source code scanning

Skill

Security-focused source code review and SAST. Scans for vulnerabilities (OWASP Top 10, CWE Top 25), CVEs in third-party dependencies/packages, hardcoded secrets, malicious code, and insecure patterns. Use when given source code, a repo path, or asked to "audit", "scan", "review" code security, or "check dependencies for CVEs".

Files7
  • @skills/source-code-scanning/SKILL.md
  • @skills/source-code-scanning/reference/dependency-cve-scanning.md
  • @skills/source-code-scanning/reference/language-patterns.md
  • @skills/source-code-scanning/reference/malicious-code.md
  • @skills/source-code-scanning/reference/manual-review.md
  • @skills/source-code-scanning/reference/sast-tools.md
  • @skills/source-code-scanning/reference/secrets-detection.md

Source Code Security Review

Quick Start

  1. Identify - languages, frameworks, package managers present
  2. Automated SAST - run tools appropriate to the stack
  3. Dependency CVEs - scan lockfiles/manifests for known CVEs
  4. Secrets scan - detect hardcoded credentials/tokens
  5. Manual review - trace high-risk sinks (exec, eval, query, deserialize)
  6. Malicious code - check for backdoors, obfuscation, suspicious network calls
  7. Report - findings with CWE/CVE refs, severity, PoC, remediation

Workflow

Phase 1: Enumerate

text
- Languages: ls **/*.{py,js,ts,java,go,rb,php,cs,rs}
- Packages: find package.json, requirements.txt, go.mod, pom.xml, Gemfile, composer.json, Cargo.toml
- Entry points: main(), index.*, app.*, server.*
- Config files: .env*, config.*, settings.*, *.yaml, *.toml

Phase 2: Automated SAST

See sast-tools.md [blocked] for commands per language.
Key tools:
  • Multi-language: Semgrep (semgrep --config=auto .)
  • Python: Bandit (bandit -r . -f json)
  • JavaScript/TS: ESLint security plugin, njsscan
  • Java: SpotBugs + FindSecBugs
  • Go: gosec (gosec ./...)
  • PHP: PHPCS Security Audit
  • Ruby: Brakeman (brakeman -o report.json)
  • All: CodeQL (via gh codeql)

Phase 3: Dependency CVE Scan

See dependency-cve-scanning.md [blocked] for commands.
EcosystemCommand
npm/yarnnpm audit --json / yarn audit
Pythonpip-audit -r requirements.txt
Javadependency-check --scan .
Gogovulncheck ./...
Rubybundle audit
Generictrivy fs . / grype dir:.

Phase 4: Secrets Detection

See secrets-detection.md [blocked].
bash
trufflehog filesystem . --json
gitleaks detect --source . -v

Phase 5: Manual Review

Focus on high-risk sinks — see manual-review.md [blocked]:
  • Injection sinks: exec, eval, query, system, popen
  • Deserialization: pickle.loads, ObjectInputStream, unserialize
  • Crypto: hardcoded keys, weak algorithms (MD5, SHA1, DES, ECB)
  • Auth: JWT validation, session management, RBAC enforcement
  • File ops: path construction with user input

Phase 6: Malicious Code

See malicious-code.md [blocked]:
  • Obfuscated strings (base64, hex, charCode)
  • Unexpected network calls in library code
  • Typosquatting indicators
  • Postinstall/lifecycle script abuse
  • Hidden backdoors in dependencies

Language-Specific Patterns

See language-patterns.md [blocked] for Python, JS, Java, Go, PHP, Ruby.

Severity Mapping

SeverityCVSSExamples
Critical9.0+RCE, SQLi with exfil, auth bypass
High7.0-8.9Stored XSS, SSRF, insecure deserialization
Medium4.0-6.9Reflected XSS, info disclosure, IDOR
Low0.1-3.9Missing headers, verbose errors

Output Format

text
findings/
  <severity>-<vuln-type>-<location>.md   # One file per finding
evidence/
  <tool>-output.json                      # Raw tool output
summary-report.md                         # Executive summary
Each finding: CWE/CVE ID | File:Line | Severity | PoC | Remediation

Mobile App Analysis (APK/IPA)

When given a mobile app binary:
  1. Extract: unzip app.apk -d extracted/ (APKs are ZIP archives)
  2. Identify framework: React Native (assets/index.android.bundle), Flutter (libflutter.so), Xamarin, or native
  3. React Native: JS bundle is plaintext — search for secrets, API keys, config objects, hardcoded tokens
  4. Encoded secrets: Search for base64 prefixes of known flag/secret formats (e.g., RkxBR = base64 of FLAG). Config objects often store secrets as base64 in debug, secret, apiKey fields
  5. Native: Use jadx for Java/Kotlin decompilation, check AndroidManifest.xml, strings.xml, BuildConfig
  6. Shared libs: Check .so files with strings for hardcoded credentials

Critical Rules

  • Never execute untrusted code during review
  • Treat all findings as potential until verified
  • Always cross-reference CVEs against actual version in use
  • Report supply chain issues separately (they affect all users)
source-code-scanning — Kortix Marketplace | Kortix