Agent Skills Framework Extension (Optional)
Vulnerability Assessment Skill
When to Use This Skill
Use this skill when implementing vulnerability assessment patterns in your codebase.
How to Use This Skill
- Review the patterns and examples below
- Apply the relevant patterns to your implementation
- Follow the best practices outlined in this skill
Security auditing, penetration testing, and automated vulnerability scanning with remediation guidance.
Core Capabilities
- SAST - Static application security testing
- DAST - Dynamic application security testing
- Dependency Scanning - Third-party vulnerability detection
- Container Scanning - Image vulnerability analysis
- Threat Modeling - Risk identification and classification
SAST Configuration (Semgrep)
# .semgrep.yml
rules:
- id: hardcoded-secret
patterns:
- pattern-either:
- pattern: password = "..."
- pattern: api_key = "..."
- pattern: secret = "..."
- pattern: token = "..."
message: "Hardcoded secret detected"
languages: [python, javascript, typescript]
severity: ERROR
metadata:
category: security
cwe: "CWE-798"
owasp: "A3:2017 Sensitive Data Exposure"
- id: sql-injection
patterns:
- pattern-either:
- pattern: |
cursor.execute($QUERY % ...)
- pattern: |
cursor.execute($QUERY.format(...))
- pattern: |
cursor.execute(f"...")
message: "Potential SQL injection vulnerability"
languages: [python]
severity: ERROR
metadata:
cwe: "CWE-89"
owasp: "A1:2017 Injection"
- id: xss-vulnerability
patterns:
- pattern-either:
- pattern: |
innerHTML = $USER_INPUT
- pattern: |
dangerouslySetInnerHTML={{__html: $USER_INPUT}}
message: "Potential XSS vulnerability"
languages: [javascript, typescript]
severity: ERROR
metadata:
cwe: "CWE-79"
owasp: "A7:2017 XSS"
- id: insecure-crypto
patterns:
- pattern-either:
- pattern: crypto.createHash("md5")
- pattern: crypto.createHash("sha1")
- pattern: hashlib.md5(...)
- pattern: hashlib.sha1(...)
message: "Use of weak cryptographic algorithm"
languages: [python, javascript, typescript]
severity: WARNING
metadata:
cwe: "CWE-327"
Dependency Scanning Pipeline
# .github/workflows/security-scan.yml
name: Security Scanning
on:
push:
branches: [main, develop]
pull_request:
branches: [main]
schedule:
- cron: '0 0 * * *' # Daily scan
jobs:
sast:
name: Static Analysis
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run Semgrep
uses: returntocorp/semgrep-action@v1
with:
config: .semgrep.yml
generateSarif: true
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: semgrep.sarif
dependency-scan:
name: Dependency Scan
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
# Node.js dependencies
- name: Run npm audit
run: npm audit --json > npm-audit.json || true
- name: Run Snyk
uses: snyk/actions/node@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
args: --severity-threshold=high
# Python dependencies
- name: Run safety check
run: |
pip install safety
safety check -r requirements.txt --json > safety-report.json || true
# Rust dependencies
- name: Run cargo audit
run: |
cargo install cargo-audit
cargo audit --json > cargo-audit.json || true
container-scan:
name: Container Scan
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Build image
run: docker build -t app:scan .
- name: Run Trivy
uses: aquasecurity/trivy-action@master
with:
image-ref: 'app:scan'
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
ignore-unfixed: true
- name: Upload Trivy results
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: trivy-results.sarif
dast:
name: Dynamic Analysis
runs-on: ubuntu-latest
if: github.event_name == 'schedule'
steps:
- uses: actions/checkout@v4
- name: Start application
run: docker-compose up -d
- name: Wait for application
run: |
timeout 60 bash -c 'until curl -s http://localhost:8080/health; do sleep 2; done'
- name: Run OWASP ZAP
uses: zaproxy/action-full-scan@v0.7.0
with:
target: 'http://localhost:8080'
rules_file_name: '.zap-rules.tsv'
