Agent-Skills.md

Agent Skills: Security Scan

Run security checks before PR including secrets, vulnerabilities, and best practices

UncategorizedID: IHKREDDY/agent-skills-ts/security-scan

Repository

IHKREDDY/agent-skills-ts
IHKREDDY

Install this agent skill to your local

pnpm dlx add-skill https://github.com/IHKREDDY/agent-skills-ts/tree/HEAD/skills/security-scan

Skill Files

Browse the full folder contents for security-scan.

Download Skill

Loading file tree…

skills/security-scan/SKILL.md

Skill Metadata

Name
security-scan
Description
Run security checks before PR including secrets, vulnerabilities, and best practices

Security Scan

Performs comprehensive security analysis before PR submission, checking for secrets, vulnerabilities, insecure patterns, and security best practices.

🎯 Use Case Demo

Scenario: Pre-PR Security Review

Before (Manual Process):

Developer ready to submit PR, tries to remember security checks:

  • "Did I accidentally commit any secrets?"
  • "Are my dependencies secure?"
  • "Is my input validation sufficient?"
  • Forgets to check, security issue found in review (or worse, production)

Time: Often skipped, caught late or never

After (With This Skill):

Developer: "Run security scan before I create PR"

Agent Response:

πŸ” SECURITY SCAN REPORT
═══════════════════════════════════════════════════════════════

πŸ“… Scan Date: December 20, 2024
πŸ“ Files Scanned: 12 changed files
πŸ” Branch: feature/payment-integration

═══════════════════════════════════════════════════════════════
πŸ“Š SCAN SUMMARY
═══════════════════════════════════════════════════════════════

| Category | Status | Issues |
|----------|--------|--------|
| Secrets Detection | πŸ”΄ FAIL | 2 found |
| Dependency Vulnerabilities | 🟑 WARN | 1 medium |
| Input Validation | πŸ”΄ FAIL | 3 missing |
| SQL Injection | βœ… PASS | 0 found |
| XSS Prevention | βœ… PASS | 0 found |
| Authentication | βœ… PASS | Properly secured |
| Logging Security | 🟑 WARN | PII in logs |

Overall: πŸ”΄ BLOCKED - Fix critical issues before PR

═══════════════════════════════════════════════════════════════
🚨 CRITICAL: SECRETS DETECTED
═══════════════════════════════════════════════════════════════

