security-scan
The security-scan command performs a comprehensive code security audit across multiple phases, detecting hardcoded secrets like API keys and passwords, scanning dependencies for known vulnerabilities across Node.js, Python, Go, and Rust ecosystems, identifying dangerous code patterns including SQL injection, command injection, XSS, and path traversal risks, and verifying security configurations such as disabled debug modes and proper CORS settings. Use this before commits and pull requests to catch exploitable vulnerabilities before deployment.
```bash
mkdir -p ~/.claude/commands && curl -fsSL https://raw.githubusercontent.com/CloudAI-X/claude-workflow-v2/HEAD/commands/security-scan.md -o ~/.claude/commands/security-scan.md
```
security-scan.md
# Security Scan
Security-focused code scanning. Run before commits and PRs to catch vulnerabilities.
## Phase 1: Secret Detection
Scan for hardcoded credentials:
```bash
# Common secret patterns. -E enables ?, {n} and \s in the patterns (they are silently literal in basic grep);
# -i also catches API_KEY / SECRET / TOKEN; --exclude-dir skips node_modules and .git without a grep -v post-filter.
grep -rniE --exclude-dir=node_modules --exclude-dir=.git "password\s*[=:]\s*['\"]" --include=*.js --include=*.ts --include=*.py --include=*.go --include=*.java --include=*.rb . 2>/dev/null
grep -rniE --exclude-dir=node_modules --exclude-dir=.git "api[_-]?key\s*[=:]\s*['\"]" --include=*.js --include=*.ts --include=*.py --include=*.go --include=*.java --include=*.rb . 2>/dev/null
grep -rniE --exclude-dir=node_modules --exclude-dir=.git "secret\s*[=:]\s*['\"]" --include=*.js --include=*.ts --include=*.py --include=*.go --include=*.java --include=*.rb . 2>/dev/null
grep -rniE --exclude-dir=node_modules --exclude-dir=.git "token\s*[=:]\s*['\"]" --include=*.js --include=*.ts --include=*.py --include=*.go --include=*.java --include=*.rb . 2>/dev/null
# AWS access key IDs (case-sensitive on purpose: the AKIA prefix and the 16 uppercase characters are fixed)
grep -rnE --exclude-dir=node_modules --exclude-dir=.git "AKIA[0-9A-Z]{16}" . 2>/dev/null
# Private key files; the -o alternatives are grouped so the node_modules exclusion applies to all of them
find . \( -name "*.pem" -o -name "*.key" -o -name "id_rsa" \) -not -path "*/node_modules/*" 2>/dev/null
```
## Phase 2: Dependency Audit
Check for vulnerable dependencies:
### Node.js
```bash
npm audit --json 2>/dev/null | head -100
# or
yarn audit --json 2>/dev/null | head -100
```
### Python
```bash
pip-audit 2>/dev/null || safety check 2>/dev/null
```
### Go
```bash
govulncheck ./... 2>/dev/null
```
### Rust
```bash
cargo audit 2>/dev/null
```
## Phase 3: Code Pattern Analysis
Check for dangerous patterns:
### SQL Injection
- String concatenation in SQL queries
- Unparameterized queries
- Dynamic table/column names from user input
### Command Injection
- Shell execution with user input (`exec`, `system`, `subprocess`)
- Unsanitized path construction
### XSS Vulnerabilities
- `innerHTML` with user data
- `dangerouslySetInnerHTML` without sanitization
- Unescaped template variables
### Path Traversal
- User input in file paths without sanitization
- Missing `..` checks
## Phase 4: Configuration Check
Verify security settings:
- [ ] Debug mode disabled in production configs
- [ ] HTTPS enforced (no HTTP URLs in prod)
- [ ] CORS properly configured
- [ ] Security headers present (CSP, X-Frame-Options, etc.)
- [ ] No default/weak passwords in configs
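The Phase 3 code patterns and Phase 4 configuration checks above, as an added example that is not part of the original command or the claude-workflow-v2 project: a small rule-based scanner that reports hits in the `file:line` form the output format below uses. The regexes, file-extension sets and the two sample inputs are assumptions constructed for this example, not rules the command itself defines.

```python
import re
from pathlib import Path

# Heuristic regexes, not a parser: expect false positives and review every hit by hand.
CODE_RULES = {
    "SQL Injection": re.compile(r"""(SELECT|INSERT|UPDATE|DELETE)\b[^'"]*['"]+\s*\+|f['"]\s*(SELECT|INSERT|UPDATE|DELETE)\b""", re.I),
    "Command Injection": re.compile(r"\b(os\.system|subprocess\.\w+\([^)]*shell\s*=\s*True|child_process\.exec|exec\()"),
    "XSS": re.compile(r"\.innerHTML\s*=|dangerouslySetInnerHTML"),
    "Path Traversal": re.compile(r"(open|os\.path\.join|path\.join|readFile\w*)\([^)]*(req\.|request\.|params|query|user)"),
}
CONFIG_RULES = {
    "Debug mode enabled": re.compile(r"^\s*DEBUG\s*[=:]\s*['\"]?(true|1|on)\b", re.I),
    "Plain HTTP URL": re.compile(r"\bhttp://(?!localhost|127\.0\.0\.1)"),
    "CORS allows any origin": re.compile(r"(Access-Control-Allow-Origin|CORS\w*)\s*[=:]\s*['\"]?\*"),
    "Default/weak password": re.compile(r"password\s*[=:]\s*['\"]?(admin|password|changeme|123456|root)\b", re.I),
}
CODE_EXT = {".js", ".ts", ".py", ".go", ".java", ".rb"}
CONFIG_EXT = {".ini", ".cfg", ".toml", ".yaml", ".yml", ".json"}
SKIP_DIRS = {"node_modules", ".git"}  # same exclusions the Phase 1 greps apply

def scan_text(text, rules, filename="<input>"):
    """Return (issue, 'file:line', stripped source line) for every line some rule matches."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for issue, rx in rules.items():
            if rx.search(line):
                hits.append((issue, f"{filename}:{lineno}", line.strip()))
    return hits

def scan_tree(root):
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or SKIP_DIRS & set(path.parts):
            continue
        is_cfg = path.suffix in CONFIG_EXT or path.name.startswith(".env")  # Path(".env").suffix is ""
        rules = CODE_RULES if path.suffix in CODE_EXT else CONFIG_RULES if is_cfg else None
        if rules:
            hits.extend(scan_text(path.read_text(errors="replace"), rules, str(path)))
    return hits

# Constructed samples (not from any real project) that trigger each rule exactly once.
SAMPLE_CODE = '''cursor.execute("SELECT * FROM users WHERE name = '" + name + "'")
subprocess.run("ls " + user_dir, shell=True)
el.innerHTML = req.query.msg
f = open(os.path.join(BASE, request.args["file"]))
'''
SAMPLE_ENV = 'DEBUG=true\nAPI_URL=http://api.example.com/v1\nCORS_ORIGIN="*"\nDB_PASSWORD=changeme\n'

def sample_report():
    return scan_text(SAMPLE_CODE, CODE_RULES, "app.py") + scan_text(SAMPLE_ENV, CONFIG_RULES, ".env")
```

Run `scan_tree(".")` from a checkout to get the same tuples for real files; a parameterised query such as `execute("... WHERE id = %s", (uid,))` produces no hit, which is the distinction the SQL rule is built around.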
## Output Format
```
## Security Scan: [PASS/FAIL/WARNINGS]
### Secrets Detected: [count]
1. **CRITICAL** - `file:line`
   - Type: [API key/password/token/private key]
   - Action: Remove immediately and rotate credential
### Vulnerable Dependencies: [count]
1. **[package@version]** - Severity: [Critical/High/Medium/Low]
   - CVE: [CVE number if available]
   - Fixed in: [version]
   - Action: Update to [version]
### Code Vulnerabilities: [count]
1. **[Vulnerability Type]** - `file:line`
   - Risk: [description]
   - Fix: [remediation steps]
### Configuration Issues: [count]
1. **[Issue]**
   - Current: [state]
   - Recommended: [secure state]
### Recommendations
1. [Prioritized action items]
```
## NEVER Commit If
- Secrets detected in code (rotate and remove)
- Critical CVEs in dependencies (update first)
- Obvious injection vulnerabilities (fix first)
## Usage
This command ships with the project-starter plugin. Invoke with: `/project-starter:security-scan`