ialameh/sift-coder
siftcoder
skills/security-scanner/SKILL.md
January 24, 2026
# Security Scanner Skill

Comprehensive security analysis for codebases.

## Invocation

This skill is invoked by `/siftcoder:security` or when security analysis is needed.

## Capabilities

### 1. Secret Detection

Detect leaked secrets using pattern matching:

**Supported Providers (50+):**

| Category | Patterns |
|----------|----------|
| AWS | Access Key ID, Secret Access Key, Session Token |
| GCP | Service Account Key, API Key |
| Azure | Storage Key, Connection String, SAS Token |
| GitHub | Personal Access Token, OAuth Token |
| Stripe | Secret Key, Publishable Key, Webhook Secret |
| Twilio | Account SID, Auth Token |
| SendGrid | API Key |
| Slack | Bot Token, Webhook URL |
| Discord | Bot Token, Webhook |
| Database | PostgreSQL, MySQL, MongoDB, Redis URLs |
| Generic | API keys, passwords, tokens, private keys |

**Detection Process:**

```
1. Load secret patterns (regex + entropy)
2. Scan all text files (exclude binaries, node_modules, etc.)
3. For each match:
   a. Verify it's not a false positive (test keys, examples)
   b. Calculate entropy (high entropy = more likely real)
   c. Check if in .gitignore (still report but lower priority)
   d. Extract context (surrounding code)
4. Deduplicate findings
5. Sort by severity
```

**False Positive Reduction:**

- Skip files in .gitignore
- Detect test/example patterns (AKIAEXAMPLE, test_key, etc.)
- Check for placeholder patterns (YOUR_KEY_HERE, xxx, etc.)
- Entropy analysis (random strings vs. readable text)

---

### 2. Dependency Vulnerability Scanning

**Supported Package Managers:**

| Manager | Lock File | Database |
|---------|-----------|----------|
| npm | package-lock.json | npm audit / OSV |
| yarn | yarn.lock | yarn audit / OSV |
| pnpm | pnpm-lock.yaml | pnpm audit / OSV |
| pip | requirements.txt, Pipfile.lock | pip-audit / OSV |
| poetry | poetry.lock | pip-audit / OSV |
| go | go.sum | govulncheck / OSV |
| cargo | Cargo.lock | cargo-audit / OSV |
| composer | composer.lock | Symfony checker |
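As an added example (not the skill's own code), a minimal Python version of the Secret Detection process in section 1: regex patterns for two of the categories, Shannon entropy scoring, the test-key/placeholder filter, deduplication and severity sort, run over constructed sample lines. The pattern set, the entropy threshold and every key-looking value in the sample are assumptions made up for illustration.

```python
import math
import re
from collections import namedtuple
Finding = namedtuple("Finding", "severity kind line_no match entropy")

# Hypothetical pattern set (two categories, not the skill's full 50+ list).
PATTERNS = {
    "aws_access_key_id": (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "high"),
    "generic_secret": (re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]?"
        r"([A-Za-z0-9+/_\-]{20,})"), "medium"),
}
# Test/example and placeholder markers the process discounts (step 3a).
PLACEHOLDERS = re.compile(r"(?i)EXAMPLE|YOUR_KEY_HERE|test_key|x{3,}|changeme")
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}

def shannon_entropy(s: str) -> float:
    """Bits per character; random tokens score higher than readable text."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan_text(text: str, min_entropy: float = 3.5) -> list:
    """Steps 1-5 of the detection process: match, filter, score, dedupe, sort."""
    seen, findings = set(), []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, (pattern, severity) in PATTERNS.items():
            for m in pattern.finditer(line):
                token = m.group(1) if m.groups() else m.group(0)
                if PLACEHOLDERS.search(token):  # 3a: obvious test/example value
                    continue
                ent = shannon_entropy(token)
                if ent < min_entropy:  # 3b: readable text is unlikely to be a secret
                    continue
                if (kind, token) in seen:  # 4: the same secret is reported once
                    continue
                seen.add((kind, token))
                findings.append(Finding(severity, kind, line_no, token, round(ent, 2)))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.line_no))  # 5

# Constructed sample file contents; every key-looking value here is made up.
SAMPLE = """\
aws_key = "AKIAEXAMPLE000000000"
password = "password_password_password"
AWS_ACCESS_KEY_ID=AKIAQ7W2J4K9L1M3N5P8
api_key: sk_Zx9Qw2Lm4Pr7Tv0Nb3Kd6Hf8Jg1
AWS_ACCESS_KEY_ID=AKIAQ7W2J4K9L1M3N5P8
"""
```

Calling `scan_text(SAMPLE)` reports the AWS key (line 3, high) once and the generic token (line 4, medium); the EXAMPLE key is dropped as a test value and the readable password by the entropy check.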