Automated security scanning for dependencies and code. Use when running npm audit, pip-audit, Semgrep, secret detection, or integrating security checks into CI/CD.
Source: yonatangross/skillforge-claude-plugin (orchestkit-complete), January 23, 2026
Install with: `npx add-skill https://github.com/yonatangross/skillforge-claude-plugin/blob/main/./skills/security-scanning/SKILL.md -a claude-code --skill security-scanning`
Installation path: `.claude/skills/security-scanning/`

# Security Scanning
Automate vulnerability detection in code and dependencies.
## Dependency Scanning
### JavaScript (npm)
```bash
# Run the audit once and keep the JSON report (npm audit exits non-zero when vulnerabilities are found)
npm audit --json > security-audit.json || true
# Read severity counts from the saved report instead of re-running the audit
CRITICAL=$(jq '.metadata.vulnerabilities.critical' security-audit.json)
HIGH=$(jq '.metadata.vulnerabilities.high' security-audit.json)
if [ "$CRITICAL" -gt 0 ] || [ "$HIGH" -gt 0 ]; then
  echo "🚨 $CRITICAL critical, $HIGH high vulnerabilities"
fi
# Auto-fix what can be upgraded within existing semver ranges
npm audit fix
```
### Python (pip-audit)
```bash
# pip-audit (PyPA)
pip-audit --format=json > pip-audit-report.json
# Using safety; write to a separate file so it does not overwrite the pip-audit report
safety check --json > safety-report.json
```
## Static Analysis (SAST)
### Semgrep
```bash
# Run with security rules (--config=auto pulls rulesets from the Semgrep registry)
semgrep --config=auto --json > semgrep-results.json
# Count findings; Semgrep severities are ERROR, WARNING and INFO
CRITICAL=$(jq '[.results[] | select(.extra.severity == "ERROR")] | length' semgrep-results.json)
```
### Bandit (Python)
```bash
bandit -r . -f json -o bandit-report.json
# Bandit severities are HIGH, MEDIUM and LOW
HIGH=$(jq '[.results[] | select(.issue_severity == "HIGH")] | length' bandit-report.json)
```
## Secret Detection
```bash
# TruffleHog: --json writes one JSON object per finding (JSON Lines, not a single array)
trufflehog git file://. --json > secrets-scan.json
# Gitleaks: a report file is only written when --report-path is given
gitleaks detect --source . --report-format json --report-path gitleaks-report.json
# Count TruffleHog findings: slurp the JSON Lines into one array before taking its length
SECRET_COUNT=$(jq -s 'length' secrets-scan.json)
if [ "$SECRET_COUNT" -gt 0 ]; then
  echo "🚨 $SECRET_COUNT secrets detected!"
fi
```
## Container Scanning
```bash
# Trivy
trivy image myapp:latest --format json > trivy-scan.json
# Vulnerabilities may be null for a target with no findings, hence the `[]?`
CRITICAL=$(jq '[.Results[].Vulnerabilities[]? | select(.Severity == "CRITICAL")] | length' trivy-scan.json)
```
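A CI gate that reads the JSON each scanner above writes, normalises their different severity fields (npm's `metadata.vulnerabilities` totals, Semgrep's `extra.severity`, Bandit's `issue_severity`, Trivy's `Severity`, TruffleHog's JSON Lines) and fails the build on CRITICAL or HIGH findings. This is an added example, not the skill's own code; the sample reports are constructed inline, and the thresholds, the mapping of Semgrep ERROR to HIGH and the counting of every secret as CRITICAL are assumptions.

```python
import json
import sys
from collections import Counter

# Constructed sample reports in the shape each scanner writes (not real scan output).
NPM_AUDIT = {"metadata": {"vulnerabilities": {"critical": 0, "high": 1, "moderate": 3}}}
SEMGREP = {"results": [{"extra": {"severity": "ERROR"}}, {"extra": {"severity": "WARNING"}}]}
BANDIT = {"results": [{"issue_severity": "HIGH"}, {"issue_severity": "LOW"}]}
TRIVY = {"Results": [{"Vulnerabilities": [{"Severity": "CRITICAL"}]}, {"Vulnerabilities": None}]}
TRUFFLEHOG_JSONL = '{"DetectorName": "AWS", "Verified": true}\n{"DetectorName": "Generic", "Verified": false}\n'

def count_npm_audit(report):
    # npm audit --json: totals live under metadata.vulnerabilities, keyed by lowercase level
    v = report.get("metadata", {}).get("vulnerabilities", {})
    return Counter(CRITICAL=v.get("critical", 0), HIGH=v.get("high", 0))
def count_semgrep(report):
    # semgrep --json: extra.severity is ERROR/WARNING/INFO; ERROR is treated as HIGH (assumption)
    level = {"ERROR": "HIGH", "WARNING": "MEDIUM", "INFO": "LOW"}
    return Counter(level.get(r["extra"]["severity"], "LOW") for r in report["results"])
def count_bandit(report):
    # bandit -f json: issue_severity is already HIGH/MEDIUM/LOW
    return Counter(r["issue_severity"] for r in report["results"])
def count_trivy(report):
    # trivy --format json: Results[].Vulnerabilities may be null for targets with no findings
    return Counter(v["Severity"] for res in report.get("Results", [])
                   for v in (res.get("Vulnerabilities") or []))
def count_trufflehog(jsonl_text):
    # trufflehog --json emits one object per line (JSON Lines), so parse line by line;
    # every finding is counted as CRITICAL here (assumption), verified or not
    findings = [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]
    return Counter(CRITICAL=len(findings))

def gate(counts, max_critical=0, max_high=0):
    # Merge the per-scanner counters and decide pass/fail against the thresholds
    total = Counter()
    for c in counts:
        total.update(c)
    passed = total["CRITICAL"] <= max_critical and total["HIGH"] <= max_high
    return passed, total

def sample_counts():
    return [count_npm_audit(NPM_AUDIT), count_semgrep(SEMGREP), count_bandit(BANDIT),
            count_trivy(TRIVY), count_trufflehog(TRUFFLEHOG_JSONL)]

if __name__ == "__main__":
    ok, total = gate(sample_counts())
    print(f"CRITICAL={total['CRITICAL']} HIGH={total['HIGH']} -> {'PASS' if ok else 'FAIL'}")
    sys.exit(0 if ok else 1)
```

In a pipeline, replace the constructed constants with `json.load()` of the report files the commands above produce and let the non-zero exit code fail the job.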
## Pre-commit Hooks (2026 Best Practice)
Shift-left security by catching issues before commit:
```yaml
# .pre-commit-config.yaml
repos:
  # Secret detection - MUST HAVE
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.18.0
    hooks:
      - id: gitleaks
  # Python security
  - repo: https://github.com/PyCQA/bandit
    rev: 1.7.7
    hooks:
      - id: bandit
        args: ["-c", "pyproject.toml"]
```