β›” MUST FIX BEFORE PR - These will block your commit

1. API Key Detected
   πŸ“ Services/PaymentService.cs:34
   ```csharp
   private const string StripeKey = "sk_live_XXXXXXXXXXXXXXXXXXXX";

πŸ”§ Fix: Move to environment variable or secrets manager

private readonly string _stripeKey = Environment.GetEnvironmentVariable("STRIPE_API_KEY");
  1. Connection String with Password πŸ“ appsettings.json:12 
    "ConnectionString": "Server=db.prod.com;Password=SuperSecret123!"
    πŸ”§ Fix: Use Azure Key Vault or environment variables

═══════════════════════════════════════════════════════════════ πŸ”΄ INPUT VALIDATION MISSING ═══════════════════════════════════════════════════════════════

  1. Missing Validation: CreateBooking endpoint πŸ“ Controllers/BookingsController.cs:45

    public async Task<IActionResult> Create([FromBody] BookingRequest request)
{
    // No validation before processing
    await _service.CreateBooking(request);

    πŸ”§ Fix: Add FluentValidation or DataAnnotations

    public async Task<IActionResult> Create([FromBody] BookingRequest request)
{
    if (!ModelState.IsValid)
        return BadRequest(ModelState);

  2. Email Not Validated πŸ“ Models/BookingRequest.cs:15

    public string Email { get; set; }  // No validation

    πŸ”§ Fix: Add email validation attribute

    [Required]
[EmailAddress]
public string Email { get; set; }

  3. Numeric Range Not Checked πŸ“ Models/SearchRequest.cs:8

    public int Passengers { get; set; }  // Could be negative or huge

    πŸ”§ Fix: Add range validation

    [Range(1, 9)]
public int Passengers { get; set; }

═══════════════════════════════════════════════════════════════ 🟑 WARNINGS (Recommended Fixes) ═══════════════════════════════════════════════════════════════

  1. Dependency Vulnerability πŸ“¦ System.Text.Json 7.0.2 CVE: CVE-2024-1234 (Medium severity) Fix: Upgrade to 7.0.4

    dotnet add package System.Text.Json --version 7.0.4

  2. PII in Logs πŸ“ Services/BookingService.cs:89

    _logger.LogInformation($"Booking created for {request.Email}");

    πŸ”§ Fix: Mask or remove PII from logs

    _logger.LogInformation($"Booking created for {MaskEmail(request.Email)}");

═══════════════════════════════════════════════════════════════ βœ… PASSED CHECKS ═══════════════════════════════════════════════════════════════

βœ… No SQL injection vulnerabilities

  • All queries use parameterized statements
  • Entity Framework properly configured

βœ… No XSS vulnerabilities

  • Output encoding in place
  • Content-Security-Policy configured

βœ… Authentication properly implemented

  • JWT validation configured
  • Endpoints have [Authorize] attributes

βœ… HTTPS enforced

  • UseHttpsRedirection() in place
  • HSTS configured

═══════════════════════════════════════════════════════════════ πŸ“‹ ACTION REQUIRED ═══════════════════════════════════════════════════════════════

Before creating PR, you must:

β–‘ Remove hardcoded secrets (2 issues) β–‘ Add input validation (3 issues)

Recommended (not blocking): β–‘ Update vulnerable dependency β–‘ Remove PII from logs

Run "Apply security fixes" to auto-fix where possible.

═══════════════════════════════════════════════════════════════

Result: Potential security breach prevented before code even reaches review

Agent Instructions

When this skill is activated:

  1. Secrets Detection:

    • Scan for API keys, tokens, passwords
    • Check for patterns: sk_live_, api_key, password=
    • Look in: source files, config files, .env files
    • Check git history for accidentally committed secrets

  2. Dependency Vulnerabilities:

    • Run dotnet list package --vulnerable
    • Check npm audit for Node.js
    • Cross-reference with CVE databases

  3. Input Validation:

    • Check all API endpoints for validation
    • Verify model attributes (Required, Range, etc.)
    • Look for raw string inputs without sanitization

  4. SQL Injection:

    • Look for string concatenation in queries
    • Verify parameterized queries usage
    • Check raw SQL execution

  5. XSS Prevention:

    • Check output encoding
    • Verify CSP headers
    • Look for @Html.Raw() usage

  6. Authentication/Authorization:

    • Verify [Authorize] attributes on endpoints
    • Check JWT configuration
    • Look for authorization bypass patterns

  7. Logging Security:

    • Check for PII in log statements
    • Verify sensitive data not logged

  8. Generate Report:

    • Categorize by severity
    • Provide specific fix recommendations
    • Block PR if critical issues found

Example Prompts

  • "Run security scan before PR"
  • "Check for security vulnerabilities"
  • "Are there any hardcoded secrets?"
  • "Scan my changes for security issues"
  • "Pre-commit security check"

Checks Performed

| Check | Description | Severity | |-------|-------------|----------| | Secrets | API keys, passwords, tokens | πŸ”΄ Critical | | SQL Injection | Unsanitized queries | πŸ”΄ Critical | | Input Validation | Missing or weak validation | πŸ”΄ High | | Dependencies | Known CVEs | 🟑 Medium | | XSS | Cross-site scripting | πŸ”΄ High | | PII Logging | Personal data in logs | 🟑 Medium | | Auth Bypass | Missing authorization | πŸ”΄ Critical |

Benefits

| Metric | Before | After | Improvement | |--------|--------|-------|-------------| | Security issues caught | In production | Before PR | 100% earlier | | Time to detect secrets | Days/weeks | Seconds | Immediate | | Developer security knowledge | Variable | Guided | Learning tool | | Security review time | Hours | Minutes | 90% faster |