Scan code for security issues: dependency vulnerabilities (npm/pip audit), secret leaks (regex and entropy analysis), and OWASP anti-patterns like SQL injection, XSS, or command injection. Use when the user mentions security scans, vulnerability detection, secret leaks, API keys, OWASP, npm audit, pip-audit, hardcoded passwords, or code security checks.
Install with the open skills CLI (global, non-interactive — available in every Claude Code session):
npx skills add zebbern/claude-code-guide --skill "code-vuln-audit" -g -a claude-code -yOr manually — clone and copy the skill directory (SKILL.md + companion files):
git clone --depth 1 https://github.com/zebbern/claude-code-guide /tmp/claude-code-guide && cp -r /tmp/claude-code-guide/skills/code-vuln-audit ~/.claude/skills/code-vuln-auditThis skill is a directory: SKILL.md is the entry point; the files below ship with it.
---
name: code-vuln-audit
description: "Scan code for security issues: dependency vulnerabilities (npm/pip audit), secret leaks (regex and entropy analysis), and OWASP anti-patterns like SQL injection, XSS, or command injection. Use when the user mentions security scans, vulnerability detection, secret leaks, API keys, OWASP, npm audit, pip-audit, hardcoded passwords, or code security checks."
license: MIT
---
# code-vuln-audit
A code security scanning tool with three core scanning capabilities:
1. **Dependency Vulnerability Scanning** — Automatically detects known vulnerabilities in npm / pip dependencies
2. **Secret Leak Detection** — Discovers hardcoded secrets, tokens, and passwords via regex matching + Shannon entropy analysis
3. **OWASP Pattern Detection** — Identifies common security anti-patterns such as SQL injection, XSS, command injection, and insecure deserialization
## Quick Start
```bash
# Scan the current directory (all checks)
python3 scripts/security_scan.py .
# Scan dependencies only
python3 scripts/security_scan.py --mode deps .
# Detect secret leaks only
python3 scripts/security_scan.py --mode secrets /path/to/project
# Detect OWASP security patterns only
python3 scripts/security_scan.py --mode owasp .
# Output report in JSON format
python3 scripts/security_scan.py --format json --output report.json .
# Only show findings at high severity and above
python3 scripts/security_scan.py --severity high .
```
## Scan Module Details
### 1. Dependency Vulnerability Scanning (deps)
Automatically detects the project type and invokes the appropriate tool:
| Project Type | Detection File | Tool Used |
|---|---|---|
| Node.js | `package.json` + `package-lock.json` | `npm audit` |
| Python | `requirements.txt` / `pyproject.toml` / `Pipfile` | `pip-audit` |
If the corresponding audit tool is not installed, a helpful message is displayed instead of an error.
### 2. Secret Leak Detection (secrets)
Detection is performed in two ways:
**Regex Matching**: Covers common secret formats
| Secret Type | Example Pattern |
|---|---|
| AWS Access Key | 20-character string starting with `AKIA` |
| GitHub Token | Starts with `ghp_` or `github_pat_` |
| Slack Token | Starts with `xoxb-` or `xoxp-` |
| Stripe Key | Starts with `sk_live_` or `pk_live_` |
| Private Key File | `-----BEGIN PRIVATE KEY-----` |
| Generic API Key | Format like `api_key = "..."` |
| Credentials in URL | `https://user:pass@host` |
| JWT Token | `eyJ...` format |
**Shannon Entropy Analysis**: Computes information entropy for string constants in code (threshold > 4.5 and length >= 20) to discover secrets in non-standard formats.
### 3. OWASP Pattern Detection (owasp)
Covers statically detectable security patterns from the OWASP Top 10:
| OWASP Category | Detection Patterns |
|---|---|
| A02: Cryptographic Failures | Weak hashes (MD5/SHA1), weak ciphers (DES/RC4) |
| A03: Injection | SQL injection, command injection (os.system / subprocess shell / eval / exec), XSS (innerHTML / document.write / dangerouslySetInnerHTML / v-html) |
| A04: Insecure Design | Path traversal |
| A05: Security Misconfiguration | Debug mode enabled, CORS wildcard, binding to 0.0.0.0 |
| A08: Integrity Failures | Insecure deserialization (pickle / yaml.load / marshal / unserialize) |
| A10: SSRF | User input passed directly to HTTP requests |
Supported languages: Python, JavaScript/TypeScript, Java, PHP, Ruby, Go, and more.
## Parameters
| Parameter | Description | Default |
|---|---|---|
| `TARGET` | Directory to scan | Current directory |
| `--mode MODE` | Scan mode: `all`, `deps`, `secrets`, `owasp` | `all` |
| `--format FORMAT` | Output format: `text`, `json` | `text` |
| `--output FILE` | Output file path | stdout |
| `--severity LEVEL` | Minimum reporting level: `low`, `medium`, `high`, `critical` | `low` |
| `--exclude-dir DIR` | Additional directories to exclude (repeatable) | - |
| `--max-file-kb SIZE` | Maximum file size to scan in KB | `512` |
| `-h, --help` | Show help | - |
## Output Format
### Text Output (default)
```
=== Security Scan Report ===
Target: /path/to/project
Modules: deps, secrets, owasp
[CRITICAL] AWS Access Key ID
File: src/config.py:15
Code: AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
[HIGH] SQL Injection (f-string)
File: src/db.py:42
Code: cursor.execute(f"SELECT * FROM users WHERE id={user_id}")
--- Summary ---
Critical: 1 | High: 1 | Medium: 0 | Low: 0
Total findings: 2
```
### JSON Output
```json
{
"target": "/path/to/project",
"scan_time": "2026-04-14T10:30:00",
"findings": [
{
"scanner": "secrets",
"name": "AWS Access Key ID",
"severity": "critical",
"file": "src/config.py",
"line": 15,
"snippet": "AWS_KEY = \"AKIAIOSFODNN7EXAMPLE\"",
"category": "secret-pattern"
}
],
"summary": {"critical": 1, "high": 0, "medium": 0, "low": 0, "total": 1}
}
```
## Exit Codes
| Exit Code | Meaning |
|---|---|
| `0` | No findings |
| `1` | Findings present (at least one security issue) |
| `2` | Scanner internal error |
## Prerequisites
- Python 3.7+ (uses standard library only)
- Dependency scanning requires the corresponding tools: `npm` (for Node.js projects), `pip-audit` (for Python projects)
- If an audit tool is missing, that module will be skipped with a notice — other modules continue to run normally
Set up and use 1Password CLI (op). Use when installing the CLI, enabling desktop app integration, signing in, and reading/injecting secrets for commands.
Passive domain reconnaissance using Python stdlib. Subdomain discovery, SSL certificate inspection, WHOIS lookups, DNS records, domain availability checks, and bulk multi-domain analysis. No API keys required.
Read-only EVM client: wallets, tokens, gas across 8 chains.