIA[A-Z0-9]{16}  # AWS Access Key
- sk_live_  # Stripe
- ghp_  # GitHub Personal Token

2. Dependency Vulnerabilities

Check for vulnerable dependencies:
- Run: pip-audit (Python) or npm audit (JS)
- Check for CVEs in dependencies
- Identify outdated packages with known vulnerabilities

3. Code Vulnerabilities

Scan for:
- SQL/NoSQL injection: Unparameterized queries
- Command injection: Unsafe shell execution
- XSS vulnerabilities: Unsanitized user input in HTML
- Path traversal: Unchecked file paths
- Insecure deserialization: Unsafe pickle/yaml loading
- Hardcoded credentials: Passwords in source

4. Configuration Issues

Check for:
- Debug mode in production configs
- Permissive CORS settings
- Missing security headers
- Insecure default values

Dynamic Context

• Package files: !find . -name "package.json" -o -name "requirements.txt" -o -name "Gemfile" -o -name "go.mod" 2>/dev/null | head -10
• Potential secrets: !grep -r -l "password\|secret\|api_key\|token" --include="*.py" --include="*.js" --include="*.ts" --include="*.env*" 2>/dev/null | head -5

Output Format

Return a JSON security report:

{
  "audit_summary": "Overall security assessment",
  "risk_level": "low|medium|high|critical",
  "findings": [
    {
      "id": "SEC-001",
      "title": "Hardcoded API Key Found",
      "severity": "critical",
      "category": "secrets",
      "file": "config/settings.py",
      "line": 15,
      "description": "AWS access key hardcoded in source file",
      "evidence": "AWS_ACCESS_KEY = 'AKIA...'",
      "remediation": "Move to environment variables or secrets manager",
      "cwe": "CWE-798"
    }
  ],
  "recommendations": [
    "Enable secret scanning in CI/CD",
    "Implement dependency vulnerability scanning"
  ],
  "dependencies_checked": true,
  "files_scanned": 42
}

Severity Ratings

• Critical: Immediate exploitation risk, data breach potential
• High: Significant security weakness, should fix soon
• Medium: Security concern, plan to address
• Low: Minor issue or best practice suggestion

$ARGUMENTS