scan_security_issues
Scan code files to identify security issues like exposed secrets, vulnerabilities, and insecure coding patterns.
Instructions
Scan code for security issues including secrets, vulnerabilities, and insecure patterns
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| files | Yes | File paths to scan (array of strings) | (none) |
Implementation Reference
- src/tools/code-analysis.ts:6-20 (registration)
  Registers the 'scan_security_issues' tool with name, description, and input schema requiring an array of file paths.

  ```typescript
  {
    name: 'scan_security_issues',
    description: 'Scan code for security issues including secrets, vulnerabilities, and insecure patterns',
    inputSchema: {
      type: 'object',
      properties: {
        files: {
          type: 'array',
          items: { type: 'string' },
          description: 'File paths to scan',
        },
      },
      required: ['files'],
    },
  },
  ```
- src/tools/code-analysis.ts:9-19 (schema)
  Input schema for the tool: an object with a 'files' array of strings.

  ```typescript
  inputSchema: {
    type: 'object',
    properties: {
      files: {
        type: 'array',
        items: { type: 'string' },
        description: 'File paths to scan',
      },
    },
    required: ['files'],
  },
  ```
- src/tools/code-analysis.ts:79-91 (handler)
  Tool handler case: reads the files with FileReader, scans them with SecurityAnalyzer.scanSecurityIssues, and returns per-severity issue counts together with the full issue list.

  ```typescript
  case 'scan_security_issues': {
    const files = params.files as string[];
    const codeFiles = await FileReader.readFiles(files.join(','));
    const issues = await securityAnalyzer.scanSecurityIssues(codeFiles);
    return {
      total: issues.length,
      critical: issues.filter((i) => i.severity === 'critical').length,
      high: issues.filter((i) => i.severity === 'high').length,
      medium: issues.filter((i) => i.severity === 'medium').length,
      low: issues.filter((i) => i.severity === 'low').length,
      issues,
    };
  }
  ```
- src/analyzers/security-analyzer.ts:8-25 (handler)
  Core handler implementation: orchestrates the scan of each code file by calling helper methods for secrets, weak authentication, and permission issues. The dependency check is only a placeholder comment.

  ```typescript
  async scanSecurityIssues(files: CodeFile[] | string[]): Promise<SecurityIssue[]> {
    const codeFiles = await this.getCodeFiles(files);
    const issues: SecurityIssue[] = [];
    for (const file of codeFiles) {
      // Detect hardcoded secrets
      issues.push(...this.detectSecrets(file));
      // Detect weak authentication
      issues.push(...this.detectWeakAuth(file));
      // Detect insecure dependencies (would check package.json in real implementation)
      // Detect permission issues
      issues.push(...this.detectPermissionIssues(file));
    }
    return issues;
  }
  ```
- Helper method to detect hardcoded secrets using regex patterns for passwords, API keys, etc. Each pattern requires a quoted string literal on the right-hand side of `=` or `:`, so values read from the environment are not flagged; a line can match more than one pattern and then produces one issue per match.

  ```typescript
  private detectSecrets(file: CodeFile): SecurityIssue[] {
    const issues: SecurityIssue[] = [];
    const lines = file.content.split('\n');
    // Common secret patterns.
    // Flag 'i' only: a global ('g') regex reused with .test() keeps lastIndex
    // between calls, so the match on the next line could start past its end
    // and be missed.
    const secretPatterns = [
      {
        pattern: /(?:password|passwd|pwd)\s*[=:]\s*["']([^"']+)["']/i,
        type: 'password' as const,
        severity: 'critical' as const,
      },
      {
        pattern: /(?:api[_-]?key|apikey)\s*[=:]\s*["']([^"']+)["']/i,
        type: 'api_key' as const,
        severity: 'critical' as const,
      },
      {
        pattern: /(?:secret|token)\s*[=:]\s*["']([^"']+)["']/i,
        type: 'secret' as const,
        severity: 'high' as const,
      },
      {
        pattern: /(?:aws[_-]?access[_-]?key|aws[_-]?secret)\s*[=:]\s*["']([^"']+)["']/i,
        type: 'aws_credentials' as const,
        severity: 'critical' as const,
      },
      {
        pattern: /(?:private[_-]?key|ssh[_-]?key)\s*[=:]\s*["']([^"']+)["']/i,
        type: 'private_key' as const,
        severity: 'critical' as const,
      },
    ];
    for (let i = 0; i < lines.length; i++) {
      const line = lines[i];
      for (const { pattern, type, severity } of secretPatterns) {
        if (pattern.test(line)) {
          issues.push({
            type: 'secret',
            severity,
            location: `${file.path}:${i + 1}`, // 1-based line number
            description: `Potential hardcoded ${type} detected`,
            recommendation: 'Move secrets to environment variables or secure configuration',
            detectedAt: new Date(),
          });
        }
      }
    }
    return issues;
  }
  ```
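The secret-pattern scan and the handler's severity tally, run end to end over constructed file contents. This is an added, stand-alone example and not the project's code; `scanContent`, `summarize`, `SAMPLE` and `globalFlagPitfall` are names chosen here. It also shows why the patterns must not carry the `g` flag when reused with `.test()`.

```typescript
type Severity = 'critical' | 'high' | 'medium' | 'low';
interface Issue { type: string; severity: Severity; location: string; description: string }

// Same pattern families as the page's detectSecrets, 'i' flag only (see globalFlagPitfall).
const SECRET_PATTERNS: { pattern: RegExp; type: string; severity: Severity }[] = [
  { pattern: /(?:password|passwd|pwd)\s*[=:]\s*["']([^"']+)["']/i, type: 'password', severity: 'critical' },
  { pattern: /(?:api[_-]?key|apikey)\s*[=:]\s*["']([^"']+)["']/i, type: 'api_key', severity: 'critical' },
  { pattern: /(?:secret|token)\s*[=:]\s*["']([^"']+)["']/i, type: 'secret', severity: 'high' },
  { pattern: /(?:aws[_-]?access[_-]?key|aws[_-]?secret)\s*[=:]\s*["']([^"']+)["']/i, type: 'aws_credentials', severity: 'critical' },
  { pattern: /(?:private[_-]?key|ssh[_-]?key)\s*[=:]\s*["']([^"']+)["']/i, type: 'private_key', severity: 'critical' },
];

// Scan one file's text line by line; every matching pattern yields its own issue.
function scanContent(path: string, content: string): Issue[] {
  const issues: Issue[] = [];
  content.split('\n').forEach((line, i) => {
    for (const { pattern, type, severity } of SECRET_PATTERNS) {
      if (pattern.test(line)) {
        issues.push({ type, severity, location: `${path}:${i + 1}`, description: `Potential hardcoded ${type} detected` });
      }
    }
  });
  return issues;
}

// Same per-severity counts the tool handler returns.
function summarize(issues: Issue[]): Record<Severity | 'total', number> {
  const counts = { total: issues.length, critical: 0, high: 0, medium: 0, low: 0 };
  for (const issue of issues) counts[issue.severity]++;
  return counts;
}

// Constructed sample file. Line 2 is a finding; line 3 reads from the environment
// (no quoted literal) and is skipped; line 4 matches both the aws_credentials and the
// generic secret pattern, so the tally counts it twice (critical + high).
const SAMPLE = [
  'import os',
  'DB_PASSWORD = "hunter2"',
  'api_key = os.environ["API_KEY"]',
  "aws_secret: 'AKIA-EXAMPLE-PLACEHOLDER'",
].join('\n');

// A global regex keeps lastIndex after a successful .test(), so the second of two
// matching lines is missed: returns [true, false].
function globalFlagPitfall(): boolean[] {
  const g = /(?:password|passwd|pwd)\s*[=:]\s*["']([^"']+)["']/gi;
  return [g.test('password = "a"'), g.test('password = "b"')];
}

console.log(scanContent('app.py', SAMPLE), summarize(scanContent('app.py', SAMPLE)), globalFlagPitfall());
```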