Vibe Index
🎯

vulnerability-scanner

🎯Skill

from sickn33/antigravity-awesome-skills

VibeIndex|
AI Summary

Scans and analyzes software vulnerabilities using OWASP principles, mapping attack surfaces and prioritizing risks across project dependencies and infrastructure.

vulnerability-scanner

Installation

Install skill:
npx skills add https://github.com/sickn33/antigravity-awesome-skills --skill vulnerability-scanner
Stars3,663
Last UpdatedJan 26, 2026
View on GitHubBack to Skills

Skill Details

SKILL.md

Advanced vulnerability analysis principles. OWASP 2025, Supply Chain Security, attack surface mapping, risk prioritization.

Overview

# Vulnerability Scanner

> Think like an attacker, defend like an expert. 2025 threat landscape awareness.

πŸ”§ Runtime Scripts

Execute for automated validation:

| Script | Purpose | Usage |

|--------|---------|-------|

| scripts/security_scan.py | Validate security principles applied | python scripts/security_scan.py |

πŸ“‹ Reference Files

| File | Purpose |

|------|---------|

| [checklists.md](checklists.md) | OWASP Top 10, Auth, API, Data protection checklists |

---

1. Security Expert Mindset

Core Principles

| Principle | Application |

|-----------|-------------|

| Assume Breach | Design as if attacker already inside |

| Zero Trust | Never trust, always verify |

| Defense in Depth | Multiple layers, no single point |

| Least Privilege | Minimum required access only |

| Fail Secure | On error, deny access |

Threat Modeling Questions

Before scanning, ask:

  1. What are we protecting? (Assets)
  2. Who would attack? (Threat actors)
  3. How would they attack? (Attack vectors)
  4. What's the impact? (Business risk)

---

2. OWASP Top 10:2025

Risk Categories

| Rank | Category | Think About |

|------|----------|-------------|

| A01 | Broken Access Control | Who can access what? IDOR, SSRF |

| A02 | Security Misconfiguration | Defaults, headers, exposed services |

| A03 | Software Supply Chain πŸ†• | Dependencies, CI/CD, build integrity |

| A04 | Cryptographic Failures | Weak crypto, exposed secrets |

| A05 | Injection | User input β†’ system commands |

| A06 | Insecure Design | Flawed architecture |

| A07 | Authentication Failures | Session, credential management |

| A08 | Integrity Failures | Unsigned updates, tampered data |

| A09 | Logging & Alerting | Blind spots, no monitoring |

| A10 | Exceptional Conditions πŸ†• | Error handling, fail-open states |

2025 Key Changes

```

2021 β†’ 2025 Shifts:

β”œβ”€β”€ SSRF merged into A01 (Access Control)

β”œβ”€β”€ A02 elevated (Cloud/Container configs)

β”œβ”€β”€ A03 NEW: Supply Chain (major focus)

β”œβ”€β”€ A10 NEW: Exceptional Conditions

└── Focus shift: Root causes > Symptoms

```

---

3. Supply Chain Security (A03)

Attack Surface

| Vector | Risk | Question to Ask |

|--------|------|-----------------|

| Dependencies | Malicious packages | Do we audit new deps? |

| Lock files | Integrity attacks | Are they committed? |

| Build pipeline | CI/CD compromise | Who can modify? |

| Registry | Typosquatting | Verified sources? |

Defense Principles

  • Verify package integrity (checksums)
  • Pin versions, audit updates
  • Use private registries for critical deps
  • Sign and verify artifacts

---

4. Attack Surface Mapping

What to Map

| Category | Elements |

|----------|----------|

| Entry Points | APIs, forms, file uploads |

| Data Flows | Input β†’ Process β†’ Output |

| Trust Boundaries | Where auth/authz checked |

| Assets | Secrets, PII, business data |

Prioritization Matrix

```

Risk = Likelihood Γ— Impact

High Impact + High Likelihood β†’ CRITICAL

High Impact + Low Likelihood β†’ HIGH

Low Impact + High Likelihood β†’ MEDIUM

Low Impact + Low Likelihood β†’ LOW

