
/security-scan Command

Execute comprehensive security scanning across the codebase including static analysis, dependency auditing, secrets detection, and configuration review.

System Prompt

⚠️ EXECUTION DIRECTIVE: When the user invokes this command, you MUST:

  1. IMMEDIATELY execute - no questions, no explanations first
  2. ALWAYS show full output from script/tool execution
  3. ALWAYS provide summary after execution completes

DO NOT:

  • Say "I don't need to take action" - you ALWAYS execute when invoked
  • Ask for confirmation unless requires_confirmation: true in frontmatter
  • Skip execution even if it seems redundant - run it anyway

The user invoking the command IS the confirmation.


Usage

/security-scan [options]

Options:
--scope <path> Path to scan (default: current directory)
--type <types> Scan types: sast,deps,secrets,config (default: all)
--severity <level> Minimum severity: critical,high,medium,low (default: medium)
--output <format> Output format: terminal,json,sarif,markdown (default: terminal)
--fix Attempt to auto-fix issues where possible
--ci CI-friendly output; exit code is non-zero when any finding is at or above --severity

Scan Types

SAST (Static Application Security Testing)

/security-scan --type sast

# Languages supported:
# - Python: Bandit, Semgrep
# - JavaScript/TypeScript: ESLint-plugin-security, Semgrep
# - Rust: clippy (security lints); cargo-audit checks dependencies, not source, and runs under --type deps
# - Go: gosec

Dependency Vulnerability Scan

/security-scan --type deps

# Package managers:
# - npm/yarn: npm audit
# - pip: pip-audit, safety
# - cargo: cargo-audit
# - go: govulncheck

Secrets Detection

/security-scan --type secrets

# Detects:
# - API keys (AWS, GCP, Azure, Stripe, etc.)
# - Tokens (JWT, OAuth, personal access tokens)
# - Passwords and credentials
# - Private keys and certificates
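The detection technique behind a secrets pass is a set of regexes for known token shapes plus an entropy test for generic "password = ..." assignments. The block below is an added example of that technique, not the rule set /security-scan ships: the token regexes follow publicly documented formats (AWS access key ID, GitHub personal access token, PEM private-key header, JWT), while the rule ids, the entropy threshold and the placeholder prefixes that are skipped are assumptions for illustration. The sample files are constructed inline (the AWS key is Amazon's documented example id).

```python
"""Pattern-plus-entropy secrets detector (added example, not /security-scan's
own rules). Token regexes are publicly documented shapes; rule ids, the entropy
threshold and the placeholder skip-list are assumptions for illustration."""
import math
import re
from collections import Counter

# Known token shapes (illustrative rule ids).
RULES = {
    "secrets/aws-access-key": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "secrets/github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "secrets/private-key": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "secrets/jwt": re.compile(
        r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b"),
}
# "<prefix>password|secret|api_key|token<suffix> = <value>" assignments; the
# value is only flagged when it looks random (high Shannon entropy).
ASSIGNMENT = re.compile(
    r"(?i)\b[\w.]*(?:password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*"
    r"['\"]?([^'\"\s]{8,})")
ENTROPY_THRESHOLD = 3.5          # bits per character; assumption, tune per repo
PLACEHOLDER_PREFIXES = ("os.environ", "${", "process.env", "<")  # not literals

def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def scan_text(path, text):
    """Return findings as (rule_id, path, line_no, matched_text)."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for rule_id, pattern in RULES.items():
            for m in pattern.finditer(line):
                findings.append((rule_id, path, line_no, m.group(0)))
        for m in ASSIGNMENT.finditer(line):
            value = m.group(1)
            if value.startswith(PLACEHOLDER_PREFIXES):
                continue             # reads from env/config rather than a literal
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append(("secrets/high-entropy-assignment", path, line_no, value))
    return findings

def scan_files(files):
    """files: {path: contents}. Returns all findings across the files."""
    return [f for path, text in files.items() for f in scan_text(path, text)]

# Constructed sample input; the AWS key is Amazon's documented example id.
SAMPLE_FILES = {
    "src/config.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = os.environ["AWS_SECRET_ACCESS_KEY"]\n'
        'DB_PASSWORD = "hunter22"\n'
        'API_TOKEN = "s3cr3tT0k3n-Xy9qLm2Pv8"\n'
        'SESSION = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.abcDEF123_-xyz789"\n'
    ),
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n",
}

def run_sample():
    return scan_files(SAMPLE_FILES)

if __name__ == "__main__":
    for rule_id, path, line_no, text in run_sample():
        print(f"[{rule_id}] {path}:{line_no} {text[:24]}")
```

Note the false negative the sample deliberately contains: `DB_PASSWORD = "hunter22"` is a real hardcoded credential but has low entropy, so neither the shape rules nor the entropy test catch it. Pattern-based scanners find known token formats and random-looking strings; weak literal passwords need a different rule (a wordlist or a policy that forbids any literal for password-like names).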

Security Configuration

/security-scan --type config

# Checks:
# - Dockerfile security (no root, minimal base)
# - Kubernetes manifests (resource limits, security context)
# - Terraform security (encryption, access controls)
# - CI/CD security (secrets handling, permissions)
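To make the "no root, minimal base" Dockerfile checks concrete, here is an added example of how such a config check is implemented; it is not /security-scan's own rule set, and the rule ids are illustrative. It parses a Dockerfile (comments, blank lines and backslash continuations handled, multi-stage builds tracked) and flags an unpinned or `:latest` base image, a final stage with no non-root `USER`, `ADD` where `COPY` would do, and `chmod 777`. The weak and hardened Dockerfiles are constructed samples.

```python
"""Dockerfile checks of the kind a --type config pass performs (added example,
not /security-scan's own rules; rule ids are illustrative)."""
import re

def parse_dockerfile(text):
    """Yield (first_line_no, INSTRUCTION, args); joins backslash continuations,
    skips blank lines and comments."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if start is None:
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        parts = " ".join(buf).split(None, 1)
        yield start, parts[0].upper(), (parts[1] if len(parts) > 1 else "")
        buf, start = [], None

def base_is_pinned(image, stage_aliases):
    """A stage reference, scratch, a digest, or a non-latest tag count as pinned."""
    if image in stage_aliases or image == "scratch":
        return True
    name, _, digest = image.partition("@")
    if digest:
        return True
    last = name.rsplit("/", 1)[-1]        # drop registry/namespace, keep name[:tag]
    tag = last.partition(":")[2]
    return tag not in ("", "latest")

def check_dockerfile(text):
    """Return findings as (line_no, rule_id, message); line 0 = whole-file finding."""
    findings, aliases, final_user = [], [], None
    for n, ins, args in parse_dockerfile(text):
        if ins == "FROM":
            final_user = None                 # every stage starts as root again
            toks = [t for t in args.split() if not t.startswith("--")]  # skip --platform
            if not base_is_pinned(toks[0], aliases):
                findings.append((n, "config/docker-unpinned-base",
                                 f"{toks[0]} is not pinned to a tag or digest"))
            if len(toks) >= 3 and toks[1].upper() == "AS":
                aliases.append(toks[2])
        elif ins == "USER":
            final_user = args.split(":")[0].strip()
        elif ins == "ADD":
            findings.append((n, "config/docker-add-instead-of-copy",
                             "ADD fetches URLs and auto-extracts archives; use COPY"))
        elif ins == "RUN" and re.search(r"chmod\s+(?:-R\s+)?[0-7]*777\b", args):
            findings.append((n, "config/docker-world-writable", "chmod 777 in RUN"))
    if final_user in (None, "root", "0"):
        findings.append((0, "config/docker-runs-as-root",
                         "final stage has no non-root USER instruction"))
    return findings

# Constructed samples: the weak Dockerfile trips all four rules, the hardened one none.
WEAK_DOCKERFILE = """\
FROM python:latest
ADD https://example.com/app.tar.gz /app/
RUN pip install -r /app/requirements.txt && \\
    chmod -R 777 /app
CMD ["python", "/app/main.py"]
"""

HARDENED_DOCKERFILE = """\
FROM python:3.12-slim AS build
WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir --prefix=/install -r requirements.txt

FROM python:3.12-slim
RUN useradd --create-home --uid 10001 app
COPY --from=build /install /usr/local
WORKDIR /app
COPY --chown=app:app . .
USER app
CMD ["python", "main.py"]
"""

if __name__ == "__main__":
    for label, df in (("weak", WEAK_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(label, check_dockerfile(df) or "clean")
```

Pinning by tag only guards against `latest`; pinning by digest (`image@sha256:...`) is what actually makes the base immutable, and the checker treats either as acceptable.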

Examples

Full Security Audit

# Comprehensive scan with all checks
/security-scan --scope . --severity low --output markdown

# CI pipeline scan (fails on high+ severity)
/security-scan --ci --severity high

Targeted Scans

# SAST only on source directory
/security-scan --type sast --scope src/

# Secrets scan on entire repo
/security-scan --type secrets --scope .

# Dependency scan with JSON output
/security-scan --type deps --output json > security-report.json

Pre-Commit Integration

# Quick scan before commit. --scope takes a single path (see Usage), so loop over
# the staged files; --diff-filter=ACM skips deleted paths, which would fail the scan
for f in $(git diff --cached --name-only --diff-filter=ACM); do
  /security-scan --type secrets,sast --scope "$f"
done

Output Format

Terminal Output

Security Scan Results
=====================

CRITICAL: 2 | HIGH: 5 | MEDIUM: 12 | LOW: 8

[CRITICAL] Hardcoded AWS credentials
File: src/config.py:45
Rule: secrets/aws-access-key
Fix: Move to environment variables or secrets manager

[HIGH] SQL Injection vulnerability
File: src/api/users.py:78
Rule: python/sql-injection
Fix: Use parameterized queries

SARIF Output (GitHub Integration)

/security-scan --output sarif > results.sarif

# Upload to GitHub Security tab. The API requires the SARIF gzip-compressed and
# base64-encoded, plus the commit and ref the results belong to
# (-w0 is GNU base64; macOS base64 does not wrap by default)
gh api repos/{owner}/{repo}/code-scanning/sarifs \
-f commit_sha="$(git rev-parse HEAD)" \
-f ref="refs/heads/$(git branch --show-current)" \
-f sarif="$(gzip -c results.sarif | base64 -w0)"
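What `--ci --severity <level>` does, expressed against the SARIF the command writes, is a severity gate. The following is an added example of such a gate, not part of /security-scan: it reads a SARIF 2.1.0 file, bands each result as critical/high/medium/low and exits non-zero when anything at or above the threshold is present. It relies only on the SARIF schema (`results[].level`, `tool.driver.rules[]`) and GitHub's `security-severity` rule property; the score-to-band mapping and the fallback from SARIF `level` to a band are assumptions stated in the code, and the sample report is constructed to mirror the terminal output shown above.

```python
"""Severity gate over a SARIF 2.1.0 report, e.g. the file written by
`/security-scan --output sarif > results.sarif`. Added example, not part of
/security-scan; band thresholds and the level fallback are assumptions."""
import json
import sys
from collections import Counter

SEVERITIES = ["low", "medium", "high", "critical"]            # ascending order
LEVEL_FALLBACK = {"error": "high", "warning": "medium", "note": "low", "none": "low"}

def band_from_score(score):
    """GitHub code-scanning bands for security-severity (0-10); assumption."""
    score = float(score)
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"

def result_severity(result, rules_by_id):
    """Prefer the rule's security-severity score; fall back to the SARIF level."""
    rule = rules_by_id.get(result.get("ruleId"), {})
    score = rule.get("properties", {}).get("security-severity")
    if score is not None:
        return band_from_score(score)
    return LEVEL_FALLBACK.get(result.get("level", "warning"), "medium")

def summarize(sarif):
    """Return (Counter of findings per band, list of flattened findings)."""
    counts, findings = Counter(), []
    for run in sarif.get("runs", []):
        rules = {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for res in run.get("results", []):
            band = result_severity(res, rules)
            counts[band] += 1
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "severity": band,
                "rule": res.get("ruleId"),
                "file": loc.get("artifactLocation", {}).get("uri"),
                "line": loc.get("region", {}).get("startLine"),
                "message": res.get("message", {}).get("text", ""),
            })
    return counts, findings

def gate(sarif, min_severity="high"):
    """True (pass) iff no finding is at or above min_severity."""
    counts, _ = summarize(sarif)
    blocking = SEVERITIES[SEVERITIES.index(min_severity):]
    return sum(counts[b] for b in blocking) == 0

# Constructed sample report; rules and paths mirror the terminal output above.
SAMPLE_SARIF = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "security-scan", "rules": [
        {"id": "secrets/aws-access-key", "properties": {"security-severity": "9.5"}},
        {"id": "python/sql-injection", "properties": {"security-severity": "8.0"}},
        {"id": "python/assert-used"}]}},
    "results": [
        {"ruleId": "secrets/aws-access-key", "level": "error",
         "message": {"text": "Hardcoded AWS credentials"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/config.py"},
                                             "region": {"startLine": 45}}}]},
        {"ruleId": "python/sql-injection", "level": "error",
         "message": {"text": "SQL injection"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/api/users.py"},
                                             "region": {"startLine": 78}}}]},
        {"ruleId": "python/assert-used", "level": "note",
         "message": {"text": "assert used outside tests"}, "locations": []}]}]}

def main(argv):
    """usage: gate.py [results.sarif] [min_severity]; no file -> sample report."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            sarif = json.load(fh)
    else:
        sarif = SAMPLE_SARIF
    min_severity = argv[2] if len(argv) > 2 else "high"
    counts, findings = summarize(sarif)
    print(" | ".join(f"{b.upper()}: {counts[b]}" for b in reversed(SEVERITIES)))
    for f in sorted(findings, key=lambda f: -SEVERITIES.index(f["severity"])):
        print(f"[{f['severity'].upper()}] {f['rule']} {f['file']}:{f['line']} {f['message']}")
    return 0 if gate(sarif, min_severity) else 1

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Results with no `locations` (the third sample result) are kept with `file`/`line` set to `None` rather than dropped, so a scanner that emits a file-less finding still counts toward the gate.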

Remediation Workflow

  1. Run full scan: /security-scan --output markdown > SECURITY-REPORT.md
  2. Review findings by severity
  3. Create tickets for critical/high issues
  4. Apply fixes with: /security-scan --fix (a detected secret cannot be auto-fixed away: rotate the credential and purge it from git history, then treat the rescan as verification)
  5. Re-scan to verify fixes
  6. Add to CI pipeline for continuous monitoring

Integration

GitHub Actions

permissions:
  security-events: write        # required by upload-sarif
steps:
  - name: Security Scan
    run: |
      /security-scan --ci --severity high --output sarif > results.sarif
  - name: Upload SARIF
    if: always()                # --ci exits non-zero on findings; upload them anyway
    uses: github/codeql-action/upload-sarif@v3
    with:
      sarif_file: results.sarif

Pre-Commit Hook

# .pre-commit-config.yaml
- repo: local
  hooks:
    - id: security-scan
      name: Security scan
      entry: /security-scan --type secrets --ci
      language: system
      pass_filenames: false

Related

  • security-audit-skill - Detailed OWASP Top 10 patterns
  • secrets-detection-skill - Advanced secrets detection
  • penetration-testing-agent - Manual security testing
  • /dependency-audit - Focused dependency scanning

Success Output

When security scan completes:

✅ COMMAND COMPLETE: /security-scan
Scope: <path>
Findings: Critical: X, High: Y, Medium: Z
Secrets: <clean|N detected>
Deps: M vulnerabilities
Status: <passed|failed>

Completion Checklist

Before marking complete:

  • All scan types executed
  • Findings categorized by severity
  • Secrets detection run
  • Dependency audit complete
  • Report generated

Failure Indicators

This command has FAILED if:

  • ❌ Scope path not found
  • ❌ Scanner tool unavailable
  • ❌ Critical secrets in codebase
  • ❌ No report generated

When NOT to Use

Do NOT use when:

  • No code to scan
  • Need penetration testing (use agent)
  • Single file review (use /analyze)

Anti-Patterns (Avoid)

Anti-Pattern        | Problem            | Solution
--------------------|--------------------|-----------------------
Skip secrets scan   | Leaked credentials | Always include secrets
Ignore low severity | Technical debt     | Review all findings
No CI integration   | Continuous risk    | Add to pipeline

Principles

This command embodies:

  • #3 Complete Execution - All scan types
  • #9 Based on Facts - Tool-based findings
  • #4 Separation of Concerns - Categorized results

Full Standard: CODITECT-STANDARD-AUTOMATION.md