scan_security
Scan project files for OWASP Top-10 security vulnerabilities using pattern matching. Returns findings with severity, CWE, and file location.
Instructions
Scan project files for OWASP Top-10 security vulnerabilities using pattern matching. Detects SQL injection (CWE-89), XSS (CWE-79), command injection (CWE-78), path traversal (CWE-22), hardcoded secrets (CWE-798), insecure crypto (CWE-327), open redirects (CWE-601), and SSRF (CWE-918). Skips test files. Use for pattern-based security audit. For data-flow-aware analysis use taint_analysis instead. Read-only. Returns JSON: { findings: [{ rule, severity, cwe, file, line, message }], total, summary }.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| rules | Yes | Rules to apply (use ["all"] for full scan) | |
| scope | Yes | Directory to scan (default: whole project) | |
| output_format | No | Output format. "json" (default) returns the native finding shape; "sarif" emits a SARIF 2.1.0 log for GitHub/GitLab/Azure code-scanning ingestion. | |
| severity_threshold | No | Minimum severity to report (default: low) |