Vulnerability Scanner
Advanced vulnerability analysis for OWASP 2025, supply chain security, attack surface mapping, and risk prioritization.
Description
USE WHEN:
Auditing code for security vulnerabilities
Reviewing dependencies for supply chain risks
Scanning for hardcoded secrets or credentials
Identifying dangerous code patterns (injection, XSS, deserialization)
Preparing for security audits or penetration tests
Prioritizing vulnerability remediation by risk
DON'T USE WHEN:
Need runtime dynamic analysis (use actual pentest tools)
Scanning compiled binaries (this is source-code focused)
Need compliance-specific audits (PCI-DSS, HIPAA have dedicated tools)
Scripts
Script Purpose Usage scripts/security_scan.pyFull security scan python scripts/security_scan.py <path> [--scan-type all|deps|secrets|patterns|config]
Quick Start
bash # Full scan
python scripts/security_scan.py /path/to/project
# Just check for secrets
python scripts/security_scan.py /path/to/project --scan-type secrets
# Summary output
python scripts/security_scan.py /path/to/project --output summary
Reference Files
File Purpose checklists.md OWASP Top 10, Auth, API, Data protection checklists
1. Security Expert Mindset
Core Principles
Principle Application Assume Breach Design as if attacker already inside Zero Trust Never trust, always verify Defense in Depth Multiple layers, no single point Least Privilege Minimum required access only Fail Secure On error, deny access
Threat Modeling Questions
Before scanning, ask:
What are we protecting? (Assets)
Who would attack? (Threat actors)
How would they attack? (Attack vectors)
What's the impact? (Business risk)
2. OWASP Top 10:2025
Risk Categories
Rank Category Think About A01 Broken Access Control Who can access what? IDOR, SSRF A02 Security Misconfiguration Defaults, headers, exposed services A03 Software Supply Chain π Dependencies, CI/CD, build integrity A04 Cryptographic Failures Weak crypto, exposed secrets A05 Injection User input β system commands A06 Insecure Design Flawed architecture A07 Authentication Failures Session, credential management A08 Integrity Failures Unsigned updates, tampered data A09 Logging & Alerting Blind spots, no monitoring A10 Exceptional Conditions π Error handling, fail-open states
2025 Key Changes
text 2021 β 2025 Shifts:
βββ SSRF merged into A01 (Access Control)
βββ A02 elevated (Cloud/Container configs)
βββ A03 NEW: Supply Chain (major focus)
βββ A10 NEW: Exceptional Conditions
βββ Focus shift: Root causes > Symptoms
3. Supply Chain Security (A03)
Attack Surface
Vector Risk Question to Ask Dependencies Malicious packages Do we audit new deps? Lock files Integrity attacks Are they committed? Build pipeline CI/CD compromise Who can modify? Registry Typosquatting Verified sources?
Defense Principles
Verify package integrity (checksums)
Pin versions, audit updates
Use private registries for critical deps
Sign and verify artifacts
4. Attack Surface Mapping
What to Map
Category Elements Entry Points APIs, forms, file uploads Data Flows Input β Process β Output Trust Boundaries Where auth/authz checked Assets Secrets, PII, business data
Prioritization Matrix
text Risk = Likelihood Γ Impact
High Impact + High Likelihood β CRITICAL
High Impact + Low Likelihood β HIGH
Low Impact + High Likelihood β MEDIUM
Low Impact + Low Likelihood β LOW
5. Risk Prioritization
CVSS + Context
Factor Weight Question CVSS Score Base severity How severe is the vuln? EPSS Score Exploit likelihood Is it being exploited? Asset Value Business context What's at risk? Exposure Attack surface Internet-facing?
Prioritization Decision Tree
text Is it actively exploited (EPSS >0.5)?
βββ YES β CRITICAL: Immediate action
βββ NO β Check CVSS
βββ CVSS β₯9.0 β HIGH
βββ CVSS 7.0-8.9 β Consider asset value
βββ CVSS <7.0 β Schedule for later
6. Exceptional Conditions (A10 - New)
Fail-Open vs Fail-Closed
Scenario Fail-Open (BAD) Fail-Closed (GOOD) Auth error Allow access Deny access Parsing fails Accept input Reject input Timeout Retry forever Limit + abort
What to Check
Exception handlers that catch-all and ignore
Missing error handling on security operations
Race conditions in auth/authz
Resource exhaustion scenarios
7. Scanning Methodology
Phase-Based Approach
text 1. RECONNAISSANCE
βββ Understand the target
βββ Technology stack
βββ Entry points
βββ Data flows
2. DISCOVERY
βββ Identify potential issues
βββ Configuration review
βββ Dependency analysis
βββ Code pattern search
3. ANALYSIS
βββ Validate and prioritize
βββ False positive elimination
βββ Risk scoring
βββ Attack chain mapping
4. REPORTING
βββ Actionable findings
βββ Clear reproduction steps
βββ Business impact
βββ Remediation guidance
8. Code Pattern Analysis
High-Risk Patterns
Pattern Risk Look For String concat in queries Injection "SELECT * FROM " + user_inputDynamic code execution RCE eval(), exec(), Function()Unsafe deserialization RCE pickle.loads(), unserialize()Path manipulation Traversal User input in file paths Disabled security Various verify=False, --insecure
Secret Patterns
Type Indicators API Keys api_key, apikey, high entropyTokens token, bearer, jwtCredentials password, secret, keyCloud AWS_, AZURE_, GCP_ prefixes
9. Cloud Security Considerations
Shared Responsibility
Layer You Own Provider Owns Data β
β Application β
β OS/Runtime Depends Depends Infrastructure β β
Cloud-Specific Checks
IAM: Least privilege applied?
Storage: Public buckets?
Network: Security groups tightened?
Secrets: Using secrets manager?
10. Anti-Patterns
β Don't β
Do Scan without understanding Map attack surface first Alert on every CVE Prioritize by exploitability + asset Ignore false positives Maintain verified baseline Fix symptoms only Address root causes Scan once before deploy Continuous scanning Trust third-party deps blindly Verify integrity, audit code
11. Reporting Principles
Finding Structure
Each finding should answer:
What? - Clear vulnerability description
Where? - Exact location (file, line, endpoint)
Why? - Root cause explanation
Impact? - Business consequence
How to fix? - Specific remediation
Severity Classification
Severity Criteria Critical RCE, auth bypass, mass data exposure High Data exposure, privilege escalation Medium Limited scope, requires conditions Low Informational, best practice
Remember: Vulnerability scanning finds issues. Expert thinking prioritizes what matters. Always ask: "What would an attacker do with this?"