Security Auditor
Comprehensive security scanning for codebases. Identifies vulnerabilities before they become incidents. Focuses on actionable findings with remediation guidance.
When to Use
Use for:
- Pre-deployment security audits
- Dependency vulnerability scanning
- Secret/credential leak detection
- Code-level SAST (Static Application Security Testing)
- Security posture reports for stakeholders
- OWASP Top 10 compliance checking
- Pre-PR security reviews
Do NOT use for:
- Runtime security (WAF, rate limiting) - use infrastructure tools
- Network security/firewall rules - use cloud/DevOps skills
- SOC2/HIPAA/PCI compliance - requires legal/organizational process
- Penetration testing execution - this is detection, not exploitation
Quick Start
Full Security Audit
# Run comprehensive scan
./scripts/full-audit.sh /path/to/project
# Output: security-report.json + summary
Quick Checks
# Dependency vulnerabilities only
npm audit --json > deps-audit.json
# Secret detection only
./scripts/detect-secrets.sh /path/to/project
# OWASP check specific file
./scripts/owasp-check.py /path/to/file.js
Core Scanning Capabilities
1. Dependency Scanning
| Package Manager | Command | Severity Levels |
|-----------------|---------|-----------------|
| npm | npm audit --json | critical, high, moderate, low |
| yarn | yarn audit --json | same as npm |
| pip | pip-audit --format json | critical, high, medium, low |
| cargo | cargo audit --json | same |
Decision Tree:
Critical severity found?
├── YES → Block deployment, immediate fix required
│ └── Check if patch available → npm audit fix --force
├── NO → High severity?
├── YES → Fix within sprint, document if deferred
└── NO → Low/Moderate → Track, fix during maintenance
2. Secret Detection
High-Risk Patterns:
- API keys:
/[A-Za-z0-9_]{20,}/near "key", "api", "secret" - AWS credentials:
AKIA[0-9A-Z]{16} - Private keys:
-----BEGIN (RSA|EC|OPENSSH) PRIVATE KEY----- - JWT tokens:
eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+ - Connection strings:
://[^:]+:[^@]+@
Entropy Analysis:
- Shannon entropy > 4.5 on strings > 20 chars = suspicious
- Base64-encoded blobs in source = investigate
False Positive Handling:
Secret-like pattern found?
├── In test file? → Lower severity, document
├── In example/docs? → Check if placeholder
├── High entropy + near "password"/"secret" → High confidence
└── In .env.example? → Acceptable if placeholder values
3. OWASP Top 10 Static Analysis
| # | Vulnerability | Detection Pattern | |---|---------------|-------------------| | A01 | Broken Access Control | Missing auth checks on routes | | A02 | Cryptographic Failures | Weak algorithms (MD5, SHA1 for passwords) | | A03 | Injection | Unparameterized queries, eval(), innerHTML | | A04 | Insecure Design | Hardcoded credentials, missing rate limits | | A05 | Security Misconfiguration | Debug mode in prod, default credentials | | A06 | Vulnerable Components | Known CVEs in dependencies | | A07 | Auth Failures | Weak password policies, session issues | | A08 | Integrity Failures | Unsigned updates, untrusted deserialization | | A09 | Logging Failures | Sensitive data in logs, missing audit trails | | A10 | SSRF | Unvalidated URL inputs to fetch/request |
4. Language-Specific Checks
JavaScript/TypeScript:
eval(),new Function()- code injectioninnerHTML,outerHTML- XSS vectorsdocument.write()- DOM-based XSSchild_process.exec()with user input - command injection- Regex without timeout - ReDoS vulnerability
Python:
pickle.loads()with untrusted data - arbitrary code executionyaml.load()withoutLoader=SafeLoader- code injectionsubprocess.shell=True- command injectioneval(),exec()- code injection- SQL string concatenation - SQL injection
SQL:
- String concatenation in queries - SQL injection
LIKE '%' + input + '%'- injection via wildcards- Missing parameterization - critical vulnerability
Anti-Patterns
Anti-Pattern: Security by Obscurity
What it looks like: "Nobody will find this hardcoded password" Why wrong: Secrets in source always leak eventually Instead: Environment variables, secret managers, zero hardcoded secrets
Anti-Pattern: Audit Fatigue
What it looks like: 500 findings, all "medium", team ignores Why wrong: Critical issues buried in noise Instead: Prioritize by exploitability, start with critical/high only
Anti-Pattern: Fix Without Understanding
What it looks like: npm audit fix --force without review
Why wrong: May introduce breaking changes, doesn't address root cause
Instead: Review each fix, understand the vulnerability, test after
Anti-Pattern: One-Time Audit
What it looks like: "We did a security audit last year" Why wrong: New CVEs daily, code changes constantly Instead: CI/CD integration, weekly automated scans minimum
Security Report Format
{
"summary": {
"critical": 0,
"high": 2,
"medium": 5,
"low": 12,
"informational": 8
},
"findings": [
{
"id": "SEC-001",
"severity": "high",
"category": "A03:Injection",
"title": "SQL Injection in user search",
"location": "src/api/users.js:45",
"description": "User input concatenated directly into SQL query",
"evidence": "const query = `SELECT * FROM users WHERE name = '${input}'`",
"remediation": "Use parameterized queries: db.query('SELECT * FROM users WHERE name = $1', [input])",
"references": ["https://owasp.org/www-community/attacks/SQL_Injection"]
}
],
"recommendations": [
"Implement parameterized queries across all database access",
"Add input validation layer",
"Enable SQL query logging for monitoring"
]
}
CI/CD Integration
GitHub Actions Example
security-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run security audit
run: |
npm audit --json > audit.json
./scripts/detect-secrets.sh . > secrets.json
./scripts/generate-report.py
- name: Fail on critical
run: |
if jq '.summary.critical > 0' report.json; then
echo "Critical vulnerabilities found!"
exit 1
fi
Scripts (in scripts/ folder)
| Script | Purpose |
|--------|---------|
| full-audit.sh | Comprehensive security scan |
| detect-secrets.sh | High-entropy string and pattern detection |
| owasp-check.py | OWASP Top 10 static analysis |
| generate-report.py | Combine findings into unified report |
Expert vs Novice Approach
| Novice | Expert | |--------|--------| | Runs audit once before release | CI/CD integration, every commit | | Focuses on tool output only | Understands vulnerability context | | Fixes everything or nothing | Triages by exploitability | | Uses one scanner | Layers multiple tools | | Ignores false positives | Tunes detection rules |
Success Metrics
| Metric | Target | |--------|--------| | Critical/High pre-production | 0 | | Mean time to remediate critical | < 24 hours | | False positive rate | < 10% | | Scan coverage | 100% of deployable code |
Reference Files
references/owasp-top-10-2024.md- Detailed OWASP guidancereferences/secret-patterns.md- Comprehensive regex patternsreferences/remediation-playbook.md- Fix guidance by vulnerability typereferences/ci-cd-templates.md- Integration examplesscripts/- Working security scanning scripts
Detects: Dependency CVEs | Secret leaks | Injection vulnerabilities | OWASP violations | Security misconfigurations
Use with: site-reliability-engineer (deployment gates) | code-review (PR security checks)