cmd_options: '-a'
- name: Stop application
run: docker-compose down
Container Scanning (Trivy)
# trivy.yaml
severity:
- CRITICAL
- HIGH
vulnerability:
type:
- os
- library
ignore-unfixed: true
ignorefile: .trivyignore
format: table
exit-code: 1
# Custom policy
policy:
- policy/custom-checks.rego
#!/bin/bash
# scripts/scan-container.sh
set -euo pipefail
IMAGE="${1:-app:latest}"
OUTPUT_DIR="${2:-security-reports}"
mkdir -p "$OUTPUT_DIR"
echo "Scanning container image: $IMAGE"
# Vulnerability scan
trivy image \
--severity CRITICAL,HIGH \
--format json \
--output "$OUTPUT_DIR/trivy-vulns.json" \
"$IMAGE"
# Secret scan
trivy image \
--scanners secret \
--format json \
--output "$OUTPUT_DIR/trivy-secrets.json" \
"$IMAGE"
# Config scan
trivy image \
--scanners config \
--format json \
--output "$OUTPUT_DIR/trivy-config.json" \
"$IMAGE"
# Generate summary
jq -r '.Results[] | select(.Vulnerabilities) | .Vulnerabilities[] | [.VulnerabilityID, .Severity, .PkgName, .Title] | @tsv' \
"$OUTPUT_DIR/trivy-vulns.json" > "$OUTPUT_DIR/vulnerability-summary.tsv"
CRITICAL_COUNT=$(jq '[.Results[].Vulnerabilities[]? | select(.Severity == "CRITICAL")] | length' "$OUTPUT_DIR/trivy-vulns.json")
HIGH_COUNT=$(jq '[.Results[].Vulnerabilities[]? | select(.Severity == "HIGH")] | length' "$OUTPUT_DIR/trivy-vulns.json")
echo "Summary: $CRITICAL_COUNT critical, $HIGH_COUNT high vulnerabilities"
if [ "$CRITICAL_COUNT" -gt 0 ]; then
echo "::error::Critical vulnerabilities found"
exit 1
fi
Threat Modeling Template
# Threat Model: [System Name]
## 1. System Overview
### Description
[Brief description of the system]
### Data Flow Diagram
[Include DFD or reference to diagram]
### Trust Boundaries
- External users → API Gateway
- API Gateway → Backend services
- Backend services → Database
## 2. Assets
| Asset | Sensitivity | Location |
|-------|-------------|----------|
| User credentials | Critical | Database |
| Session tokens | High | Redis |
| User PII | High | Database |
| API keys | Critical | Secret Manager |
## 3. Threats (STRIDE)
### Spoofing
| Threat | Risk | Mitigation |
|--------|------|------------|
| Credential theft | High | MFA, secure password policy |
| Session hijacking | High | Secure cookies, token rotation |
### Tampering
| Threat | Risk | Mitigation |
|--------|------|------------|
| Request modification | Medium | HTTPS, request signing |
| Database tampering | High | RLS, audit logging |
### Repudiation
| Threat | Risk | Mitigation |
|--------|------|------------|
| Deny actions | Medium | Audit logging, timestamps |
### Information Disclosure
| Threat | Risk | Mitigation |
|--------|------|------------|
| Data breach | Critical | Encryption at rest/transit |
| API enumeration | Medium | Rate limiting, error handling |
### Denial of Service
| Threat | Risk | Mitigation |
|--------|------|------------|
| DDoS attack | High | CDN, rate limiting |
| Resource exhaustion | Medium | Quotas, circuit breakers |
### Elevation of Privilege
| Threat | Risk | Mitigation |
|--------|------|------------|
| IDOR | High | Authorization checks |
| SQL injection | Critical | Parameterized queries |
## 4. Risk Matrix
| Threat | Likelihood | Impact | Risk Level | Priority |
|--------|------------|--------|------------|----------|
| SQL Injection | Low | Critical | High | P0 |
| Session Hijacking | Medium | High | High | P0 |
| DDoS | High | Medium | Medium | P1 |
## 5. Mitigations
### Implemented
- [x] TLS 1.3 for all connections
- [x] JWT with short expiry
- [x] Rate limiting per tenant
### Planned
- [ ] WAF implementation
- [ ] Anomaly detection
- [ ] Penetration testing
Security Report Generator
#!/usr/bin/env python3
# scripts/generate-security-report.py
import json
import sys
from datetime import datetime
from pathlib import Path
def generate_report(scan_results_dir: Path) -> dict:
"""Generate consolidated security report from scan results."""
