security-scanner

📁 kanopi/cms-cultivator 📅 Jan 26, 2026

总安装量

周安装量

安装命令

npx skills add https://github.com/kanopi/cms-cultivator --skill security-scanner

Agent 安装分布

cursor 3

antigravity 3

claude-code 3

codex 3

mcpjam 2

goose 2

Skill 文档

Security Scanner

Automatically scan code for security vulnerabilities.

Security Philosophy

Security is a continuous practice, not a one-time fix.

Core Beliefs

Defense in Depth: Multiple layers of security controls
Least Privilege: Grant minimum access necessary
Secure by Default: Safe configurations out of the box
Fail Securely: Errors should deny access, not grant it

Scope Balance

Quick checks (this skill): Fast feedback on specific code patterns (catches common vulnerabilities)
Comprehensive audits (/audit-security command): Full OWASP Top 10 scan with dependency checks
Penetration testing: Professional security testing (irreplaceable for production systems)

This skill provides rapid feedback during development. For production readiness, use comprehensive audits + professional pentesting.

When to Use This Skill

Activate this skill when the user:

Asks “is this secure?”
Shows code handling user input
Mentions “security vulnerability”, “exploit”, or “hack”
References XSS, SQL injection, CSRF, or authentication
Shows database queries or file operations
Asks “could this be exploited?”

Decision Framework

Before scanning for security issues, assess:

What’s the Attack Surface?

User input â Check for injection vulnerabilities (SQL, XSS, command injection)
Authentication â Check for weak passwords, session handling, brute force protection
Authorization â Check for privilege escalation, IDOR, access control
File operations â Check for path traversal, unrestricted uploads
API endpoints â Check for rate limiting, authentication, CORS

What’s the Risk Level?

Critical risks (prioritize first):

SQL injection in authentication
XSS on admin pages
Authentication bypass
Remote code execution
Data exposure (PII, passwords)

High risks:

CSRF on state-changing operations
Authorization flaws
Insecure file uploads
Weak session management

Medium/Low risks:

Information disclosure
Missing security headers
Weak error messages

What Type of Code Is This?

User-facing:

Forms â Check input validation, CSRF tokens
Search â Check SQL injection, XSS
File uploads â Check file type, size, path validation

Backend:

Database queries â Check parameterization
File system â Check path traversal
External API calls â Check credential handling

Authentication/Authorization:

Login â Check brute force protection, password requirements
Sessions â Check secure flags, timeout
Permissions â Check role-based access control

What Platform Standards Apply?

Drupal:

Use database API (no raw queries)
Use Form API (built-in CSRF)
Use Render API (auto-escaping)
Check permissions with hasPermission()

WordPress:

Use wpdb->prepare() for queries
Use wp_nonce_field() for CSRF
Use esc_html(), esc_attr() for output
Check permissions with current_user_can()

Decision Tree

User shows code or asks about security
    â
Identify attack surface (input/auth/files)
    â
Assess risk level (Critical/High/Medium)
    â
Check against OWASP Top 10
    â
Apply platform-specific patterns
    â
Report vulnerabilities with fixes
    â
Prioritize by exploitability and impact

Best Practices

DO:

â Always validate and sanitize user input
â Use parameterized queries or ORM for database operations
â Escape output based on context (HTML, JavaScript, URL, CSS)
â Implement CSRF protection on all state-changing operations
â Check permissions before sensitive operations
â Use strong, unique API keys and rotate them regularly
â Log security-relevant events (failed logins, permission denials)
â Keep dependencies updated and scan for CVEs
â Use HTTPS for all data transmission

DON’T:

â Trust user input without validation
â Build SQL queries with string concatenation
â Echo user input directly without escaping
â Store passwords in plain text or use weak hashing
â Hard-code secrets, API keys, or credentials in code
â Use eval(), unserialize(), or exec() with user input
â Disable security features (CSRF protection, XSS filters)
â Expose detailed error messages to end users
â Use outdated cryptographic algorithms (MD5, SHA1 for passwords)
â Assume data from database or API is safe (defense in depth)

Quick Security Checks

1. SQL Injection

Vulnerable Pattern:

// â DANGEROUS
$query = "SELECT * FROM users WHERE id = " . $_GET['id'];
db_query($query);

Secure Pattern:

// â SECURE
$query = db_select('users', 'u')
  ->condition('id', $id, '=')
  ->execute();

// Or with placeholders
$query = "SELECT * FROM users WHERE id = :id";
db_query($query, [':id' => $id]);

2. Cross-Site Scripting (XSS)

Vulnerable Pattern:

// â DANGEROUS
echo "<div>" . $_POST['name'] . "</div>";

Secure Pattern:

// â SECURE (Drupal)
echo "<div>" . Html::escape($_POST['name']) . "</div>";

// â SECURE (WordPress)
echo "<div>" . esc_html( $_POST['name'] ) . "</div>";

3. CSRF (Cross-Site Request Forgery)

Vulnerable Pattern:

// â DANGEROUS - No CSRF protection
if ($_POST['action'] === 'delete') {
  delete_user($_POST['user_id']);
}

Secure Pattern:

