renolation/english
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

init

Browse Source
This commit is contained in:
renolation
2026-04-12 01:06:31 +07:00
commit 10d660cbcb
1066 changed files with 228596 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

141
.opencode/skills/security-scan/SKILL.md Normal file
View File

@@ -0,0 +1,141 @@
---
name: ck:security-scan
description: "Scan codebase for security vulnerabilities, hardcoded secrets, dependency issues, and OWASP patterns. Use when asked to 'security scan', 'check for secrets', 'audit security', or before major releases."
argument-hint: "[scope] [--secrets-only] [--deps-only] [--full]"
metadata:
author: claudekit
version: "1.0.0"
---
# Security Scan
Lightweight security scanner using Claude's reasoning + shell tools. No external dependencies required.
## Usage
```
/ck:security-scan # Full scan of current project
/ck:security-scan --secrets-only # Only secret/credential detection
/ck:security-scan --deps-only # Only dependency audit
/ck:security-scan src/api/ # Scan specific directory
```
## Scan Categories
| Category | Method | Speed | Reference |
|----------|--------|-------|-----------|
| Secrets | Grep regex patterns | Fast | `references/secret-patterns.md` |
| Dependencies | `npm audit` / `pip audit` | Medium | Built-in |
| Code patterns | Grep + Claude analysis | Medium | `references/vulnerability-patterns.md` |
## Workflow
### 1. Detect Project Type
```
- Check for package.json → Node.js
- Check for requirements.txt / pyproject.toml → Python
- Check for go.mod → Go
- Check for Cargo.toml → Rust
```
### 2. Secret Scanning (Always runs first)
Load `references/secret-patterns.md` for regex patterns.
Use Grep tool to search for each pattern category:
- API keys and tokens (AWS, GitHub, Stripe, etc.)
- Private keys and certificates
- Database connection strings with credentials
- Hardcoded passwords in code
**Exclude**: `.env.example`, test fixtures, documentation, `node_modules/`, `dist/`
For each match:
- Verify it's a real secret (not a placeholder like `YOUR_API_KEY`)
- Rate severity: CRITICAL (exposed prod key), HIGH (real credential), MEDIUM (possible credential)
### 3. Dependency Audit (If applicable)
Run the appropriate command:
```bash
# Node.js
npm audit --json 2>/dev/null || echo '{"error":"npm audit failed"}'
# Python (if pip-audit available)
pip audit --format json 2>/dev/null || echo '{"error":"pip audit unavailable"}'
```
Parse output, categorize by severity (critical/high/moderate/low).
### 4. Code Pattern Analysis
Load `references/vulnerability-patterns.md` for patterns.
Use Grep tool to search for dangerous patterns:
- SQL injection (string concatenation in queries)
- XSS (innerHTML, dangerouslySetInnerHTML without sanitization)
- Command injection (exec/spawn with unsanitized input)
- Path traversal (user input in file paths)
- Insecure randomness (Math.random for security)
- eval() / Function() with dynamic input
For each match:
- Read surrounding code context (5-10 lines)
- Use Claude reasoning to determine if it's a real vulnerability or false positive
- Rate severity and suggest fix
### 5. .env Exposure Check
```bash
# Check if .env files are tracked by git
git ls-files --error-unmatch .env .env.local .env.production 2>/dev/null
# Check .gitignore for .env patterns
grep -n "\.env" .gitignore 2>/dev/null
```
### 6. Generate Report
Output a markdown report directly in chat:
```markdown
# Security Scan Report
**Project:** {name}
**Scanned:** {date}
**Files checked:** {count}
## Summary
| Category | Critical | High | Medium | Low |
|----------|----------|------|--------|-----|
| Secrets | X | X | X | - |
| Deps | X | X | X | X |
| Code | X | X | X | - |
## Findings
### CRITICAL
1. **[SECRET]** Hardcoded AWS key in `src/config.js:42`
- Pattern: `AKIA[0-9A-Z]{16}`
- Fix: Move to environment variable
### HIGH
...
## Recommendations
1. ...
```
If `--auto` mode active in cook workflow: save report to `{CK_REPORTS_PATH}` or `plans/reports/security-scan-{date}.md`.
## Scope Declaration
This skill handles: Secret detection, dependency auditing, common vulnerability patterns.
This skill does NOT handle: Penetration testing, runtime security analysis, infrastructure security, compliance audits.
## Security Policy
- NEVER output actual secret values in reports — redact to first 4 + last 2 chars
- NEVER execute secrets or credentials found during scanning
- NEVER modify code automatically — only report findings with fix suggestions
- If a real credential is found, recommend immediate rotation

77
.opencode/skills/security-scan/references/secret-patterns.md Normal file
View File

