Run any Skill in Manus with one click

Get Started

pentest-code

Code security testing — SAST, SCA, secret detection, container scanning, IaC analysis

Run Skill in Manus

Overview

Code security testing — SAST, SCA, secret detection, container scanning, IaC analysis

Install command

npx skills add https://github.com/TheophilusChinomona/athena-pentest --skill pentest-code

Copy and paste this command into Claude Code to install the skill

Source

TheophilusChinomona/athena-pentest

Stars0

Forks0

UpdatedApril 20, 2026 at 09:56

SKILL.md

readonly

Code Security Testing Skill

Static and software composition analysis for finding vulnerabilities in source code, dependencies, containers, and infrastructure-as-code.

Trigger Conditions

User asks to scan a repo/codebase for security issues
User says "security audit", "code scan", "find vulnerabilities in my code"
Part of a broader security assessment
CI/CD pipeline security check

Prerequisites

Target: path to codebase, git repo URL, or container image
Tools: semgrep, trufflehog, gitleaks, grype, trivy, checkov, bandit, osv-scanner

Phase 1: Secret Detection

1.1 TruffleHog (Deep Scan)

# Scan git repo (full history)
trufflehog git file://{repo_path} --only-verified --json > /tmp/scan/{target}/trufflehog.json

# Scan filesystem
trufflehog filesystem {repo_path} --only-verified --json > /tmp/scan/{target}/trufflehog-fs.json

# Scan specific file types
trufflehog filesystem {repo_path} --include-detectors=aws,gcp,azure,github,gitlab,slack,discord --json

1.2 Gitleaks (Fast Git Scan)

# Scan current state
gitleaks detect --source {repo_path} --report-path /tmp/scan/{target}/gitleaks.json --report-format json

# Scan full git history
gitleaks detect --source {repo_path} --log-opts=--all --report-path /tmp/scan/{target}/gitleaks-history.json --report-format json

# Pre-commit scan
gitleaks protect --source {repo_path} --staged

1.3 Manual Patterns

# Common secret patterns in code
grep -rn --include="*.{js,ts,py,go,yaml,yml,json,env,conf,cfg,ini,toml}" \
  -iE '(api[_-]?key|secret[_-]?key|password|token|aws[_-]?access|private[_-]?key)\s*[:=]\s*["\x27][^\s"'\'']{8,}' \
  {repo_path} > /tmp/scan/{target}/grep-secrets.txt

# .env files
find {repo_path} -name ".env*" -not -path "*/node_modules/*" -not -path "*/.git/*" \
  -exec echo "=== {} ===" \; -exec cat {} \; > /tmp/scan/{target}/env-files.txt

Phase 2: SAST — Static Application Security Testing

2.1 Semgrep (Multi-Language)

# Auto-detect language and scan with default rules
semgrep scan {repo_path} --config auto --json -o /tmp/scan/{target}/semgrep-auto.json

# OWASP Top 10 focused rules
semgrep scan {repo_path} --config "p/owasp-top-ten" --json -o /tmp/scan/{target}/semgrep-owasp.json

# Language-specific rules
semgrep scan {repo_path} --config "p/javascript" --json -o /tmp/scan/{target}/semgrep-js.json
semgrep scan {repo_path} --config "p/python" --json -o /tmp/scan/{target}/semgrep-python.json
semgrep scan {repo_path} --config "p/golang" --json -o /tmp/scan/{target}/semgrep-go.json

# Security-specific rules
semgrep scan {repo_path} --config "p/security-audit" --config "p/secrets" --json -o /tmp/scan/{target}/semgrep-security.json

# Custom rules for project-specific patterns
semgrep scan {repo_path} --config {custom_rules_path} --json

2.2 Bandit (Python-Specific)

bandit -r {repo_path} -f json -o /tmp/scan/{target}/bandit.json --severity-level medium

2.3 ESLint Security (JavaScript/TypeScript)

cd {repo_path}
npx eslint . --ext .js,.jsx,.ts,.tsx --plugin security --format json > /tmp/scan/{target}/eslint-security.json 2>/dev/null

Phase 3: SCA — Software Composition Analysis

3.1 Grype (Universal)

# Scan directory for dependency files
grype dir:{repo_path} -o json > /tmp/scan/{target}/grype.json

# Scan specific ecosystems
grype dir:{repo_path}/package.json -o json
grype dir:{repo_path}/requirements.txt -o json
grype dir:{repo_path}/go.mod -o json
grype dir:{repo_path}/Gemfile -o json

3.2 OSV-Scanner (Google)

osv-scanner --format json -r {repo_path} > /tmp/scan/{target}/osv.json 2>/dev/null

3.3 NPM Audit (Node.js)

cd {repo_path}
npm audit --json > /tmp/scan/{target}/npm-audit.json 2>/dev/null
npm audit --omit=dev --json > /tmp/scan/{target}/npm-audit-prod.json 2>/dev/null

3.4 Pip-Audit (Python)

pip-audit -r {repo_path}/requirements.txt -f json -o /tmp/scan/{target}/pip-audit.json 2>/dev/null || \
pip-audit -f json -o /tmp/scan/{target}/pip-audit.json 2>/dev/null

Phase 4: Container Scanning

4.1 Trivy (Container Image)

# Scan image
trivy image {image_name} --format json -o /tmp/scan/{target}/trivy-image.json

# Scan with severity filter
trivy image {image_name} --severity CRITICAL,HIGH --format json -o /tmp/scan/{target}/trivy-critical.json

