testing-security

Purpose

This skill automates security testing by integrating DAST tools (OWASP ZAP, Nuclei), SAST tools (Semgrep, Bandit), SCA tools (Snyk, Trivy), and secrets scanners (detect-secrets, TruffleHog) to find vulnerabilities in source code, running applications, and third-party dependencies, and to catch credentials that have been committed to a repository.

When to Use

Use this skill in CI/CD pipelines, as a pre-deployment gate, or for periodic audits. It fits projects with web apps, APIs, or codebases in languages such as Python, Java, or JavaScript, where an injection flaw, a vulnerable dependency, or a committed credential is a realistic path to a breach.

Key Capabilities

  • DAST: Run OWASP ZAP against a running instance (spider plus active scan) to detect issues such as XSS or SQL injection; use Nuclei with its YAML templates, including custom ones, for known-vulnerability and misconfiguration checks. Point active scans only at environments you own or are authorized to test, since they send real attack payloads.
  • SAST: Run Semgrep for pattern-based code analysis with YAML rulesets (registry or custom), or Bandit for Python-specific flaws such as eval(), subprocess calls with shell=True, hard-coded passwords, and weak hashing.
  • SCA: Use Snyk to check dependency manifests, lockfiles, or an SBOM against its vulnerability database for known CVEs; use Trivy for container image and filesystem scanning, covering OS packages and language dependencies, with SBOM generation or scanning as needed.
  • Secrets Detection: Apply detect-secrets to scan the working tree for credential patterns (API keys, tokens, high-entropy strings) and record triaged findings in a baseline file; use TruffleHog to scan Git history, where a secret removed from HEAD still lives in earlier commits. Treat any confirmed secret as compromised and rotate it; deleting it from the repository is not enough.
  • Integration: Combine the tools in one workflow, e.g., run SAST and secrets scans on every code change, SCA on dependency or image builds, and DAST against a staging environment before deployment.
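To make the secrets-detection capability concrete, here is an added example (not code from the skill or from detect-secrets) of the two detector styles such scanners combine: format-specific regexes for known key shapes, and a Shannon-entropy check for random-looking string literals, plus a baseline of hashed secrets so findings a reviewer has already triaged stop re-firing. The sample source file, the detector names, the GitHub and signing-key values, and the 4.0 bits/char threshold are all assumptions constructed for the example; the AWS value is the documentation example key, not a live credential.

```python
"""A small detect-secrets-style scanner: keyword/regex detectors for known key
formats, a Shannon-entropy detector for random-looking string literals, and a
baseline of hashed secrets so already-triaged findings do not re-fire."""
import hashlib
import math
import re
from dataclasses import dataclass

# Constructed sample source file. The AWS value is the documentation example
# key; the GitHub and signing values are made-up strings, not real credentials.
SAMPLE_SOURCE = '''\
import os
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DB_URL = os.environ["DATABASE_URL"]
GITHUB_TOKEN = "ghp_abcdefghijklmnopqrstuvwxyz0123456789"
SIGNING_SECRET = "zY3k9Qp2vL8mN4rT6wB1cX7dF5gH0jK2"
VERSION = "1.2.3"
'''

# Format-specific detectors: the cheapest, lowest-false-positive checks.
KEYWORD_DETECTORS = {
    "AWS Access Key": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "GitHub Token": re.compile(r"\b(gh[pousr]_[A-Za-z0-9]{36})\b"),
}
# Generic detector: any quoted base64/hex-like literal of 20+ chars whose
# character distribution looks random. 4.0 bits/char is an assumed threshold
# between the hex (3.0) and base64 (4.5) defaults detect-secrets uses.
STRING_LITERAL = re.compile(r"""["']([A-Za-z0-9+/=_\-]{20,})["']""")
ENTROPY_THRESHOLD = 4.0


@dataclass(frozen=True)
class Finding:
    detector: str
    line_no: int
    hashed_secret: str  # sha256 of the value; the plaintext is never stored


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for a repeated single char)."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n)
                for c in (s.count(ch) for ch in set(s)))


def hash_secret(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


def scan_text(text: str, baseline: frozenset = frozenset()) -> list:
    """Return findings for text, skipping any whose hash is in baseline."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in KEYWORD_DETECTORS.items():
            for secret in pattern.findall(line):
                findings.append(Finding(name, line_no, hash_secret(secret)))
        for literal in STRING_LITERAL.findall(line):
            if shannon_entropy(literal) >= ENTROPY_THRESHOLD:
                findings.append(Finding("High Entropy String", line_no,
                                        hash_secret(literal)))
    return [f for f in findings if f.hashed_secret not in baseline]


def build_baseline(findings) -> frozenset:
    """Hashes of findings a reviewer has accepted (test fixtures, examples)."""
    return frozenset(f.hashed_secret for f in findings)


if __name__ == "__main__":
    for f in scan_text(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.detector} ({f.hashed_secret[:12]}...)")
```

Note what each detector contributes on the sample: the AWS key is caught only by its regex (its entropy, about 3.7 bits/char, is below the threshold), the GitHub token trips both detectors, and the signing secret is caught only by entropy. Storing hashes rather than plaintext in the baseline is the same design choice detect-secrets makes, so the baseline file can itself be committed without leaking the values it suppresses.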

Usage Patterns

Configure tool credentials through environment variables rather than on the command line or in configuration files committed to the repository (e.g., $ZAP_API_KEY passed to the OWASP ZAP API, $SNYK_TOKEN for Snyk). Start with a baseline scan on a new project to capture and triage the existing findings, then automate the scans in scripts that fail the pipeline on new findings at or above a chosen severity.
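The following is an added example (not part of the skill or of either tool) of the pipeline gate described above: it reads Semgrep and Trivy JSON reports, normalizes their different severity vocabularies onto one scale, and returns the exit code a CI job should use. The report contents are constructed to mirror each tool's JSON layout; the Semgrep rule ids, file paths, and messages are illustrative, and the Trivy entry uses the real CVE-2021-44228 record for log4j-core 2.14.1 so the CRITICAL case is recognizable. The INFO/WARNING/ERROR to LOW/MEDIUM/HIGH mapping and the treatment of Trivy's UNKNOWN as LOW are policy choices assumed here.

```python
"""Merge Semgrep (SAST) and Trivy (SCA) JSON reports into one normalized list
of findings and return the exit code a CI job should use. Report contents are
constructed to mirror each tool's JSON layout; rule ids and paths are
illustrative, the Trivy entry is the real CVE-2021-44228 for log4j-core."""
import json
import sys
from dataclasses import dataclass

# Common severity scale. Semgrep's INFO/WARNING/ERROR is mapped onto it;
# Trivy already reports LOW/MEDIUM/HIGH/CRITICAL (or UNKNOWN).
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
SEMGREP_TO_COMMON = {"INFO": "LOW", "WARNING": "MEDIUM", "ERROR": "HIGH"}

# Constructed reports in the shape the tools emit.
SEMGREP_REPORT = json.dumps({"results": [
    {"check_id": "python.lang.security.audit.eval-detected",
     "path": "app/views.py", "start": {"line": 42},
     "extra": {"severity": "ERROR", "message": "Detected use of eval()"}},
    {"check_id": "python.lang.security.audit.md5-used",
     "path": "app/auth.py", "start": {"line": 10},
     "extra": {"severity": "WARNING", "message": "MD5 used for hashing"}},
]})
TRIVY_REPORT = json.dumps({"Results": [
    {"Target": "app.jar", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2021-44228",
         "PkgName": "org.apache.logging.log4j:log4j-core",
         "InstalledVersion": "2.14.1", "Severity": "CRITICAL"}]},
    {"Target": "config/", "Vulnerabilities": None},  # clean target, no list
]})


@dataclass(frozen=True)
class Finding:
    tool: str
    rule: str
    location: str
    severity: str  # on the common scale


def parse_semgrep(raw: str) -> list:
    report = json.loads(raw)
    return [Finding("semgrep", r["check_id"],
                    f'{r["path"]}:{r["start"]["line"]}',
                    SEMGREP_TO_COMMON.get(r["extra"]["severity"], "LOW"))
            for r in report.get("results") or []]


def parse_trivy(raw: str) -> list:
    report = json.loads(raw)
    findings = []
    for result in report.get("Results") or []:
        for v in result.get("Vulnerabilities") or []:  # key absent/null when clean
            sev = v.get("Severity", "UNKNOWN")
            findings.append(Finding(
                "trivy", v["VulnerabilityID"],
                f'{result["Target"]} {v["PkgName"]}@{v["InstalledVersion"]}',
                sev if sev in SEVERITY_RANK else "LOW"))  # UNKNOWN -> LOW (policy)
    return findings


def blocking(findings, threshold: str) -> list:
    """Findings at or above threshold, most severe first (stable within a level)."""
    floor = SEVERITY_RANK[threshold]
    return sorted((f for f in findings if SEVERITY_RANK[f.severity] >= floor),
                  key=lambda f: -SEVERITY_RANK[f.severity])


def gate(semgrep_raw: str, trivy_raw: str, threshold: str = "HIGH") -> int:
    """Print a summary to stderr and return 1 if anything blocks, else 0."""
    findings = parse_semgrep(semgrep_raw) + parse_trivy(trivy_raw)
    blockers = blocking(findings, threshold)
    for f in blockers:
        print(f"[{f.severity}] {f.tool}: {f.rule} at {f.location}",
              file=sys.stderr)
    print(f"{len(findings)} findings, {len(blockers)} at or above {threshold}",
          file=sys.stderr)
    return 1 if blockers else 0


if __name__ == "__main__":
    # Usage: python gate.py semgrep.json trivy.json [THRESHOLD]
    semgrep_file, trivy_file = sys.argv[1], sys.argv[2]
    level = sys.argv[3] if len(sys.argv) > 3 else "HIGH"
    with open(semgrep_file) as s, open(trivy_file) as t:
        sys.exit(gate(s.read(), t.read(), level))
```

In a real pipeline the two reports would come from `semgrep --config auto --json -o semgrep.json .` and `trivy image --format json -o trivy.json <image>`. Each tool can also fail on its own (Semgrep's `--error`, Trivy's `--exit-code 1 --severity HIGH,CRITICAL`), but a merged gate applies one severity policy across tools and gives one place to add allowlisting with an expiry for accepted risk.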

Installs: 20 | GitHub Stars: 5 | First Seen: Mar 7, 2026