# Security Scanner > **Purpose:** Scan a codebase for security vulnerabilities following OWASP Top 10 and common CVE patterns. Produces an actionable report with severity rankings. --- ## Invocation ``` /security-scan [path] [--severity critical|high|medium|all] ``` Default: scan entire project, report all severities. --- ## Vulnerability Categories ### A01: Broken Access Control - Missing auth middleware on protected routes - Direct object reference without ownership check - CORS misconfiguration (`Access-Control-Allow-Origin: *`) - Missing CSRF tokens on state-changing operations ### A02: Cryptographic Failures - Hardcoded secrets, API keys, tokens in source - Weak hashing (MD5, SHA1 for passwords) - Missing HTTPS enforcement - Sensitive data in URL parameters or logs ### A03: Injection - SQL injection via string interpolation - NoSQL injection through unsanitized query objects - OS command injection via `exec()`, `spawn()` with user input - LDAP, XPath, or template injection ### A04: Insecure Design - Missing rate limiting on auth endpoints - No account lockout after failed attempts - Password reset tokens without expiry - Predictable resource IDs ### A05: Security Misconfiguration - Debug mode enabled in production config - Default credentials in configuration files - Verbose error messages exposing stack traces - Unnecessary HTTP methods enabled ### A07: Cross-Site Scripting (XSS) - Unescaped user input rendered as HTML - `dangerouslySetInnerHTML` without sanitization - Event handler injection through user-controlled attributes - SVG/XML injection ### A08: Software and Data Integrity - Dependencies with known CVEs (check package-lock.json) - Missing integrity checks on CDN resources - Unsigned or unverified updates ### A09: Logging & Monitoring Failures - Sensitive data in log output (passwords, tokens, PII) - Missing audit logging for admin operations - No rate limit logging --- ## Scan Process 1. **File Discovery** — Glob for source files (`.ts`, `.js`, `.py`, `.go`, `.rb`, `.java`) 2. **Pattern Matching** — AST-aware scan for vulnerability patterns 3. **Dependency Audit** — Check `package-lock.json` / `requirements.txt` against advisory databases 4. **Secret Detection** — Regex scan for API keys, tokens, passwords 5. **Configuration Review** — Check env files, Docker configs, CI/CD pipelines --- ## Output Format ``` 🔴 CRITICAL | A03:Injection | src/api/users.ts:42 SQL query built with string concatenation using user input. Fix: Use parameterized query: db.query('SELECT * FROM users WHERE id = $1', [userId]) 🟡 MEDIUM | A02:Crypto | .env.example:3 Example env file contains what appears to be a real API key. Fix: Replace with placeholder value: API_KEY=your-api-key-here ``` --- ## Summary Report | Category | Critical | High | Medium | Low | |----------|----------|------|--------|-----| | Injection | 1 | 0 | 0 | 0 | | Access Control | 0 | 2 | 1 | 0 | | Crypto | 0 | 0 | 1 | 2 | | XSS | 0 | 1 | 0 | 0 | | **Total** | **1** | **3** | **2** | **2** | ## Playground
Security ScannerExample · SkillSlap
Input: Code snippet
app.get('/user', (req, res) => {
  const id = req.query.id
  db.query(
    `SELECT * FROM users
     WHERE id = '${id}'`,
    (err, rows) => res.json(rows)
  )
})
Output: Findings
🔴 CRITICAL — SQL Injection (line 3)
User-controlled `id` interpolated
directly into SQL. CVSS 9.8 / CWE-89

🔴 HIGH — Mass data exposure (line 5)
`SELECT *` leaks all columns including
password hashes, tokens, PII.

🟡 MEDIUM — No auth check (line 1)
Route has no authentication middleware.
Any caller can query arbitrary users.

Fix: parameterised query + auth guard