Security Scanning Patterns Skill
Security Scanning Patterns Skill
When to Use This Skill
Use this skill when implementing security scanning patterns patterns in your codebase.
How to Use This Skill
- Review the patterns and examples below
- Apply the relevant patterns to your implementation
- Follow the best practices outlined in this skill
Automated security scanning with SAST, DAST, container scanning, IaC validation, and secrets detection integrated into CI/CD.
Core Capabilities
- SAST - Static code analysis for security vulnerabilities
- DAST - Runtime security testing
- Container Scanning - Docker image vulnerability detection
- IaC Scanning - Terraform/CloudFormation security validation
- Secrets Detection - Exposed credentials identification
Multi-Tool Security Scanning Pipeline
# .github/workflows/security-scan.yml
name: Security Scanning
on:
push:
branches: [main, develop]
pull_request:
schedule:
- cron: '0 0 * * 0' # Weekly scan
jobs:
sast-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Semgrep SAST
uses: returntocorp/semgrep-action@v1
with:
config: >-
p/security-audit
p/owasp-top-ten
- name: CodeQL Analysis
uses: github/codeql-action/analyze@v2
container-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Build image
run: docker build -t myapp:${{ github.sha }} .
- name: Trivy scan
uses: aquasecurity/trivy-action@master
with:
image-ref: myapp:${{ github.sha }}
format: 'sarif'
severity: 'CRITICAL,HIGH'
secrets-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Gitleaks scan
uses: gitleaks/gitleaks-action@v2
Python Security Scanner
#!/usr/bin/env python3
"""Automated security scanning orchestrator."""
import subprocess
import json
from pathlib import Path
class SecurityScanner:
def __init__(self, project_path: Path):
self.project_path = project_path
self.results = {'scanners': {}}
def run_all_scans(self):
"""Execute all security scans."""
self.scan_dependencies()
self.scan_code()
self.scan_secrets()
self.scan_containers()
return self.results
def scan_dependencies(self):
"""Scan dependencies for vulnerabilities."""
if (self.project_path / "package.json").exists():
result = subprocess.run(
['npm', 'audit', '--json'],
capture_output=True,
text=True,
cwd=self.project_path
)
self.results['scanners']['npm_audit'] = json.loads(result.stdout)
def scan_code(self):
"""SAST code scanning."""
result = subprocess.run(
['semgrep', '--config=auto', '--json', '.'],
capture_output=True,
text=True,
cwd=self.project_path
)
if result.stdout:
self.results['scanners']['semgrep'] = json.loads(result.stdout)
def scan_secrets(self):
"""Secret detection."""
result = subprocess.run(
['gitleaks', 'detect', '--no-git', '--report-format=json'],
capture_output=True,
text=True,
cwd=self.project_path
)
if result.stdout:
self.results['scanners']['gitleaks'] = json.loads(result.stdout)
def scan_containers(self):
"""Container image scanning."""
dockerfiles = list(self.project_path.glob('**/Dockerfile'))
if dockerfiles:
result = subprocess.run(
['trivy', 'config', '.'],
capture_output=True,
text=True,
cwd=self.project_path
)
self.results['scanners']['trivy'] = result.stdout
if __name__ == '__main__':
scanner = SecurityScanner(Path.cwd())
results = scanner.run_all_scans()
print(json.dumps(results, indent=2))
Usage Examples
CI/CD Security Scanning
Apply security-scanning-patterns skill to setup GitHub Actions workflow with SAST, container scanning, and secrets detection
Automated Vulnerability Reporting
Apply security-scanning-patterns skill to implement multi-tool security scanning with consolidated reporting
Tool Requirements
Required tools must be installed before using this skill:
| Tool | Purpose | Install Command | Min Version |
|---|---|---|---|
| Trivy | Container/IaC scanning | brew install trivy or apt install trivy | v0.45+ |
| Semgrep | SAST code scanning | pip install semgrep | v1.0+ |
| Gitleaks | Secrets detection | brew install gitleaks | v8.0+ |
| Snyk | Dependency scanning | npm install -g snyk | v1.1000+ |
Optional tools (enhanced scanning):
| Tool | Purpose | Install Command |
|---|---|---|
| OWASP ZAP | DAST scanning | brew install --cask owasp-zap |
| CodeQL | Deep SAST | GitHub Actions (pre-installed) |
| Checkov | IaC scanning | pip install checkov |
| Grype | SBOM vulnerabilities | brew install grype |
Verification script:
#!/bin/bash
# scripts/verify-security-tools.sh
echo "Checking security scanning tools..."
check_tool() {
if command -v "$1" &> /dev/null; then
echo "✅ $1: $(command -v $1)"
else
echo "❌ $1: NOT FOUND"
return 1
fi
}
MISSING=0
check_tool trivy || MISSING=$((MISSING+1))
check_tool semgrep || MISSING=$((MISSING+1))
check_tool gitleaks || MISSING=$((MISSING+1))
check_tool snyk || MISSING=$((MISSING+1))
if [ $MISSING -gt 0 ]; then
echo ""
echo "⚠️ $MISSING required tool(s) missing. Install before proceeding."
exit 1
fi
echo ""
echo "✅ All required security scanning tools installed."
