Security Vulnerability Scanner

Security / Compliance

Continuous codebase security analysis with CVE detection and remediation guidance

Scans codebase for security vulnerabilities: hardcoded secrets, dependency CVEs, insecure configurations, OWASP Top 10 patterns, exposed API keys, and misconfigured CORS/CSP headers. Generates compliance reports (SOC2, ISO27001) with remediation steps and priority scores.

Time Saved

8-16 hours of manual security audit per sprint

Cost Reduction

$80K/year vs external penetration testing frequency

Risk Mitigation

Reduces security incident probability by 75%

System Prompt

You are a security analyst. Scan code and configuration for vulnerabilities.

Rules:
- Detect hardcoded secrets: API keys, passwords, tokens, private keys (regex + entropy analysis)
- Check dependencies against NVD/GitHub Advisory Database
- Identify OWASP Top 10 vulnerabilities in code patterns
- Analyze infrastructure configs: Dockerfiles, K8s manifests, Terraform
- Score each finding: CVSS 0-10
- Output JSON: { criticalCount: number, highCount: number, findings: [...], complianceGaps: [...], remediationPlan: [...] }

Always provide specific remediation steps, not just descriptions.

Skills

secret-patterns

<skill name="secret-patterns">
Secret detection patterns:
- AWS: AKIA[0-9A-Z]{16}
- GitHub: ghp_[a-zA-Z0-9]{36}
- Stripe: sk_live_[a-zA-Z0-9]{24}
- Generic API key: [a-zA-Z0-9]{32,} with high entropy (>4.5 Shannon)
- Private keys: -----BEGIN (RSA|EC|DSA) PRIVATE KEY-----
- JWT secrets: variable names containing "secret", "jwt_key", "signing_key"
- Database URLs: postgres://user:password@host (password in cleartext)

False positive reduction: ignore test files, example configs, documentation.
</skill>

Tools

scan_dependencies

Description: Checks project dependencies against CVE databases

Parameters:

{ "lockfile": { "type": "string", "description": "Content of package-lock.json, yarn.lock, or requirements.txt" } }

analyze_entropy

Description: Calculates Shannon entropy of strings to detect potential secrets

Parameters:

{ "strings": { "type": "array", "items": { "type": "string" } } }
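The secret-patterns skill and the analyze_entropy tool, combined into one scanner, as an added example (not code from this page or its product). The database-URL regex, the ignored-path markers, and every sample value are constructed assumptions.

```python
import math
import re
from collections import Counter

# Patterns as listed in the secret-patterns skill.
PATTERNS = {
    "aws_access_key": re.compile(r"AKIA[0-9A-Z]{16}"),
    "github_token": re.compile(r"ghp_[a-zA-Z0-9]{36}"),
    "stripe_live_key": re.compile(r"sk_live_[a-zA-Z0-9]{24}"),
    "private_key": re.compile(r"-----BEGIN (RSA|EC|DSA) PRIVATE KEY-----"),
    # Assumed regex form of "postgres://user:password@host".
    "database_url": re.compile(r"postgres://[^:/\s]+:[^@\s]+@[^\s/]+"),
}
GENERIC = re.compile(r"[a-zA-Z0-9]{32,}")
ENTROPY_THRESHOLD = 4.5  # bits per character, from the skill
# Assumed markers for "test files, example configs, documentation".
IGNORED = re.compile(r"(^|/)(tests?|docs?|examples?)/|\.example$|\.md$")


def shannon_entropy(s):
    """Shannon entropy of s in bits per character."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan(path, text):
    """Return (line_no, rule) findings for one file, in line order."""
    if IGNORED.search(path):
        return []
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        hits = [rule for rule, rx in PATTERNS.items() if rx.search(line)]
        if not hits:  # generic rule only when no specific pattern matched
            hits = ["generic_high_entropy"
                    for tok in GENERIC.findall(line)
                    if shannon_entropy(tok) > ENTROPY_THRESHOLD][:1]
        findings += [(no, rule) for rule in hits]
    return findings


# Constructed sample input; none of these values are real credentials.
SAMPLE = "\n".join([
    'aws = "AKIAIOSFODNN7EXAMPLE"',
    'stripe = "sk_live_' + "0a1B2c3D4e5F6g7H8i9J0k1L" + '"',
    'token = "q7Zp2LmX9vKt4RbN8cYh3WgD6sJf5TaE"',
    'md5 = "0123456789abcdef0123456789abcdef"',
    'db = "postgres://app:hunter2@db.internal/app"',
])
```

The 32-character hex string on line 4 of the sample tops out at 4.0 bits per character, so the generic rule's 4.5 threshold never fires on hex-encoded tokens. The Grading Suite input is also unmatched by these regexes (its prefix is sk_test_ and underscores break the 32-character run), so that case relies on the model rather than the patterns.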

MCP Integration

Pre-commit hook or CI pipeline stage. POST codebase snapshot to /api/mcp. Agent returns security report. Critical findings block deployment and notify security team.

Grading Suite

Detect hardcoded API key

Input:

const API_KEY = "sk_test_EXAMPLE_KEY_DO_NOT_USE_1234567890";

Criteria:

- output_match: identifies Stripe live key (weight: 0.4)
- output_match: CVSS score >= 8 (weight: 0.2)
- output_match: remediation suggests environment variables (weight: 0.2)
- schema_validation: valid JSON (weight: 0.2)