report = {
"generated_at": datetime.utcnow().isoformat(),
"summary": {
"total_vulnerabilities": 0,
"critical": 0,
"high": 0,
"medium": 0,
"low": 0,
},
"findings": [],
"recommendations": [],
}
# Process Trivy results
trivy_path = scan_results_dir / "trivy-vulns.json"
if trivy_path.exists():
with open(trivy_path) as f:
trivy_data = json.load(f)
for result in trivy_data.get("Results", []):
for vuln in result.get("Vulnerabilities", []):
severity = vuln.get("Severity", "UNKNOWN")
report["summary"]["total_vulnerabilities"] += 1
report["summary"][severity.lower()] = report["summary"].get(severity.lower(), 0) + 1
report["findings"].append({
"source": "trivy",
"type": "container_vulnerability",
"severity": severity,
"id": vuln.get("VulnerabilityID"),
"package": vuln.get("PkgName"),
"installed_version": vuln.get("InstalledVersion"),
"fixed_version": vuln.get("FixedVersion"),
"title": vuln.get("Title"),
"description": vuln.get("Description"),
"cvss": vuln.get("CVSS", {}).get("nvd", {}).get("V3Score"),
})
# Process Semgrep results
semgrep_path = scan_results_dir / "semgrep.sarif"
if semgrep_path.exists():
with open(semgrep_path) as f:
sarif_data = json.load(f)
for run in sarif_data.get("runs", []):
for result in run.get("results", []):
report["findings"].append({
"source": "semgrep",
"type": "code_vulnerability",
"severity": result.get("level", "warning").upper(),
"rule_id": result.get("ruleId"),
"message": result.get("message", {}).get("text"),
"location": result.get("locations", [{}])[0].get("physicalLocation", {}).get("artifactLocation", {}).get("uri"),
"line": result.get("locations", [{}])[0].get("physicalLocation", {}).get("region", {}).get("startLine"),
})
# Generate recommendations
if report["summary"]["critical"] > 0:
report["recommendations"].append({
"priority": "P0",
"action": "Address all critical vulnerabilities immediately",
"deadline": "24 hours",
})
if report["summary"]["high"] > 0:
report["recommendations"].append({
"priority": "P1",
"action": "Remediate high severity vulnerabilities",
"deadline": "1 week",
})
return report
if __name__ == "__main__":
results_dir = Path(sys.argv[1] if len(sys.argv) > 1 else "security-reports")
report = generate_report(results_dir)
print(json.dumps(report, indent=2))
# Exit with error if critical vulnerabilities found
if report["summary"]["critical"] > 0:
sys.exit(1)
Usage Examples
Run Full Security Scan
Apply vulnerability-assessment skill to configure comprehensive security scanning pipeline with SAST, DAST, and dependency scanning
Create Threat Model
Apply vulnerability-assessment skill to develop threat model for multi-tenant SaaS application using STRIDE methodology
Configure Container Scanning
Apply vulnerability-assessment skill to set up Trivy container scanning with custom policies and CI/CD integration
OWASP Top 10 Reference
Map vulnerabilities to OWASP Top 10 (2021) for prioritization and compliance:
| ID | Category | Detection Tool | Severity |
|---|---|---|---|
| A01:2021 | Broken Access Control | DAST, Manual | Critical |
| A02:2021 | Cryptographic Failures | SAST, Secrets Scan | Critical |
| A03:2021 | Injection | SAST (Semgrep) | Critical |
| A04:2021 | Insecure Design | Threat Model | High |
| A05:2021 | Security Misconfiguration | IaC Scan, Config Audit | High |
| A06:2021 | Vulnerable Components | Dependency Scan | High |
| A07:2021 | Auth Failures | DAST, SAST | Critical |
| A08:2021 | Software/Data Integrity | SAST, Supply Chain | High |
| A09:2021 | Logging Failures | Code Review | Medium |
| A10:2021 | SSRF | DAST, SAST | High |
OWASP Mapping in Reports:
{
"finding": {
"id": "VULN-001",
"owasp_category": "A03:2021 Injection",
"cwe_id": "CWE-89",
"cvss_score": 9.8,
"remediation_priority": "P0"
}
}
Output Template
Use this template for vulnerability assessment reports:
# Vulnerability Assessment Report
**Project:** [Project Name]
**Date:** [YYYY-MM-DD]
**Assessor:** [Name/Tool]
**Scope:** [Code/Container/Infrastructure]
## Executive Summary
| Severity | Count | % Remediated |
|----------|-------|--------------|
| Critical | X | 0% |
| High | Y | 0% |
| Medium | Z | 0% |
| Low | W | 0% |
**Risk Level:** [Critical/High/Medium/Low]
**Recommendation:** [Proceed/Block/Remediate]
## Findings
### [VULN-001] [Title]
| Field | Value |
|-------|-------|
| Severity | Critical |
| OWASP | A03:2021 Injection |
| CWE | CWE-89 |
| CVSS | 9.8 |
| Location | `src/api/users.py:42` |
| Status | Open |
**Description:** [What the vulnerability is]
**Impact:** [What could happen if exploited]
**Remediation:**
1. [Step 1]
2. [Step 2]
**Evidence:**
\`\`\`
[Code snippet or scan output]
\`\`\`
---
## Remediation Timeline
| Finding | Priority | Deadline | Owner |
|---------|----------|----------|-------|
| VULN-001 | P0 | 24 hours | @security |
| VULN-002 | P1 | 1 week | @backend |
## Sign-Off
- [ ] Security team reviewed
- [ ] Development team acknowledged
- [ ] Remediation plan approved
Integration Points
- cicd-pipeline-design - Security scanning in CI/CD
