with one click
sc-recon
Codebase discovery and architecture mapping for security analysis
Install with Codex or Claude Copy this prompt, paste it into Codex, Claude, or another assistant, and let it review the skill page and install it for you.
Menu
Codebase discovery and architecture mapping for security analysis
Install with Codex or Claude Copy this prompt, paste it into Codex, Claude, or another assistant, and let it review the skill page and install it for you.
Based on SOC occupation classification
Comprehensive AI-powered security scanning suite with 48 skills covering OWASP Top 10, 7 language-specific deep scanners (Go, TypeScript, Python, PHP, Rust, Java, C#), supply chain analysis, infrastructure-as-code scanning, and 3000+ checklist items. Use when you need to run a security audit, find vulnerabilities, scan a PR for security issues, or perform a penetration test on a codebase.
C#/.NET-specific security deep scan
Go-specific security deep scan
Java/Kotlin-specific security deep scan
PHP-specific security deep scan
Python-specific security deep scan
| name | sc-recon |
| description | Codebase discovery and architecture mapping for security analysis |
| license | MIT |
| metadata | {"author":"ersinkoc","category":"security","version":"1.0.0"} |
The reconnaissance skill is the foundation of the entire security-check pipeline. It maps the codebase architecture, identifies all technologies in use, traces data flow paths, and catalogs entry points and trust boundaries. Its output determines which subsequent skills are activated and provides critical context for accurate vulnerability detection.
First skill executed in Phase 1 of the pipeline. Runs before all other skills.
File: security-report/architecture.md
Identify all technologies by examining:
Languages:
.go, .ts, .tsx, .js, .jsx, .py, .php, .rs, .java, .kt, .cs, .rb, .swift, .c, .cppFrameworks:
gin, echo, fiber, chi, gorilla/mux, net/http in importspackage.json for react, next, express, fastify, nestjs, vue, angular, svelterequirements.txt/pyproject.toml for django, flask, fastapi, tornado, starlettecomposer.json for laravel/framework, symfony, wordpressCargo.toml for actix-web, axum, rocket, warp, tokiopom.xml/build.gradle for spring-boot, quarkus, micronaut, jakarta.csproj for Microsoft.AspNetCore, Blazor, MAUIBuild Tools & Package Managers:
package.json / pnpm-workspace.yaml / turbo.json → Node.js ecosystemgo.mod / go.sum → Go modulesCargo.toml / Cargo.lock → Rust/Cargorequirements.txt / pyproject.toml / Pipfile / poetry.lock → Pythoncomposer.json / composer.lock → PHP/Composerpom.xml / build.gradle / build.gradle.kts → Java/Maven/Gradle*.csproj / *.sln / nuget.config → .NETDatabases:
Determine the application type based on detected patterns:
| Type | Indicators |
|---|---|
| Web Application | HTML templates, static assets, frontend framework, server-side rendering |
| REST API | Route definitions, JSON response handlers, OpenAPI/Swagger spec |
| GraphQL API | Schema definitions (.graphql), resolvers, Apollo/Yoga config |
| gRPC Service | .proto files, gRPC server setup |
| CLI Tool | Argument parsers (cobra, click, yargs), main entry without HTTP server |
| Library/Package | Public API exports, no main entry, published package config |
| Microservice | Small scope, message queue consumers, service mesh config |
| Monolith | Large codebase, multiple domains, shared database |
| Serverless | Lambda handlers, serverless.yml, CloudFormation templates |
| Desktop App | Electron, Tauri, .NET MAUI, WPF references |
Catalog all entry points where external input enters the system:
HTTP Routes:
CLI Commands:
Message Consumers:
Scheduled Tasks:
WebSocket Endpoints:
File Watchers / Event Handlers:
Trace the path of user input through the system:
Source identification — where external data enters:
Processing identification — how data is transformed:
Sink identification — where data is consumed in security-sensitive operations:
Identify security control points:
Authentication:
Rate Limiting:
Input Validation:
CSRF Protection:
CORS Configuration:
Map all external service connections:
Determine the authentication model:
| Pattern | Indicators |
|---|---|
| Session-based | Session middleware, cookie config, session store |
| JWT | JWT library imports, token sign/verify calls |
| OAuth 2.0 | OAuth provider config, callback handlers, token exchange |
| API Key | Header/query param key extraction, key validation |
| mTLS | Certificate loading, TLS client auth config |
| Basic Auth | Base64 credential parsing, WWW-Authenticate header |
| SSO/SAML | SAML assertion processing, IdP configuration |
Document:
Identify security-sensitive files and paths:
Configuration files:
.env, .env.production, .env.localconfig.json, config.yaml, settings.py, application.propertiesappsettings.json, web.configSensitive paths:
/admin, /debug, /metrics, /health/.git, /.env, /backup/swagger, /graphql, /api-docs)Deployment files:
Dockerfile, docker-compose.ymlkubernetes/, k8s/, helm/terraform/, *.tf.github/workflows/, .gitlab-ci.ymlCatalog existing security measures:
Produce a definitive list of detected languages that determines which sc-lang-* skills run in Phase 2:
## Detected Languages
- Go (45% of codebase) → activates sc-lang-go
- TypeScript (35% of codebase) → activates sc-lang-typescript
- Python (20% of codebase, scripts/tools only) → activates sc-lang-python
The output file security-report/architecture.md must contain all 10 sections above with concrete findings specific to the scanned codebase. Each section should include file paths and line references where applicable.