Security Scanner

OWASP Top 10 security scanner. Finds injection, XSS, broken auth, hardcoded secrets, vulnerable dependencies. Severity-ranked actionable report.

@api/security-scanner

security
owasp
scanner
devtools

Security Scanner

Purpose: Scan a codebase for security vulnerabilities following OWASP Top 10 and common CVE patterns. Produces an actionable report with severity rankings.


Invocation

```
/security-scan [path] [--severity critical|high|medium|all]
```

Default: scan entire project, report all severities.


Vulnerability Categories

A01: Broken Access Control

  • Missing auth middleware on protected routes
  • Direct object reference without ownership check
  • CORS misconfiguration (Access-Control-Allow-Origin reflecting the request Origin together with Access-Control-Allow-Credentials: true, or a wildcard * on endpoints that serve authenticated data)
  • Missing CSRF tokens on state-changing operations

A02: Cryptographic Failures

  • Hardcoded secrets, API keys, tokens in source
  • Weak or unsalted password hashing (MD5, SHA-1, or a plain fast hash such as SHA-256) instead of a slow salted KDF such as Argon2id, scrypt, bcrypt or PBKDF2
  • Missing HTTPS enforcement
  • Sensitive data in URL parameters or logs
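The weak-hashing item above is easier to act on with the two shapes side by side. The block below is an added example, not part of the skill; it uses only the Python standard library, so PBKDF2-HMAC-SHA256 stands in for Argon2id or bcrypt (which need third-party packages), and the 600,000 iteration count is the work factor assumed here, to be re-tuned per deployment. The `md5_hash` function is the pattern the scanner flags; `hash_password` and `verify_password` are the replacement.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Work factor assumed for this example (OWASP's current PBKDF2-HMAC-SHA256 figure); re-tune per hardware.
ITERATIONS = 600_000


def md5_hash(password: str) -> str:
    # WEAK, the pattern the scanner reports: fast and unsalted, so equal passwords collide
    # across users and precomputed tables or GPU cracking recover them cheaply.
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    # Per-user random salt plus a deliberately slow KDF. The stored string is self-describing
    # (algorithm, iterations, salt, digest) so the work factor can be raised later without a flag day.
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(
        ITERATIONS, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())


def verify_password(password: str, stored: str) -> bool:
    try:
        algo, iters, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False  # malformed or legacy record, e.g. a bare MD5 digest
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    # Constant-time comparison so response timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, expected)
```

Two equal passwords produce the same `md5_hash` but different `hash_password` records, which is the property that defeats rainbow tables and cross-user matching; the verify path rejects anything that is not a current-format record, which is how a migration from MD5 forces a rehash on next login.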

A03: Injection

  • SQL injection via string interpolation
  • NoSQL injection through unsanitized query objects
  • OS command injection: user input in a command string passed to exec(), os.system(), or spawn()/subprocess with a shell enabled (spawn() with an argument array and no shell does not go through a shell parser)
  • LDAP, XPath, or template injection
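The first injection item, SQL built by string interpolation, is the one the scanner rates CRITICAL, so here is the vulnerable shape next to its parameterized fix with the attacker input actually sent through both. This is an added example, not code from the skill; it uses an in-memory sqlite3 table with constructed rows as a stand-in for the `users` table the report cites, and `PAYLOAD` is a constructed attacker value.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data standing in for the users table in the report.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "alice@example.com", "admin"),
        (2, "bob@example.com", "user"),
        (3, "carol@example.com", "user"),
    ])
    return db


def get_user_vulnerable(db: sqlite3.Connection, user_id: str) -> list:
    # VULNERABLE (A03): the value becomes part of the SQL text, so quotes in it change the query.
    query = f"SELECT id, email, role FROM users WHERE id = '{user_id}'"
    return db.execute(query).fetchall()


def get_user_safe(db: sqlite3.Connection, user_id: str) -> list:
    # FIXED: the value travels as a bound parameter and is never parsed as SQL.
    return db.execute("SELECT id, email, role FROM users WHERE id = ?", (user_id,)).fetchall()


PAYLOAD = "1' OR '1'='1"  # constructed attacker input: closes the quote and adds a tautology


def demo() -> dict:
    db = make_db()
    return {
        "vulnerable": get_user_vulnerable(db, PAYLOAD),  # every row leaks
        "safe": get_user_safe(db, PAYLOAD),              # no row has that literal id
        "safe_valid": get_user_safe(db, "2"),            # normal lookups still work
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The payload turns the vulnerable query into `WHERE id = '1' OR '1'='1'`, which matches all three rows; the parameterized version compares the column against the whole string as one value and matches nothing, while a legitimate id still resolves.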

A04: Insecure Design

  • Missing rate limiting on auth endpoints
  • No account lockout after failed attempts
  • Password reset tokens without expiry
  • Predictable resource IDs

A05: Security Misconfiguration

  • Debug mode enabled in production config
  • Default credentials in configuration files
  • Verbose error messages exposing stack traces
  • Unnecessary HTTP methods enabled

Cross-Site Scripting (XSS) (grouped under A03: Injection in the 2021 OWASP Top 10; reported as its own row below)

  • Unescaped user input rendered as HTML
  • dangerouslySetInnerHTML without sanitization
  • Event handler injection through user-controlled attributes
  • SVG/XML injection

A06: Vulnerable and Outdated Components

  • Dependencies with known CVEs (check package-lock.json / requirements.txt against advisory databases)

A08: Software and Data Integrity Failures

  • Missing Subresource Integrity (integrity=...) on scripts and styles loaded from a CDN
  • Unsigned or unverified updates and build artifacts

A09: Logging & Monitoring Failures

  • Sensitive data in log output (passwords, tokens, PII)
  • Missing audit logging for admin operations
  • No logging of rate-limit hits or authentication failures

Scan Process

  1. File Discovery — Glob for source files (.ts, .js, .py, .go, .rb, .java)
  2. Pattern Matching — AST-aware scan for vulnerability patterns
  3. Dependency Audit — Check package-lock.json / requirements.txt against advisory databases
  4. Secret Detection — Regex scan for API keys, tokens, passwords
  5. Configuration Review — Check env files, Docker configs, CI/CD pipelines
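The five steps above, carried through end to end on a small constructed project, as an added example that is not the skill's own implementation. It keeps to Python sources and the standard library: step 1 is replaced by an in-memory `{path: contents}` dict, step 2 walks the `ast` of each `.py` file instead of grepping, step 3 checks `requirements.txt` against a constructed advisory table, step 4 runs secret-shape regexes, step 5 catches `DEBUG = True`, and the findings come out severity-ranked in the Output Format shape below. The AWS key in the sample is a made-up value and `examplelib` is a fictional package.

```python
import ast
import re
from dataclasses import dataclass

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}
ICON = {"CRITICAL": "🔴", "HIGH": "🟠", "MEDIUM": "🟡", "LOW": "🟢"}


@dataclass
class Finding:
    severity: str
    category: str
    location: str
    message: str
    fix: str


# Step 4 (secret detection): one well-known key shape plus a generic quoted credential assignment.
SECRET_PATTERNS = {
    "AWS access key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "Quoted credential": re.compile(r"(?i)\b(?:api[_-]?key|secret|token|password)\s*[=:]\s*['\"][^'\"]{8,}['\"]"),
}
PLACEHOLDER = re.compile(r"(?i)your[-_]|changeme|xxx|example|<[^>]*>")  # obvious placeholders are not findings

# Step 3 (dependency audit): constructed offline stand-in for an advisory database lookup.
ADVISORIES = {("examplelib", "1.0.0"): ("HIGH", "matches constructed advisory EX-0001")}


def scan_secrets(path, text):
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pat in SECRET_PATTERNS.items():
            m = pat.search(line)
            if m:
                if not PLACEHOLDER.search(m.group(0)):
                    yield Finding("HIGH", "A02:Crypto", f"{path}:{lineno}", f"{name} appears to be hardcoded.",
                                  "Load it from a secret store or the environment and rotate the exposed value.")
                break  # one secret finding per line


def _is_dynamic_string(node):
    # f-string, "..." % x, "..." + x or "...".format(x): query text assembled at runtime.
    return (isinstance(node, ast.JoinedStr)
            or (isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)))
            or (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) and node.func.attr == "format"))


def scan_python(path, text):
    # Step 2: walk the AST rather than grepping, so comments and string contents cannot trigger a hit.
    for node in ast.walk(ast.parse(text, filename=path)):
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
            attr = node.func.attr
            if attr in ("execute", "executemany") and node.args and _is_dynamic_string(node.args[0]):
                yield Finding("CRITICAL", "A03:Injection", f"{path}:{node.lineno}",
                              "SQL query built with string interpolation using runtime values.",
                              "Bind parameters: cur.execute('SELECT ... WHERE id = ?', (user_id,))")
            if attr in ("run", "Popen", "call", "check_output") and any(
                    kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
                    for kw in node.keywords):
                yield Finding("CRITICAL", "A03:Injection", f"{path}:{node.lineno}",
                              "subprocess invoked with shell=True; the command string is parsed by a shell.",
                              "Drop shell=True and pass an argument list with validated user-supplied parts.")
        elif (isinstance(node, ast.Assign) and any(isinstance(t, ast.Name) and t.id == "DEBUG" for t in node.targets)
              and isinstance(node.value, ast.Constant) and node.value.value is True):
            yield Finding("MEDIUM", "A05:Misconfig", f"{path}:{node.lineno}",  # step 5 (configuration review)
                          "DEBUG = True in configuration; stack traces and internals reach end users.",
                          "Default DEBUG to False and enable it only through a local environment override.")


def scan_requirements(path, text):
    for lineno, line in enumerate(text.splitlines(), 1):
        m = re.match(r"\s*([A-Za-z0-9_.-]+)==(\S+)", line)
        if m and (m.group(1).lower(), m.group(2)) in ADVISORIES:
            severity, note = ADVISORIES[(m.group(1).lower(), m.group(2))]
            yield Finding(severity, "A06:VulnComponents", f"{path}:{lineno}", f"{m.group(0).strip()} {note}.",
                          "Upgrade to a patched release and re-run the dependency audit.")


def scan_project(files):
    # Step 1 (file discovery) is replaced by an in-memory {path: contents} dict so this runs offline.
    findings = []
    for path, text in files.items():
        findings += scan_secrets(path, text)
        if path.endswith(".py"):
            findings += scan_python(path, text)
        elif path.endswith("requirements.txt"):
            findings += scan_requirements(path, text)
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.location))


def render(findings):
    # Same line shape as the Output Format section.
    return "\n\n".join(f"{ICON[f.severity]} {f.severity} | {f.category} | {f.location}\n  {f.message}\n  Fix: {f.fix}"
                       for f in findings)


# Constructed sample project exercising each check; the AKIA value is made up.
SAMPLE_PROJECT = {
    "src/api/users.py": (
        "import sqlite3, subprocess\n"
        "def get_user(cur, user_id):\n"
        "    return cur.execute(f\"SELECT * FROM users WHERE id = '{user_id}'\").fetchall()\n"
        "def ping(host):\n"
        "    return subprocess.run('ping -c1 ' + host, shell=True)\n"
    ),
    "settings.py": "DEBUG = True\nAWS_ACCESS_KEY_ID = 'AKIAQ7X2ZJ4M9P6L8N3B'\n",
    ".env.example": "API_KEY=your-api-key-here\n",
    "requirements.txt": "examplelib==1.0.0\nflask==3.0.3\n",
}

if __name__ == "__main__":
    print(render(scan_project(SAMPLE_PROJECT)))
```

Running it against the sample yields two CRITICAL injection findings, two HIGH findings (the advisory match and the hardcoded key), and one MEDIUM misconfiguration, while the placeholder in `.env.example` is correctly skipped. The AST walk is what keeps the SQL check from firing on a comment that merely mentions `execute(f"...")`; a pure regex scanner would report it.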

Output Format

```
🔴 CRITICAL | A03:Injection | src/api/users.ts:42
  SQL query built with string concatenation using user input.
  Fix: Use parameterized query: db.query('SELECT * FROM users WHERE id = $1', [userId])

🟡 MEDIUM | A02:Crypto | .env.example:3
  Example env file contains what appears to be a real API key.
  Fix: Replace with placeholder value: API_KEY=your-api-key-here
```

Summary Report

| Category       | Critical | High | Medium | Low |
|----------------|----------|------|--------|-----|
| Injection      | 1        | 0    | 0      | 0   |
| Access Control | 0        | 2    | 1      | 0   |
| Crypto         | 0        | 0    | 1      | 2   |
| XSS            | 0        | 1    | 0      | 0   |
| Total          | 1        | 3    | 2      | 2   |
Info

Created February 18, 2026
Version 1.0.0
User-invoked
Terminal output