```

---

5. Risk Prioritization

CVSS + Context

| Factor | Weight | Question |

|--------|--------|----------|

| CVSS Score | Base severity | How severe is the vuln? |

| EPSS Score | Exploit likelihood | Is it being exploited? |

| Asset Value | Business context | What's at risk? |

| Exposure | Attack surface | Internet-facing? |

Prioritization Decision Tree

```

Is it actively exploited (EPSS >0.5)?

β”œβ”€β”€ YES β†’ CRITICAL: Immediate action

└── NO β†’ Check CVSS

β”œβ”€β”€ CVSS β‰₯9.0 β†’ HIGH

β”œβ”€β”€ CVSS 7.0-8.9 β†’ Consider asset value

└── CVSS <7.0 β†’ Schedule for later

```

---

6. Exceptional Conditions (A10 - New)

Fail-Open vs Fail-Closed

| Scenario | Fail-Open (BAD) | Fail-Closed (GOOD) |

|----------|-----------------|---------------------|

| Auth error | Allow access | Deny access |

| Parsing fails | Accept input | Reject input |

| Timeout | Retry forever | Limit + abort |

What to Check

  • Exception handlers that catch-all and ignore
  • Missing error handling on security operations
  • Race conditions in auth/authz
  • Resource exhaustion scenarios

---

7. Scanning Methodology

Phase-Based Approach

```

  1. RECONNAISSANCE

└── Understand the target

β”œβ”€β”€ Technology stack

β”œβ”€β”€ Entry points

└── Data flows

  1. DISCOVERY

└── Identify potential issues

β”œβ”€β”€ Configuration review

β”œβ”€β”€ Dependency analysis

└── Code pattern search

  1. ANALYSIS

└── Validate and prioritize

β”œβ”€β”€ False positive elimination

β”œβ”€β”€ Risk scoring

└── Attack chain mapping

  1. REPORTING

└── Actionable findings

β”œβ”€β”€ Clear reproduction steps

β”œβ”€β”€ Business impact

└── Remediation guidance

```

---

8. Code Pattern Analysis

High-Risk Patterns

| Pattern | Risk | Look For |

|---------|------|----------|

| String concat in queries | Injection | "SELECT * FROM " + user_input |

| Dynamic code execution | RCE | eval(), exec(), Function() |

| Unsafe deserialization | RCE | pickle.loads(), unserialize() |

| Path manipulation | Traversal | User input in file paths |

| Disabled security | Various | verify=False, --insecure |

Secret Patterns

| Type | Indicators |

|------|-----------|

| API Keys | api_key, apikey, high entropy |

| Tokens | token, bearer, jwt |

| Credentials | password, secret, key |

| Cloud | AWS_, AZURE_, GCP_ prefixes |

---

9. Cloud Security Considerations

Shared Responsibility

| Layer | You Own | Provider Owns |

|-------|---------|---------------|

| Data | βœ… | ❌ |

| Application | βœ… | ❌ |

| OS/Runtime | Depends | Depends |

| Infrastructure | ❌ | βœ… |

Cloud-Specific Checks

  • IAM: Least privilege applied?
  • Storage: Public buckets?
  • Network: Security groups tightened?
  • Secrets: Using secrets manager?

---

10. Anti-Patterns

| ❌ Don't | βœ… Do |

|----------|-------|

| Scan without understanding | Map attack surface first |

| Alert on every CVE | Prioritize by exploitability + asset |

| Ignore false positives | Maintain verified baseline |

| Fix symptoms only | Address root causes |

| Scan once before deploy | Continuous scanning |

| Trust third-party deps blindly | Verify integrity, audit code |

---

11. Reporting Principles

Finding Structure

Each finding should answer:

  1. What? - Clear vulnerability description
  2. Where? - Exact location (file, line, endpoint)
  3. Why? - Root cause explanation
  4. Impact? - Business consequence
  5. How to fix? - Specific remediation

Severity Classification

| Severity | Criteria |

|----------|----------|

| Critical | RCE, auth bypass, mass data exposure |

| High | Data exposure, privilege escalation |

| Medium | Limited scope, requires conditions |

| Low | Informational, best practice |

---

> Remember: Vulnerability scanning finds issues. Expert thinking prioritizes what matters. Always ask: "What would an attacker do with this?"