---
name: security-scan
description: Security vulnerability scan using the Security Vulnerability Scanner agent workflow. Use when the user says security scan, check for vulnerabilities, security audit, is this secure, OWASP check, or before deploying to production.
---
## Context

- Current branch: !`git branch --show-current`
- Recently modified files: !`git diff --name-only HEAD~5`
## Your Task
Run a security vulnerability scan on the following:
Target: $ARGUMENTS
If no target is specified, scan recently modified files and critical paths (auth, API endpoints, data handling).
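The fallback scope above ("recently modified files and critical paths") can be made mechanical. The following is an added example, not part of the command file: a small POSIX shell filter that takes the output of `git diff --name-only HEAD~5` and keeps only paths under directories that typically hold authentication, API endpoint or data-handling code. The directory-name patterns and the sample file list are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the original command): select scan targets
# from a list of changed files. Input is a newline-separated file list,
# e.g. the output of `git diff --name-only HEAD~5`.

# Path segments treated as "critical paths" (auth, API endpoints, data
# handling). These patterns are an assumption; adjust to your repo layout.
CRITICAL_PATTERN='(^|/)(auth|login|session|api|routes|handlers|models|db|storage)(/|\.|$)'

# critical_paths FILE_LIST -> prints the subset of FILE_LIST that matches
# CRITICAL_PATTERN (case-insensitive). Prints nothing if none match.
critical_paths() {
  printf '%s\n' "$1" | grep -Ei "$CRITICAL_PATTERN" || true
}

# Constructed sample: what `git diff --name-only HEAD~5` might print.
SAMPLE_CHANGES='src/auth/login.py
src/api/users.py
docs/README.md
lib/db/query.rb
assets/logo.png'

# Stand-alone usage: in a real checkout you would pass
# "$(git diff --name-only HEAD~5)" instead of the constructed sample.
critical_paths "$SAMPLE_CHANGES"
```

Files that fall outside the pattern (documentation, static assets) are dropped from the default scope, so the scan budget goes to the code where the listed vulnerability classes actually live; an explicit `$ARGUMENTS` target still overrides this selection.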
## Scan Categories
Systematically analyze for:
- Injection — SQL, NoSQL, command, LDAP, XPath
- Authentication & Session — Weak auth, session fixation, token handling
- XSS — Reflected, stored, DOM-based
- IDOR — Insecure direct object references
- Security Misconfiguration — Default configs, unnecessary features, verbose errors
- Sensitive Data Exposure — Unencrypted data, leaked secrets, excessive logging
- Access Control — Missing authorization, privilege escalation
- CSRF — Cross-site request forgery
- Known Vulnerabilities — Dependencies with CVEs
- Logging & Monitoring — Insufficient audit trails
- Race Conditions — TOCTOU, concurrent access issues
- Cryptographic Weaknesses — Weak algorithms, improper key management
- Path Traversal — File system access control
- Deserialization — Unsafe object deserialization
- SSRF — Server-side request forgery
## Output Format

```markdown
## Security Scan Results

**Scan scope:** [what was scanned]
**Date:** [current date]

### Critical
- [Vulnerability] — `file:line` — [brief description]

### High
- [Vulnerability] — `file:line` — [brief description]

### Medium
- [Vulnerability] — `file:line` — [brief description]

### Low
- [Vulnerability] — `file:line` — [brief description]

---
**Summary:** X critical, X high, X medium, X low issues found.
**Recommendation:** [BLOCK DEPLOY | FIX BEFORE DEPLOY | ACCEPTABLE RISK | CLEAN]
```
Only report actual vulnerabilities, not theoretical concerns. Be specific about location and exploitability. Omit empty severity categories.