CI/CD environment requirements:
- GitHub Actions: Use official actions (aquasecurity/trivy-action, gitleaks/gitleaks-action)
- GitLab CI: Install tools in before_script or use container images
- Docker: Use
aquasec/trivy,zricethezav/gitleaksimages
Integration Points
- security-audit-patterns - Security auditing
- cicd-pipeline-design - CI/CD integration
- compliance-validation - Compliance reporting
Success Output
When this skill is successfully applied, output:
✅ SKILL COMPLETE: security-scanning-patterns
Completed:
- [x] Multi-tool scanning pipeline configured
- [x] SAST scanner integrated (Semgrep/CodeQL)
- [x] Container scanning active (Trivy)
- [x] Secrets detection enabled (Gitleaks)
- [x] IaC scanning configured (Trivy config scan)
- [x] Consolidated security report generated
Outputs:
- .github/workflows/security-scan.yml (CI/CD pipeline)
- scripts/security_scanner.py (orchestration script)
- security-reports/scan-results.json (consolidated findings)
- Vulnerabilities detected: SAST: X, Container: Y, Secrets: Z
Completion Checklist
Before marking this skill as complete, verify:
- All scanners execute successfully in CI/CD
- SARIF results uploaded to GitHub Security
- Secrets scanner tested with known test secrets
- Container scan detects vulnerabilities in test image
- IaC scan validates Terraform/K8s configs
- Consolidated report aggregates all scanner findings
- CI/CD fails on critical/high severity findings
- Scanning runs on schedule (daily/weekly)
- False positives suppressed appropriately
- Documentation updated with scanning workflow
Failure Indicators
This skill has FAILED if:
- ❌ Scanner missing from CI/CD environment
- ❌ SAST not detecting known code vulnerabilities
- ❌ Secrets scanner missing exposed API keys
- ❌ Container scan shows 0 vulnerabilities on outdated image
- ❌ CI/CD pipeline passes despite critical findings
- ❌ SARIF upload fails to GitHub Security
- ❌ Consolidated report missing scanner output
- ❌ Scanners not running on pull requests
- ❌ No severity thresholds configured
- ❌ Python orchestration script crashes on execution
When NOT to Use
Do NOT use this skill when:
- Single security concern (use specialized skill instead):
- Only code vulnerabilities → use SAST-specific skill
- Only container security → use container-scanning skill
- Only secrets → use secrets-detection skill
- Offline/air-gapped environment (no scanner access)
- Proof-of-concept with no security requirements
- Resource-constrained CI/CD (multiple scanners too slow)
- Legacy system with no remediation budget
- Real-time scanning needed (use runtime protection instead)
Use alternatives:
- sast-patterns - Code-only analysis
- container-security-patterns - Container-focused scanning
- secrets-management - Secrets detection and rotation
- runtime-application-security - Production runtime protection
Anti-Patterns (Avoid)
| Anti-Pattern | Problem | Solution |
|---|---|---|
| Tool redundancy | Multiple tools scan same thing | Consolidate to one tool per category (SAST, container, secrets) |
| No result aggregation | Scattered findings, no overview | Use consolidation script to merge results |
| Ignoring exit codes | Build passes despite failures | Check scanner exit codes, fail pipeline on critical |
| Missing suppressions | False positives block development | Maintain suppression files (.semgrepignore, .trivyignore) |
| Scanning everything always | Slow CI/CD, wasted resources | Scan incrementally (changed files only) for PRs |
| No scheduled scans | New CVEs missed between commits | Run full scans daily/weekly on schedule |
| Secrets in scanner config | Ironic security failure | Use environment variables or secret manager |
| No baseline metrics | Can't track improvement | Record initial scan results as baseline |
| Results not actionable | Findings without remediation | Include fix suggestions in consolidated report |
Principles
This skill embodies CODITECT core principles:
#1 Recycle → Extend → Re-Use → Create
- Reuse existing GitHub Actions from marketplace
- Extend scanner configs with custom rules
- Build upon proven scanner tools (Semgrep, Trivy, Gitleaks)
#4 Shift Left on Security
- Integrate scanning early in development (pre-commit, PR)
- Prevent vulnerabilities from reaching production
- Automated detection at commit time
#5 Eliminate Ambiguity
- SARIF format standardizes findings across tools
- Severity levels clearly defined (CRITICAL/HIGH/MEDIUM/LOW)
- Consolidated report shows full security posture
#6 Clear, Understandable, Explainable
- GitHub Security tab visualizes findings
- Python orchestration script readable and modular
- Each scanner's role clearly documented
#8 No Assumptions
- Verify scanner installation before execution
- Test with known vulnerabilities to validate detection
- Check SARIF upload success
#9 Evidence-Based Decisions
- Scanner tools based on industry standards (OWASP, CWE, CVE)
- Severity thresholds align with security best practices
- Multiple scanners provide cross-validation
Full Standard: CODITECT-STANDARD-AUTOMATION.md