From nexus-agents
Triages, fixes, and resolves security scanning alerts from CodeQL and secret scanning. Applies common vulnerability patches and secret rotation procedures.
Slash command: /nexus-agents:security-scanning
Run when ANY occur:
```bash
# Check CodeQL alerts (open only).
# {owner} and {repo} are gh placeholders filled in from the current repository.
gh api repos/{owner}/{repo}/code-scanning/alerts \
  --jq '[.[] | select(.state == "open")] | length'

# Check secret scanning alerts (open only)
gh api repos/{owner}/{repo}/secret-scanning/alerts \
  --jq '[.[] | select(.state == "open")] | length'
```
Categorize by severity: critical > high > medium > low.
Priority order for CodeQL alert categories:
| Category | Fix Pattern |
|---|---|
| `js/shell-command-constructed-from-input` | Use `execFile()` or validate inputs |
| `js/insecure-randomness` | Replace `Math.random()` with `crypto.randomInt()` |
| `js/biased-cryptographic-random` | Use `crypto.randomInt()` or rejection sampling |
| `js/polynomial-redos` | Bound quantifiers, use `[ \t]*` not `\s*` |
| `js/incomplete-sanitization` | Single-quote shell escaping |
| `js/incomplete-multi-character-sanitization` | Loop-based stripping for unclosed tags |
| `js/missing-rate-limiting` | Add rate limiter middleware |
| `js/incomplete-url-scheme-check` | Zod `.refine()` for HTTP/HTTPS only |
For each alert:
For each secret scanning alert:
- src/testing/test-secrets.ts, dismiss as used_in_tests
- Never commit secrets to resolve alerts — use environment variables.
All fake secrets in test code MUST be obviously fake:
- src/testing/test-secrets.ts (canonical constants: FAKE_OPENAI_KEY, FAKE_GOOGLE_KEY, etc.)
- .rules/test-secrets.md for the full policy
- Why: GitHub secret scanning scans ALL committed blobs (including history) and has NO allowlist config. Gitleaks path exclusions don't help server-side. Values must be self-evidently fake.
Create or update a tracking issue with findings:
```bash
# $'...' quoting turns the \n escapes into real newlines; inside "..." they
# would reach the issue body as literal backslash-n.
gh issue create \
  --title "security: scanning alert review $(TZ='America/New_York' date '+%Y-%m-%d')" \
  --label "security" \
  --body $'## Alert Summary\n\n[counts and categories]\n\n## Actions Taken\n\n[fixes applied]'
```
The system-review skill should include security scanning as Phase 4.5:
Phase 4: Security Audit (npm audit)
Phase 4.5: Code Scanning Review (CodeQL + secret scanning)
Phase 5: Code Quality
Max 5 auto-fixes per session. Beyond that, create issues for tracking.
When triaging an alert or designing a fix, classify the affected surface against this table. The classification determines what action is allowed without escalation. Cross-reference with .rules/untrusted-input.md Tier 1-4 trust system.
- httpOnly, secure, sameSite=lax cookies for sessions
- npm audit (or pnpm audit) before every release — block critical/high
- vendor_publishing_audit MCP tool covers signing infra)
- .env/.pem/.key
- eval() or innerHTML=userInput — full stop
- .rules/untrusted-input.md "comments are hostile by default")

| Excuse | Counter |
|---|---|
| "It's an internal tool, the threat model is lower" | Internal tools become external (acquisitions, partners, leaks). Apply the same boundary discipline. |
| "We'll add validation when we have real users" | The first real user is the attacker. Validation gates ship in the same PR as the input. |
| "The library handles it" | Verify. Library defaults differ from our needs (e.g., default cookie SameSite, default CORS). |
| "I'll fix the audit warning later" | "Later" + "high-severity advisory" = breach. Audit before merge; downgrade severity only with documented mitigation. |
| "We trust this third-party API" | Third-party responses are untrusted data per .rules/untrusted-input.md. Validate shape AND content. |
| "It's a developer-only path" | Privilege boundaries blur. Developer paths get exposed (debug builds shipped, dev creds reused). Lock them down at design time. |
- pnpm audit cross-check
- src/testing/test-secrets.ts (per .rules/test-secrets.md)
- used_in_tests

npx claudepluginhub nexus-substrate/nexus-agents