// â SECURE (Drupal) - CSRF token validation
if ($_POST['form_token'] && \Drupal::csrfToken()->validate($_POST['form_token'])) {
  delete_user($_POST['user_id']);
}

// â SECURE (WordPress) - Nonce validation
if (wp_verify_nonce($_POST['_wpnonce'], 'delete_user')) {
  delete_user($_POST['user_id']);
}

4. Authentication Bypass

Check for:

Missing permission checks
Hardcoded credentials
Weak password requirements
Session fixation vulnerabilities

5. File Upload Vulnerabilities

Vulnerable Pattern:

// â DANGEROUS - No validation
move_uploaded_file($_FILES['file']['tmp_name'], 'uploads/' . $_FILES['file']['name']);

Secure Pattern:

// â SECURE
$allowed_types = ['jpg', 'png', 'pdf'];
$extension = pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION);

if (in_array(strtolower($extension), $allowed_types)) {
  $safe_name = preg_replace('/[^a-zA-Z0-9_-]/', '', basename($_FILES['file']['name']));
  move_uploaded_file($_FILES['file']['tmp_name'], 'uploads/' . $safe_name);
}

Response Format

## Security Scan Results

### ð´ Critical Issues (Fix Immediately)

**1. SQL Injection Vulnerability**
- **Location**: `src/Controller/UserController.php:45`
- **Risk**: Critical - Allows database manipulation
- **Code**:
  ```php
  $query = "SELECT * FROM users WHERE id = " . $_GET['id'];

Fix:

$query = $connection->select('users', 'u')
  ->condition('id', $id, '=')
  ->execute();

OWASP: A03:2021 â Injection

ð High Priority

2. Missing CSRF Protection

Location: src/Form/DeleteForm.php:67
Risk: High – Allows unauthorized actions
Fix: Add CSRF token validation

ð¡ Medium Priority

3. Weak Password Policy

Current: Minimum 6 characters
Recommended: Minimum 12 characters + complexity rules

â Secure Patterns Found

â Output properly escaped (XSS protection)
â Access checks on admin routes
â File upload validation present


## OWASP Top 10 Quick Check

1. **Injection** - SQL, command, LDAP injection
2. **Broken Authentication** - Weak passwords, session management
3. **Sensitive Data Exposure** - Unencrypted data, weak crypto
4. **XML External Entities (XXE)** - XML parsing vulnerabilities
5. **Broken Access Control** - Missing permission checks
6. **Security Misconfiguration** - Default configs, verbose errors
7. **XSS** - Unescaped user input
8. **Insecure Deserialization** - Unsafe object deserialization
9. **Known Vulnerabilities** - Outdated dependencies
10. **Insufficient Logging** - No audit trail

## Platform-Specific Security

### Drupal Security

**Use**:
- `\Drupal\Component\Utility\Html::escape()` for output
- `\Drupal::database()->select()` for queries
- `\Drupal::csrfToken()->validate()` for forms
- `$this->currentUser()->hasPermission()` for access checks

### WordPress Security

**Use**:
- `esc_html()`, `esc_attr()`, `esc_url()` for output
- `$wpdb->prepare()` for queries
- `wp_verify_nonce()` for forms
- `current_user_can()` for permissions

## Integration with /audit-security Command

- **This Skill**: Focused code-level security checks
  - "Is this query secure?"
  - "Check this form for vulnerabilities"
  - Single function/file analysis

- **`/audit-security` Command**: Comprehensive security audit
  - Full OWASP Top 10 scan
  - Dependency vulnerability check
  - File permission analysis
  - Secrets detection

## Common Vulnerabilities

### Input Validation
```php
// â No validation
$age = $_POST['age'];

// â Validated
$age = filter_var($_POST['age'], FILTER_VALIDATE_INT, [
  'options' => ['min_range' => 1, 'max_range' => 120]
]);

Output Escaping

// â Unescaped
echo $user_input;

// â Escaped (context-appropriate)
echo Html::escape($user_input);           // HTML context
echo Html::escape($user_input, ENT_QUOTES); // Attribute context
echo json_encode($user_input);            // JSON context

Access Control

// â No permission check
function deleteUser($uid) {
  User::load($uid)->delete();
}

// â Permission checked
function deleteUser($uid) {
  if (!\Drupal::currentUser()->hasPermission('delete users')) {
    throw new AccessDeniedHttpException();
  }
  User::load($uid)->delete();
}

Resources

GitHub 仓库 ↗ ← 返回陌讯 Skills 聚合平台

security-scanner

Agent 安装分布

Skill 文档

Security Scanner

Security Philosophy

Core Beliefs

Scope Balance

When to Use This Skill

Decision Framework

What’s the Attack Surface?

What’s the Risk Level?

What Type of Code Is This?

What Platform Standards Apply?

Decision Tree

Best Practices

DO:

DON’T:

Quick Security Checks

1. SQL Injection

2. Cross-Site Scripting (XSS)

3. CSRF (Cross-Site Request Forgery)

4. Authentication Bypass

5. File Upload Vulnerabilities

Response Format

ð High Priority

ð¡ Medium Priority

â Secure Patterns Found

Output Escaping

Access Control

Resources

ð High Priority

ð¡ Medium Priority

â Secure Patterns Found