@@ -0,0 +1,77 @@
# Secret Detection Patterns
Grep patterns for detecting hardcoded secrets. Use with Grep tool, exclude test/example files.
## High Confidence (Structured format, low false positive)
### AWS
```
AKIA[0-9A-Z]{16}
```
### GitHub (Classic + Fine-grained)
```
gh[pousr]_[A-Za-z0-9_]{36,255}
github_pat_[A-Za-z0-9_]{22,}
```
### Stripe
```
sk_live_[0-9a-zA-Z]{24,}
rk_live_[0-9a-zA-Z]{24,}
```
### Slack
```
xox[baprs]-[0-9a-zA-Z-]{10,}
```
### Google Cloud
```
AIza[0-9A-Za-z_-]{35}
```
### Anthropic
```
sk-ant-[A-Za-z0-9_-]{40,}
```
### Private Keys
```
-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----
```
### JWT / Bearer Tokens (in code, not headers)
```
eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}
```
## Medium Confidence (Need context verification)
### Generic API Keys
```
(?i)(api[_-]?key|apikey|api[_-]?secret)\s*[:=]\s*['"][A-Za-z0-9/+=]{16,}['"]
```
### Database URLs
```
(?i)(postgres|mysql|mongodb|redis)://[^:]+:[^@]+@
```
### Passwords in Code
```
(?i)(password|passwd|pwd)\s*[:=]\s*['"][^'"]{8,}['"]
```
### Generic Secrets
```
(?i)(secret|token|credential)\s*[:=]\s*['"][A-Za-z0-9/+=]{16,}['"]
```
## Exclusion Patterns
Skip matches in these contexts:
- Files: `*.example`, `*.test.*`, `*.spec.*`, `*.md`, `*.txt`
- Directories: `node_modules/`, `dist/`, `vendor/`, `__pycache__/`
- Content: Lines containing `TODO`, `FIXME`, `YOUR_`, `REPLACE_`, `xxx`, `placeholder`
- Content: Variable declarations without actual values (`= process.env.`, `= os.getenv(`)

105
.opencode/skills/security-scan/references/vulnerability-patterns.md Normal file
View File

@@ -0,0 +1,105 @@
# Vulnerability Code Patterns
Grep patterns for detecting common vulnerability patterns. Use with Grep tool.
## SQL Injection
### String concatenation in queries
```
(?i)(query|sql|execute)\s*\(.*\+.*\)
(?i)(SELECT|INSERT|UPDATE|DELETE|DROP).*['"].*\+
```
### Template literals in queries (JS/TS)
```
(?i)(query|sql|execute)\s*\(`.*\$\{
```
## XSS (Cross-Site Scripting)
### Dangerous DOM manipulation
```
\.innerHTML\s*=
dangerouslySetInnerHTML
document\.write\(
```
### Unescaped output (template engines)
```
\{\{\{ # Handlebars unescaped (triple braces)
<%-\s* # EJS unescaped (vs <%= escaped)
\|safe\b # Jinja2/Django unescaped
v-html= # Vue unescaped
```
## Command Injection
### Unsanitized exec/spawn
```
(?i)(exec|execSync|spawn|spawnSync)\s*\(.*\+
(?i)(exec|execSync|spawn|spawnSync)\s*\(`.*\$\{
(?i)child_process.*\(.*\$\{
os\.system\(.*\+
subprocess\.(call|run|Popen)\(.*\+
```
## Path Traversal
### User input in file paths
```
(?i)(readFile|writeFile|createReadStream|open)\s*\(.*req\.(params|query|body)
(?i)(readFile|writeFile)\s*\(.*\+.*\)
```
## Insecure Randomness
### Math.random for security
```
Math\.random\(\).*(?i)(token|key|secret|password|session|nonce|salt)
```
## Dangerous Functions
### eval and equivalents
```
\beval\s*\(
new\s+Function\s*\(
setTimeout\s*\(\s*['"]
setInterval\s*\(\s*['"]
```
### Deserialization
```
(?i)(pickle\.loads|yaml\.load\(|unserialize\()
JSON\.parse\(.*req\.(params|query|body)
```
## Authentication / Authorization
### Hardcoded credentials
```
(?i)(admin|root|password)\s*[:=]\s*['"][^'"]{4,}['"]
```
### Disabled security
```
(?i)(verify|ssl|tls|certificate)\s*[:=]\s*(false|False|0)
(?i)rejectUnauthorized\s*:\s*false
NODE_TLS_REJECT_UNAUTHORIZED.*0
```
## Information Disclosure
### Debug/verbose in production
```
(?i)console\.(log|debug|trace)\s*\(.*(?:password|secret|token|key|credential)
(?i)(DEBUG|VERBOSE)\s*[:=]\s*(true|True|1)
```
## False Positive Indicators
Skip matches containing:
- `test`, `spec`, `mock`, `fixture`, `example`, `sample`, `demo`
- `TODO`, `FIXME`, `HACK`
- Variable declarations reading from env: `process.env.`, `os.getenv(`
- Comments (lines starting with `//`, `#`, `/*`)