Security Scan Skill
Overview
Orchestrates the full security scanning workflow across all supported languages.
Supported Languages
| Language | Marker Files | Pattern Count | |----------|-------------|---------------| | JavaScript/TypeScript | package.json | 25+ | | PHP | composer.json | 20+ | | Python | requirements.txt, pyproject.toml | 18+ | | Swift/iOS | Package.swift, *.xcodeproj | 15+ | | Go | go.mod | 12+ | | Rust | Cargo.toml | 10+ |
Workflow
- Detect language from project markers
- Load patterns from
references/scan-patterns.md - Run
bun ${CLAUDE_PLUGIN_ROOT}/../node_modules/@fusengine/harness/dist/cli/bin.mjs scan <dir>for automated scanning (OWASP patterns ported into the harness) - Map findings to OWASP categories via
references/owasp-top10.md - Generate report using
references/templates/scan-report.md
Pattern Categories
- XSS (Cross-Site Scripting)
- SQL Injection
- Command Injection
- Code Execution (eval, exec)
- SSRF (Server-Side Request Forgery)
- Weak Cryptography
- Hardcoded Secrets
- Insecure Deserialization
- Path Traversal / LFI / RFI
Integration
After scanning, delegate fixes to sniper:
Agent(subagent_type="fuse-ai-pilot:sniper", prompt="Security fixes: [FILE:LINE] [VULN] [FIX]")
References
- OWASP Top 10 Mapping
- Scan Patterns by Language
- Report Template
- GraphQL Security Patterns — Load when the target exposes a GraphQL endpoint (introspection, depth/complexity limiting, batching, authorization checks).
- Scan Patterns - Python, Swift/iOS, Go, Rust — Load when scanning Python, Swift/iOS, Go, or Rust source code (patterns not covered in
scan-patterns.md).