Security Scanner
OWASP Top 10 security scanner. Finds injection, XSS, broken auth, hardcoded secrets, vulnerable dependencies. Severity-ranked actionable report.
@atapifire/security-scanner
Security Scanner
Purpose: Scan a codebase for security vulnerabilities following OWASP Top 10 and common CVE patterns. Produces an actionable report with severity rankings.
Invocation
/security-scan [path] [--severity critical|high|medium|all]
Default: scan entire project, report all severities.
Vulnerability Categories
A01: Broken Access Control
- Missing auth middleware on protected routes
- Direct object reference without ownership check
- CORS misconfiguration (
Access-Control-Allow-Origin: *) - Missing CSRF tokens on state-changing operations
A02: Cryptographic Failures
- Hardcoded secrets, API keys, tokens in source
- Weak hashing (MD5, SHA1 for passwords)
- Missing HTTPS enforcement
- Sensitive data in URL parameters or logs
A03: Injection
- SQL injection via string interpolation
- NoSQL injection through unsanitized query objects
- OS command injection via
exec(),spawn()with user input - LDAP, XPath, or template injection
A04: Insecure Design
- Missing rate limiting on auth endpoints
- No account lockout after failed attempts
- Password reset tokens without expiry
- Predictable resource IDs
A05: Security Misconfiguration
- Debug mode enabled in production config
- Default credentials in configuration files
- Verbose error messages exposing stack traces
- Unnecessary HTTP methods enabled
A07: Cross-Site Scripting (XSS)
- Unescaped user input rendered as HTML
dangerouslySetInnerHTMLwithout sanitization- Event handler injection through user-controlled attributes
- SVG/XML injection
A08: Software and Data Integrity
- Dependencies with known CVEs (check package-lock.json)
- Missing integrity checks on CDN resources
- Unsigned or unverified updates
A09: Logging & Monitoring Failures
- Sensitive data in log output (passwords, tokens, PII)
- Missing audit logging for admin operations
- No rate limit logging
Scan Process
- File Discovery — Glob for source files (
.ts,.js,.py,.go,.rb,.java) - Pattern Matching — AST-aware scan for vulnerability patterns
- Dependency Audit — Check
package-lock.json/requirements.txtagainst advisory databases - Secret Detection — Regex scan for API keys, tokens, passwords
- Configuration Review — Check env files, Docker configs, CI/CD pipelines
Output Format
🔴 CRITICAL | A03:Injection | src/api/users.ts:42
SQL query built with string concatenation using user input.
Fix: Use parameterized query: db.query('SELECT * FROM users WHERE id = $1', [userId])
🟡 MEDIUM | A02:Crypto | .env.example:3
Example env file contains what appears to be a real API key.
Fix: Replace with placeholder value: API_KEY=your-api-key-here
Summary Report
| Category | Critical | High | Medium | Low |
|---|---|---|---|---|
| Injection | 1 | 0 | 0 | 0 |
| Access Control | 0 | 2 | 1 | 0 |
| Crypto | 0 | 0 | 1 | 2 |
| XSS | 0 | 1 | 0 | 0 |
| Total | 1 | 3 | 2 | 2 |
Playground
<!DOCTYPE html><html><head><meta charset='utf-8'><style>*{box-sizing:border-box;margin:0;padding:0}body{background:#0d1117;color:#e6edf3;font-family:monospace;font-size:12px;height:100vh;display:flex;flex-direction:column;overflow:hidden}.header{background:#161b22;border-bottom:1px solid #30363d;padding:8px 14px;font-size:11px;color:#8b949e;display:flex;justify-content:space-between;align-items:center;flex-shrink:0}.title{color:#58a6ff;font-weight:bold;font-size:13px}.panels{display:flex;flex:1;overflow:hidden}.panel{flex:1;overflow:auto;padding:12px;border-right:1px solid #30363d}.panel:last-child{border-right:none}.label{font-size:10px;color:#8b949e;text-transform:uppercase;letter-spacing:.08em;margin-bottom:6px}pre{white-space:pre-wrap;word-break:break-word;line-height:1.5}</style></head><body><div class='header'><span class='title'>Security Scanner</span><span>Example · SkillSlap</span></div><div class='panels'><div class='panel'><div class='label'>Input: Code snippet</div><pre><span style='color:#8b949e'>app.get('/user', (req, res) => {</span><span style='color:#8b949e'> const id = req.query.id</span>
<span style='color:#8b949e'> db.query(</span>
<span style='color:#8b949e'> SELECT * FROM users</span> <span style='color:#8b949e'> WHERE id = '${id}',</span>
<span style='color:#8b949e'> (err, rows) => res.json(rows)</span>
<span style='color:#8b949e'> )</span>
<span style='color:#8b949e'>})</span></pre></div><div class='panel'><div class='label'>Output: Findings</div><pre><span style='color:#f85149'>🔴 CRITICAL — SQL Injection (line 3)</span>
<span style='color:#8b949e'>User-controlled id interpolated</span>
<span style='color:#8b949e'>directly into SQL. CVSS 9.8 / CWE-89</span>
<span style='color:#f85149'>🔴 HIGH — Mass data exposure (line 5)</span>
<span style='color:#8b949e'>SELECT * leaks all columns including</span>
<span style='color:#8b949e'>password hashes, tokens, PII.</span>
<span style='color:#e3b341'>🟡 MEDIUM — No auth check (line 1)</span> <span style='color:#8b949e'>Route has no authentication middleware.</span> <span style='color:#8b949e'>Any caller can query arbitrary users.</span>
<span style='color:#8b949e'>Fix: parameterised query + auth guard</span></pre></div></div></body></html>
$20 more to next tier
Created by
Info
Embed
Add this skill card to any webpage.
<iframe src="https://skillslap.com/skill/de48a653-7bf6-4cfc-aefa-adc2135d4f78/embed"
width="400" height="200"
style="border:none;border-radius:12px;"
title="SkillSlap Skill: Security Scanner">
</iframe>