Security Scanner
Goal: Scan code for security vulnerabilities: OWASP Top 10, LLM Top 10, secrets, dependency CVEs
Description
Performs comprehensive security scanning on generated code. Checks for OWASP Top 10 vulnerabilities (SQL injection, XSS, broken auth), LLM-specific risks (prompt injection patterns, excessive agency), hardcoded secrets, and dependency vulnerabilities. Blocks deployment if CRITICAL vulnerabilities found.
Usage
- "Scan code for security vulnerabilities"
- "Run security checks on [files]"
- "Check for OWASP Top 10 issues"
When to Use
- After quality-gate-checker passes
- Before code review
- Required for deployment approval
Pipeline Contract (sdlc-tdd-full.lobster)
Inputs:
- files (JSON array): Implementation files to scan
- config (string): Path to quality-gates.yaml (default: config/quality-gates.yaml)
Output: JSON with structure:
{
"status": "PASS",
"vulnerabilities": [],
"owasp_checks": {
"sql_injection": {"found": 0, "status": "PASS"},
"xss": {"found": 0, "status": "PASS"},
"broken_access_control": {"found": 0, "status": "PASS"},
"command_injection": {"found": 0, "status": "PASS"},
"ssrf": {"found": 0, "status": "PASS"}
},
"secret_scan": {
"secrets_found": 0,
"status": "PASS",
"findings": []
},
"dependency_scan": {
"critical": 0,
"high": 0,
"medium": 3,
"low": 5,
"status": "PASS",
"vulnerabilities": []
},
"llm_security": {
"prompt_injection_patterns": 0,
"status": "PASS"
}
}
Implementation
Execute in order. Do not run Lobster or any pipeline.
Step 1: Detect Language
- Scan files to determine language (Python vs JavaScript/TypeScript)
- Select appropriate security tools for detected language
Step 2: Static Analysis (OWASP Top 10)
Python (Bandit):
bandit -r src/ api/ -f json --severity-level medium
- Parse JSON output for vulnerabilities
- Check for: SQL injection (B608), command injection (B602 for subprocess with shell=True, B605 for os.system), hardcoded passwords (B105/B106)
JavaScript (ESLint + eslint-plugin-security):
eslint src/ --plugin security --format json
- `--plugin security` only loads the plugin; its rules must be enabled in the ESLint config (for example by extending plugin:security/recommended) or the run reports nothing
- Check for: eval usage, innerHTML without sanitization, crypto issues
Manual Pattern Detection:
SQL Injection:
- Look for string concatenation/f-strings in SQL queries
- Pattern: `f"SELECT * FROM users WHERE id={user_id}"`
- CRITICAL if found
XSS:
- Look for: `innerHTML`, `dangerouslySetInnerHTML` without sanitization
- Look for: User input rendered without escaping
- HIGH if found
Broken Access Control:
- Check for missing `@require_auth` decorators on endpoints
- Check for missing ownership validation (`if g.user_id != resource.user_id`)
- HIGH if found
Command Injection:
- Look for: `subprocess.run(shell=True)`, `os.system()`, `exec()`
- Look for: User input in shell commands
- CRITICAL if found
SSRF:
- Look for: `requests.get(user_url)` without validation
- Check for URL whitelist/validation
- HIGH if found
Output:
{
"sql_injection": {
"found": 0,
"status": "PASS",
"findings": []
},
"xss": {
"found": 0,
"status": "PASS",
"findings": []
},
"broken_access_control": {
"found": 1,
"status": "FAIL",
"findings": [
{
"file": "api/endpoints/profile.py",
"line": 42,
"severity": "HIGH",
"issue": "Missing @require_auth decorator on endpoint",
"recommendation": "Add @require_auth decorator to enforce authentication"
}
]
}
}
Step 3: Dependency Scanning
Python (pip-audit):
pip-audit --format json
- Parse JSON: package, version, vulnerability ID (plus CVE aliases), fix versions
- pip-audit's JSON carries no severity field; severities must be looked up by ID (OSV/NVD), and an advisory with no rating must not silently count as non-blocking
- FAIL if any CRITICAL or HIGH CVEs
JavaScript (npm audit):
npm audit --json
- Parse JSON: advisories with severity levels (npm reports "moderate" where this contract says "medium")
- FAIL if any HIGH or CRITICAL
Output:
{
"critical": 0,
"high": 0,
"medium": 3,
"low": 5,
"status": "PASS",
"vulnerabilities": [
{
"package": "requests",
"version": "2.25.0",
"vulnerability": "CVE-2023-12345",
"severity": "medium",
"recommendation": "Upgrade to 2.31.0+"
}
]
}
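The two tool outputs above have different shapes, and neither matches the Step 3 object directly: pip-audit names each advisory and its fix versions but gives no severity, and npm audit grades with "moderate" where this contract says "medium". The following is an added example, not code from the page or the pipeline, of normalising both into the Step 3 structure. The sample reports are constructed to mirror the tools' JSON layouts, the advisory identifiers are placeholders (the page's own CVE-2023-12345 and a made-up GHSA URL), and `SEVERITY_LOOKUP` stands in for an OSV/NVD severity query. An advisory with no known rating is counted as high so it cannot pass unnoticed; that is this example's choice, not a rule stated on the page.

```python
import json

SEVERITIES = ("critical", "high", "medium", "low")
# npm audit says "moderate" where this pipeline's schema says "medium"; "info" is folded into low.
NPM_SEVERITY = {"critical": "critical", "high": "high", "moderate": "medium", "low": "low", "info": "low"}

# Constructed stand-in for an OSV/NVD lookup: pip-audit's JSON names the advisory and
# its fix versions but carries no severity. The ID is the page's placeholder, not a real advisory.
SEVERITY_LOOKUP = {"CVE-2023-12345": "medium"}

# Constructed `pip-audit --format json` output (current shape: {"dependencies": [...], "fixes": [...]}).
PIP_AUDIT_SAMPLE = {
    "dependencies": [
        {"name": "requests", "version": "2.25.0", "vulns": [
            {"id": "PYSEC-0000-0001", "fix_versions": ["2.31.0"], "aliases": ["CVE-2023-12345"],
             "description": "constructed advisory"}]},
        {"name": "flask", "version": "2.3.0", "vulns": []},
    ],
    "fixes": [],
}

# Constructed `npm audit --json` output (auditReportVersion 2). `via` mixes advisory objects
# with plain strings naming the package a transitive dependency inherits the problem from.
NPM_AUDIT_SAMPLE = {
    "auditReportVersion": 2,
    "vulnerabilities": {
        "lodash": {"name": "lodash", "severity": "moderate", "isDirect": False,
                   "via": [{"source": 0, "name": "lodash", "title": "constructed advisory",
                            "url": "https://github.com/advisories/GHSA-0000-0000-0000",
                            "severity": "moderate", "range": "<4.17.21"}],
                   "range": "<4.17.21", "nodes": ["node_modules/lodash"],
                   "fixAvailable": {"name": "lodash", "version": "4.17.21", "isSemVerMajor": False}},
        "some-cli": {"name": "some-cli", "severity": "moderate", "via": ["lodash"],
                     "range": "*", "fixAvailable": True},
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 2, "high": 0, "critical": 0, "total": 2}},
}


def parse_pip_audit(report):
    """Normalise pip-audit JSON (dict with "dependencies", or the older bare list) into Step 3 entries."""
    deps = report["dependencies"] if isinstance(report, dict) else report
    entries = []
    for dep in deps:
        for vuln in dep.get("vulns", []):
            ids = [vuln["id"], *vuln.get("aliases", [])]
            cve = next((i for i in ids if i.startswith("CVE-")), vuln["id"])
            # Fail closed: an advisory with no known severity is reported as high so it blocks until triaged.
            severity = next((SEVERITY_LOOKUP[i] for i in ids if i in SEVERITY_LOOKUP), "high")
            fixes = vuln.get("fix_versions") or []
            entries.append({
                "package": dep["name"], "version": dep["version"], "vulnerability": cve, "severity": severity,
                "recommendation": f"Upgrade to {fixes[0]}+" if fixes else "No fixed version published; pin, patch or replace",
            })
    return entries


def parse_npm_audit(report):
    """Normalise npm audit JSON. Only packages carrying their own advisory objects are reported;
    a transitive 'via <name>' string points at a package that is already listed."""
    entries = []
    for name, item in report.get("vulnerabilities", {}).items():
        for adv in (a for a in item.get("via", []) if isinstance(a, dict)):
            fix = item.get("fixAvailable")
            if isinstance(fix, dict):
                rec = f"Upgrade {fix['name']} to {fix['version']}" + (" (semver-major)" if fix.get("isSemVerMajor") else "")
            else:
                rec = "Run `npm audit fix`" if fix else "No fix available; replace the package"
            entries.append({
                "package": name,
                "version": item.get("range", ""),  # npm reports the vulnerable range, not the installed version
                "vulnerability": adv.get("url") or adv.get("title", ""),
                "severity": NPM_SEVERITY.get(adv.get("severity", ""), "high"),  # unknown severity fails closed
                "recommendation": rec,
            })
    return entries


def dependency_scan(entries):
    """Count by severity and apply the page's rule: any CRITICAL or HIGH CVE fails the step."""
    counts = {s: sum(1 for e in entries if e["severity"] == s) for s in SEVERITIES}
    status = "FAIL" if counts["critical"] or counts["high"] else "PASS"
    return {**counts, "status": status, "vulnerabilities": entries}


if __name__ == "__main__":
    print(json.dumps(dependency_scan(parse_pip_audit(PIP_AUDIT_SAMPLE) + parse_npm_audit(NPM_AUDIT_SAMPLE)), indent=2))
```

For a real run, replace the two sample dicts with `json.load()` of the tool output and `SEVERITY_LOOKUP` with an OSV or NVD query; the counting and PASS/FAIL rule stay the same.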
Step 4: Secret Scanning
TruffleHog:
trufflehog filesystem src/ api/ --json --only-verified
- Detect: API keys, passwords, tokens, private keys, database URLs
- `--only-verified` reports only credentials TruffleHog could confirm are live; drop it to also catch revoked or unverifiable keys that are still hardcoded
detect-secrets:
detect-secrets scan src/ api/ --baseline .secrets.baseline
- Cross-reference with baseline (known false positives)
Manual Pattern Check:
- Search for patterns in config/prompt-injection-patterns.txt
- Look for: `API_KEY = "sk-..."`, `PASSWORD = "..."`, `JWT_SECRET = "..."`
FAIL if any secrets found (blocking).
Output:
{
"secrets_found": 0,
"status": "PASS",
"findings": []
}
If secrets found:
{
"secrets_found": 2,
"status": "FAIL",
"findings": [
{
"file": "api/config.py",
"line": 12,
"type": "API Key",
"pattern": "sk-[A-Za-z0-9]{32}",
"recommendation": "Move to environment variable: API_KEY = os.getenv('API_KEY')"
}
]
}
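Added example, not the page's or the project's code: a pattern scanner for the manual check above that cross-references a baseline the way detect-secrets does and writes the Step 4 output. The baseline holds SHA-256 fingerprints of accepted values rather than the values themselves, each finding reports the same fingerprint instead of echoing the secret, and values that are obviously templates (`${VAR}`, `<placeholder>`) are skipped. The regexes, the "Assigned Secret" and "Database URL" pattern names, `SAMPLE_FILES` and the fixture credential in the baseline are all constructed for the example.

```python
import hashlib
import json
import re

# Regexes for the page's manual secret patterns plus two formats TruffleHog also looks for.
# The "sk-" prefix is the page's own example; real key formats vary by provider.
SECRET_PATTERNS = {
    "API Key": re.compile(r"\bsk-[A-Za-z0-9]{32,}\b"),
    "Assigned Secret": re.compile(r"(?i)\b(?:API_KEY|PASSWORD|JWT_SECRET|SECRET_KEY)\b\s*[:=]\s*[\"']([^\"']{8,})[\"']"),
    "Private Key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "Database URL": re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb)://[^:\s]+:[^@\s]+@"),
}
# Values that are templates rather than secrets: ${VAR}, <placeholder>, {{ jinja }}, "...", "xxx"
PLACEHOLDER = re.compile(r"\$\{.*\}|<.*>|\{\{.*\}\}|\.{3,}|x{3,}")
ASSIGNMENT = re.compile(r"\s*([A-Za-z_]\w*)\s*[:=]")


def fingerprint(secret):
    """Baseline key for a secret: its hash, so the baseline never stores the secret itself."""
    return hashlib.sha256(secret.encode()).hexdigest()


# Constructed implementation files; the fixture credential in the second file has been
# accepted into the baseline as a known false positive.
SAMPLE_FILES = {
    "api/config.py": (
        "import os\n"
        'API_KEY = "sk-ABCDEFGHIJKLMNOPQRSTUVWXYZ123456"\n'
        'DB_URL = os.getenv("DATABASE_URL")\n'
        'JWT_SECRET = "change-me-in-production"\n'
        'PASSWORD = "${DB_PASSWORD}"\n'
    ),
    "tests/fixtures.py": 'DATABASE_URL = "postgres://app:s3cr3tpass@db.internal:5432/app"\n',
}
BASELINE = {fingerprint("postgres://app:s3cr3tpass@")}


def scan_for_secrets(files, baseline):
    """Return the Step 4 object for {path: source} inputs, skipping baselined hashes and placeholders."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for kind, rx in SECRET_PATTERNS.items():
                match = rx.search(line)
                if not match:
                    continue
                value = match.group(match.lastindex or 0)
                if PLACEHOLDER.fullmatch(value) or fingerprint(value) in baseline:
                    break
                lhs = ASSIGNMENT.match(line)
                var = lhs.group(1) if lhs else "SECRET"
                findings.append({
                    "file": path, "line": lineno, "type": kind, "pattern": rx.pattern,
                    "hashed_secret": fingerprint(value)[:16],  # report a fingerprint, never the value
                    "recommendation": f"Move to environment variable: {var} = os.getenv('{var}')",
                })
                break  # one finding per line
    return {"secrets_found": len(findings), "status": "FAIL" if findings else "PASS", "findings": findings}


if __name__ == "__main__":
    print(json.dumps(scan_for_secrets(SAMPLE_FILES, BASELINE), indent=2))
```

Reading the baseline as a set of hashes is what makes the "known false positives" step safe to commit to the repository: the scan report and the baseline file can both be shared without either one leaking the credential they refer to.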
Step 5: OWASP Top 10 Pattern Detection
Check for specific vulnerability patterns:
1. SQL Injection:
# BAD patterns to detect:
db.execute(f"SELECT * FROM users WHERE id={user_id}")
db.execute("SELECT * FROM users WHERE id=" + user_id)
cursor.execute("DELETE FROM users WHERE email='" + email + "'")
2. XSS:
// BAD patterns to detect:
element.innerHTML = userInput;
<div dangerouslySetInnerHTML={{__html: userInput}} />
document.write(userInput);
3. Broken Auth:
# BAD patterns to detect:
@app.route("/api/admin")  # Missing @require_auth
def admin_panel():
    ...  # No authentication check before admin data is returned
4. Command Injection:
# BAD patterns to detect:
subprocess.run(f"convert {user_file}", shell=True)
os.system("rm " + user_file)
5. SSRF:
# BAD patterns to detect:
requests.get(user_provided_url)  # No validation
urllib.request.urlopen(callback_url)  # No whitelist
For each pattern found, create vulnerability entry with:
- file, line, severity (CRITICAL/HIGH/MEDIUM)
- description of issue
- recommendation for fix
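Steps 2 and 5 describe the same manual pattern detection. The following is an added example, not code from the page or the pipeline, of doing it on Python files with the `ast` module rather than text search, so that `db.execute("... id=?", (user_id,))` is not confused with `db.execute(f"... id={user_id}")`, and a `@require_auth` that sits below another decorator is still seen. `SAMPLE_SOURCE` is constructed; the `app.route` and `require_auth` decorator names are the ones the page's own pattern uses; the XSS category is always empty here because that check applies to JavaScript. The result is the Step 2 output structure (per-category `found`, `status`, `findings`).

```python
import ast
import json

# Constructed sample standing in for one implementation file passed to the scanner.
# Everything except `profile` is deliberately written the way the page's BAD patterns describe.
SAMPLE_SOURCE = '''
import os, subprocess, requests
import urllib.request
from app import app, db, require_auth

@app.route("/api/profile")
@require_auth
def profile(user_id):
    return db.execute("SELECT * FROM users WHERE id=?", (user_id,))

@app.route("/api/admin")
def admin_panel():
    return "admin"

def lookup(user_id, email):
    db.execute(f"SELECT * FROM users WHERE id={user_id}")
    db.execute("DELETE FROM users WHERE email='" + email + "'")

def convert(user_file):
    subprocess.run(f"convert {user_file}", shell=True)
    os.system("rm " + user_file)

def fetch(user_url, callback_url):
    requests.get("https://api.example.com/health")
    urllib.request.urlopen(callback_url)
    return requests.get(user_url)
'''

CATEGORIES = ["sql_injection", "xss", "broken_access_control", "command_injection", "ssrf"]
SQL_METHODS = {"execute", "executemany", "executescript"}
HTTP_CALLS = {"requests.get", "requests.post", "requests.request", "urllib.request.urlopen"}
SHELL_CALLS = {"os.system", "os.popen", "exec"}


def _dotted(node):
    """'a.b.c' for a Name/Attribute chain, or None for anything else (e.g. the result of a call)."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _is_dynamic(node):
    """True for an f-string or a `+` concatenation: the page's SQL-injection signal."""
    return isinstance(node, ast.JoinedStr) or (isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add))


def scan_source(path, source):
    """Findings for one Python file, each in the Step 2 finding shape plus its category key."""
    findings = []

    def add(node, category, severity, issue, recommendation):
        findings.append({"file": path, "line": node.lineno, "category": category, "severity": severity,
                         "issue": issue, "recommendation": recommendation})

    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted(node.func) or ""
            first = node.args[0] if node.args else None
            tainted = first is not None and not isinstance(first, ast.Constant)  # anything but a literal
            if name.rsplit(".", 1)[-1] in SQL_METHODS and first is not None and _is_dynamic(first):
                add(node, "sql_injection", "CRITICAL", "SQL query built with f-string/concatenation",
                    "Pass values as query parameters instead of formatting them into the SQL text")
            elif name in SHELL_CALLS and tainted:
                add(node, "command_injection", "CRITICAL", f"{name}() called with a non-literal argument",
                    "Use subprocess with an argument list and shell=False; never pass user input to a shell")
            elif name.startswith("subprocess.") and any(
                    kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
                    for kw in node.keywords):
                # A literal command with shell=True is not injectable; rating it MEDIUM is this example's choice.
                add(node, "command_injection", "CRITICAL" if tainted else "MEDIUM", f"{name}(shell=True)",
                    "Drop shell=True and pass the command as a list")
            elif name in HTTP_CALLS and tainted:
                add(node, "ssrf", "HIGH", f"{name}() called with a non-literal URL",
                    "Validate the URL against an allow-list of schemes and hosts before fetching")
        elif isinstance(node, ast.FunctionDef):
            decorators = [_dotted(d.func if isinstance(d, ast.Call) else d) or "" for d in node.decorator_list]
            if any(d.endswith(".route") for d in decorators) and "require_auth" not in decorators:
                add(node, "broken_access_control", "HIGH", "Missing @require_auth decorator on endpoint",
                    "Add @require_auth decorator to enforce authentication")
    return sorted(findings, key=lambda f: f["line"])


def owasp_checks(findings):
    """Fold findings into the per-category {found, status, findings} objects the pipeline expects."""
    checks = {}
    for category in CATEGORIES:
        hits = [f for f in findings if f["category"] == category]
        checks[category] = {"found": len(hits), "status": "FAIL" if hits else "PASS", "findings": hits}
    return checks


if __name__ == "__main__":
    print(json.dumps(owasp_checks(scan_source("api/sample.py", SAMPLE_SOURCE)), indent=2))
```

Working on the syntax tree also keeps the access-control check honest: a `require_auth` that only appears in a comment or a string no longer satisfies it. What the AST cannot tell is whether a variable argument was user-controlled, so every non-literal is reported and the reviewer decides.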
Step 6: LLM Security Checks
From docs/SECURITY-HARDENING-AGENTIC.md:
Prompt Injection Patterns:
- Search code for prompt strings that might be vulnerable
- Check against patterns in config/prompt-injection-patterns.txt
- Look for: "ignore previous instructions", code injection in prompts
Excessive Agency:
- Check for rate limits on API endpoints
- Verify approval gates exist for critical operations
- Ensure sandboxing/isolation for code execution
System Prompt Leakage:
- Search for hardcoded prompt paths in code
- Look for: "SKILL.md", "system_prompt", hardcoded instructions
Output:
{
"prompt_injection_patterns": 0,
"excessive_agency": false,
"system_prompt_leakage": false,
"status": "PASS"
}
Step 7: Aggregate Results
Determine overall status:
- PASS: No CRITICAL or HIGH vulnerabilities
- FAIL: Any of:
  - CRITICAL vulnerabilities found
  - HIGH vulnerabilities found
  - Secrets found
  - Dependency CVEs (CRITICAL/HIGH)
Collect vulnerabilities array:
{
"vulnerabilities": [
{
"severity": "HIGH",
"type": "Broken Access Control",
"file": "api/endpoints/profile.py",
"line": 42,
"issue": "Missing @require_auth decorator",
"recommendation": "Add @require_auth decorator to enforce authentication"
}
]
}
Step 8: Output Results
Generate JSON with:
- status: PASS or FAIL
- vulnerabilities: Array of findings with severity, type, file, line, recommendation
- owasp_checks: Object with checks for each OWASP category
- secret_scan: Object with secrets found
- dependency_scan: Object with CVE counts by severity
- llm_security: Object with LLM-specific checks
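Added example, not the project's code, of Steps 7 and 8 together: taking the per-step objects from Steps 2 to 6 and producing the pipeline-contract JSON. It applies the rules above (CRITICAL and HIGH block, secrets always block, an LLM-security FAIL blocks) and follows the page's sample output in keeping MEDIUM and LOW dependency CVEs in their own section rather than in the top-level array (the sample has medium: 3 beside an empty `vulnerabilities` list). Reporting a hardcoded secret as CRITICAL in that array is this example's choice. The sample inputs reuse the values from the page's own output examples.

```python
import json

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}
BLOCKING = {"CRITICAL", "HIGH"}

# Per-step objects as Steps 2-6 would emit them; values mirror the page's sample outputs.
OWASP = {
    "sql_injection": {"found": 0, "status": "PASS", "findings": []},
    "xss": {"found": 0, "status": "PASS", "findings": []},
    "broken_access_control": {"found": 1, "status": "FAIL", "findings": [
        {"file": "api/endpoints/profile.py", "line": 42, "severity": "HIGH",
         "issue": "Missing @require_auth decorator on endpoint",
         "recommendation": "Add @require_auth decorator to enforce authentication"}]},
    "command_injection": {"found": 0, "status": "PASS", "findings": []},
    "ssrf": {"found": 0, "status": "PASS", "findings": []},
}
SECRETS = {"secrets_found": 0, "status": "PASS", "findings": []}
DEPS = {"critical": 0, "high": 0, "medium": 1, "low": 0, "status": "PASS", "vulnerabilities": [
    {"package": "requests", "version": "2.25.0", "vulnerability": "CVE-2023-12345", "severity": "medium",
     "recommendation": "Upgrade to 2.31.0+"}]}
LLM = {"prompt_injection_patterns": 0, "excessive_agency": False, "system_prompt_leakage": False, "status": "PASS"}


def aggregate(owasp_checks, secret_scan, dependency_scan, llm_security):
    """Build the final Step 8 JSON from the per-step objects."""
    vulns = []
    for category, check in owasp_checks.items():
        for f in check.get("findings", []):
            vulns.append({"severity": f["severity"], "type": category.replace("_", " ").title(),
                          "file": f["file"], "line": f["line"], "issue": f["issue"],
                          "recommendation": f["recommendation"]})
    # Secrets block regardless of any severity a tool assigned them; they are listed as CRITICAL (assumption).
    for f in secret_scan.get("findings", []):
        vulns.append({"severity": "CRITICAL", "type": "Hardcoded Secret", "file": f["file"], "line": f["line"],
                      "issue": f"Hardcoded {f['type']}", "recommendation": f["recommendation"]})
    for v in dependency_scan.get("vulnerabilities", []):
        vulns.append({"severity": v["severity"].upper(), "type": "Vulnerable Dependency",
                      "file": f"{v['package']}=={v['version']}", "line": None,
                      "issue": v["vulnerability"], "recommendation": v["recommendation"]})
    # Only blocking findings go in the top-level array; MEDIUM/LOW dependency CVEs stay in dependency_scan counts.
    blocking = sorted((v for v in vulns if v["severity"] in BLOCKING),
                      key=lambda v: (SEVERITY_RANK[v["severity"]], v["file"], v["line"] or 0))
    failed = bool(blocking) or secret_scan.get("secrets_found", 0) > 0 or llm_security.get("status") == "FAIL"
    return {
        "status": "FAIL" if failed else "PASS",
        "vulnerabilities": blocking,
        "owasp_checks": {k: {"found": c["found"], "status": c["status"]} for k, c in owasp_checks.items()},
        "secret_scan": {"secrets_found": secret_scan.get("secrets_found", 0),
                        "status": secret_scan.get("status", "PASS")},
        "dependency_scan": {**{k: dependency_scan.get(k, 0) for k in ("critical", "high", "medium", "low")},
                            "status": dependency_scan.get("status", "PASS")},
        "llm_security": llm_security,
    }


if __name__ == "__main__":
    print(json.dumps(aggregate(OWASP, SECRETS, DEPS, LLM), indent=2))
```

The ordering by severity rank and then file/line is what makes two runs over the same tree produce the same report, which matters when the JSON is diffed between pipeline stages.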
Output Format
Markdown summary + JSON block for pipeline consumption:
# Security Scan Report
## Summary
**Status**: ✅ PASS
## OWASP Top 10 Checks
✅ **SQL Injection**: No vulnerabilities found
✅ **XSS**: No vulnerabilities found
✅ **Broken Access Control**: No vulnerabilities found
✅ **Command Injection**: No vulnerabilities found
✅ **SSRF**: No vulnerabilities found
## Secret Scanning
✅ **Hardcoded Secrets**: None found
- TruffleHog: 0 secrets detected
- detect-secrets: 0 new secrets (baseline clean)
## Dependency Vulnerabilities
✅ **Critical**: 0
✅ **High**: 0
⚠️ **Medium**: 3
ℹ️ **Low**: 5
Medium severity vulnerabilities (non-blocking):
- requests 2.25.0 → CVE-2023-12345 (upgrade to 2.31.0+)
- flask 2.0.1 → CVE-2023-67890 (upgrade to 2.3.0+)
- lodash 4.17.19 → CVE-2023-11111 (upgrade to 4.17.21+)
## LLM Security
✅ **Prompt Injection**: No suspicious patterns found
✅ **Excessive Agency**: Rate limits configured
✅ **System Prompt Leakage**: No hardcoded prompts
## Vulnerabilities Found
None - Security scan PASSED ✅
## Recommendations
- Upgrade medium-severity dependencies (non-blocking)
- Consider adding security headers (Content-Security-Policy, X-Frame-Options)
```json
{
"status": "PASS",
"vulnerabilities": [],
"owasp_checks": {
"sql_injection": {"found": 0, "status": "PASS"},
"xss": {"found": 0, "status": "PASS"},
"broken_access_control": {"found": 0, "status": "PASS"},
"command_injection": {"found": 0, "status": "PASS"},
"ssrf": {"found": 0, "status": "PASS"}
},
"secret_scan": {
"secrets_found": 0,
"status": "PASS"
},
"dependency_scan": {
"critical": 0,
"high": 0,
"medium": 3,
"low": 5,
"status": "PASS"
},
"llm_security": {
"prompt_injection_patterns": 0,
"status": "PASS"
}
}
```
## Notes
- CRITICAL vulnerabilities BLOCK deployment
- HIGH vulnerabilities BLOCK deployment
- MEDIUM vulnerabilities warn but don't block
- Secrets are always blocking (no exceptions)
- Follow remediation recommendations before proceeding
- Re-run scan after fixing vulnerabilities