- compliance-frameworks - Vulnerability management for compliance
- multi-tenant-security - Security testing for tenant isolation
- container-orchestration - Container image security
Success Output
When this skill is successfully applied, output:
✅ SKILL COMPLETE: vulnerability-assessment
Completed:
- [x] SAST scanner configured (Semgrep/CodeQL)
- [x] DAST scanner setup (OWASP ZAP) if applicable
- [x] Dependency scanning pipeline active (npm audit/Snyk/safety)
- [x] Container scanning configured (Trivy)
- [x] Threat model created (STRIDE methodology)
- [x] Security report generated with findings and remediation
Outputs:
- .semgrep.yml (SAST rules)
- .github/workflows/security-scan.yml (CI/CD pipeline)
- trivy.yaml (container scanning config)
- THREAT-MODEL.md (STRIDE analysis)
- security-reports/consolidated-report.json
- Critical vulnerabilities: X, High: Y, Medium: Z
Completion Checklist
Before marking this skill as complete, verify:
- SAST scanner runs without errors in CI/CD
- Custom security rules created for project-specific risks
- Dependency scanner detects known CVEs
- Container images scanned for vulnerabilities
- SARIF results uploaded to GitHub Security tab
- Threat model covers all trust boundaries
- Security report generated with severity classification
- Critical vulnerabilities have remediation plans
- False positives documented and suppressed
- Scanning integrated into pull request checks
Failure Indicators
This skill has FAILED if:
- ❌ SAST scanner not detecting known vulnerabilities (e.g., SQL injection patterns)
- ❌ Dependency scanner missing critical CVEs
- ❌ Container scan fails to identify outdated base images
- ❌ CI/CD pipeline bypasses security checks
- ❌ Threat model missing critical attack vectors
- ❌ Security report shows no issues despite obvious vulnerabilities
- ❌ Scan results not uploaded to security dashboard
- ❌ Build succeeds despite critical vulnerabilities
- ❌ No remediation guidance provided for findings
- ❌ Tools missing from environment (command not found errors)
When NOT to Use
Do NOT use this skill when:
- Prototype/proof-of-concept phase (defer to pre-production)
- No sensitive data or user access (still recommended but lower priority)
- Offline/air-gapped environment without tool access
- Legacy codebase with no remediation budget (creates noise without action)
- Real-time scanning required (use lightweight runtime protection instead)
- Compliance not required and resources very limited
- Development environment only (no deployment planned)
Use alternatives:
- manual-security-review - For air-gapped environments
- runtime-application-protection - For production runtime scanning
- penetration-testing - For comprehensive security validation
- security-code-review - For detailed manual analysis
Anti-Patterns (Avoid)
| Anti-Pattern | Problem | Solution |
|---|---|---|
| Scan but never remediate | Creates vulnerability debt | Prioritize P0 (critical) remediation within 24 hours |
| No baseline | Can't measure improvement | Establish initial vulnerability baseline |
| Scanning in isolation | Results don't reach team | Integrate with GitHub Security, Slack notifications |
| Ignoring false positives | Noise hides real issues | Maintain .trivyignore and suppression files |
| Blocking builds unnecessarily | Slows development | Set thresholds (critical/high only), warn on medium/low |
| Missing scheduled scans | New CVEs not detected | Run daily/weekly scans, not just on PR |
| No threat model | Don't know what to scan for | Create STRIDE analysis before scanning |
| Scanning without context | Generic rules miss domain risks | Customize rules for application-specific threats |
| Tool sprawl | Too many tools, analysis paralysis | Consolidate to 2-3 core tools per category |
Principles
This skill embodies CODITECT core principles:
#4 Shift Left on Security
- Scan early in development cycle (pre-commit, PR, CI/CD)
- Prevent vulnerabilities from reaching production
- Automated remediation guidance at discovery time
#5 Eliminate Ambiguity
- Clear severity classification (CRITICAL/HIGH/MEDIUM/LOW)
- Explicit CVE IDs and CWE categories
- Remediation steps with specific version upgrades
#6 Clear, Understandable, Explainable
- Threat model explains attack vectors in plain language
- Security reports include OWASP Top 10 mapping
- SARIF format enables GitHub Security integration
#8 No Assumptions
- Validate tool installation before running scans
- Verify scan completeness (check for skipped files)
- Test remediation before marking vulnerability resolved
#9 Evidence-Based Decisions
- CVE database and NVD provide ground truth
- CVSS scores guide prioritization
- Threat model based on STRIDE methodology (proven framework)
#10 Research When in Doubt
- CVE databases updated daily (verify latest)
- New attack patterns emerge (update custom rules)
- Scanning tools evolve (check for new features)
Full Standard: CODITECT-STANDARD-AUTOMATION.md