# Scan Dockerfile
trivy config {repo_path}/Dockerfile --format json -o /tmp/scan/{target}/trivy-dockerfile.json

4.2 Grype (Container Image)

grype {image_name} -o json > /tmp/scan/{target}/grype-image.json

Phase 5: IaC Scanning

5.1 Checkov (Multi-IaC)

# Auto-detect IaC files
checkov -d {repo_path} --output json --output-file-path /tmp/scan/{target}/checkov.json

# Docker-specific
checkov -f {repo_path}/docker-compose.yml --output json --output-file-path /tmp/scan/{target}/checkov-docker.json
checkov -f {repo_path}/Dockerfile --output json --output-file-path /tmp/scan/{target}/checkov-dockerfile.json

# Terraform-specific
checkov -d {repo_path}/terraform/ --output json --output-file-path /tmp/scan/{target}/checkov-tf.json

# Kubernetes-specific
checkov -d {repo_path}/k8s/ --output json --output-file-path /tmp/scan/{target}/checkov-k8s.json

5.2 Trivy (IaC)

trivy config {repo_path} --format json -o /tmp/scan/{target}/trivy-iac.json

Phase 6: License Compliance

# NPM licenses
cd {repo_path}
license-checker --json --out /tmp/scan/{target}/npm-licenses.json 2>/dev/null

# Python licenses
pip-licenses --format=json --with-urls > /tmp/scan/{target}/pip-licenses.json 2>/dev/null

Phase 7: Results Aggregation

Compile all findings into a unified report:

# Merge all JSON results
jq -s '{ 
  secrets: (.[0] // {}),
  sast: (.[1] // {}),
  dependencies: (.[2] // {}),
  container: (.[3] // {}),
  iac: (.[4] // {})
}' /tmp/scan/{target}/trufflehog.json \
   /tmp/scan/{target}/semgrep-auto.json \
   /tmp/scan/{target}/grype.json \
   /tmp/scan/{target}/trivy-image.json \
   /tmp/scan/{target}/checkov.json \
   > /tmp/scan/{target}/combined-findings.json

Severity Classification

Severity	Criteria
Critical	Hardcoded production secrets, RCE vulnerabilities, known exploited CVEs in dependencies
High	SQL injection patterns, auth bypass, vulnerable dependencies with known exploits
Medium	Missing input validation, weak crypto, outdated dependencies with theoretical CVEs
Low	Code quality issues, missing headers, verbose errors
Info	Best practices, license warnings, non-critical findings

Report Template

# Code Security Audit: {repo_name}
## Date: {date}

### Summary
| Category | Critical | High | Medium | Low |
|----------|----------|------|--------|-----|
| Secrets | {n} | | | |
| SAST | | {n} | {n} | |
| Dependencies | | {n} | {n} | |
| Container | | {n} | {n} | |
| IaC | | {n} | {n} | |

### Critical Findings
1. **{title}** — {file}:{line}
   - Category: {secret/sast/sca}
   - Description: {detail}
   - Remediation: {fix}

### Detailed Findings
...

Output Structure

/tmp/scan/{target}/
├── trufflehog.json
├── gitleaks.json
├── grep-secrets.txt
├── semgrep-auto.json
├── semgrep-owasp.json
├── bandit.json
├── grype.json
├── osv.json
├── npm-audit.json
├── pip-audit.json
├── trivy-image.json
├── trivy-iac.json
├── checkov.json
├── npm-licenses.json
├── combined-findings.json
└── code-audit-report.md

Safety

Secrets found should be reported and rotated immediately
Never commit real secrets to the scan results
Share findings only with authorized parties
Redact sensitive values in reports

name	pentest-code
description	Code security testing — SAST, SCA, secret detection, container scanning, IaC analysis

pentest-code

More from this repository

More from this repository

Code Security Testing Skill

Trigger Conditions

Prerequisites

Phase 1: Secret Detection

1.1 TruffleHog (Deep Scan)

1.2 Gitleaks (Fast Git Scan)

1.3 Manual Patterns

Phase 2: SAST — Static Application Security Testing

2.1 Semgrep (Multi-Language)

2.2 Bandit (Python-Specific)

2.3 ESLint Security (JavaScript/TypeScript)

Phase 3: SCA — Software Composition Analysis

3.1 Grype (Universal)

3.2 OSV-Scanner (Google)

3.3 NPM Audit (Node.js)

3.4 Pip-Audit (Python)

Phase 4: Container Scanning

4.1 Trivy (Container Image)

4.2 Grype (Container Image)

Phase 5: IaC Scanning

5.1 Checkov (Multi-IaC)

5.2 Trivy (IaC)

Phase 6: License Compliance

Phase 7: Results Aggregation

Severity Classification

Report Template

Output Structure

Safety

Code Security Testing Skill

Trigger Conditions

Prerequisites

Phase 1: Secret Detection

1.1 TruffleHog (Deep Scan)

1.2 Gitleaks (Fast Git Scan)

1.3 Manual Patterns

Phase 2: SAST — Static Application Security Testing

2.1 Semgrep (Multi-Language)

2.2 Bandit (Python-Specific)

2.3 ESLint Security (JavaScript/TypeScript)

Phase 3: SCA — Software Composition Analysis

3.1 Grype (Universal)

3.2 OSV-Scanner (Google)

3.3 NPM Audit (Node.js)

3.4 Pip-Audit (Python)

Phase 4: Container Scanning

4.1 Trivy (Container Image)

4.2 Grype (Container Image)

Phase 5: IaC Scanning

5.1 Checkov (Multi-IaC)

5.2 Trivy (IaC)

Phase 6: License Compliance

Phase 7: Results Aggregation

Severity Classification

Report Template

Output Structure

Safety