/vt-c-security-scan

Run focused security audit on codebase or specific files

Plugin: core-standards
Usage: /vt-c-security-scan [--scope staged|all|path] [--severity critical|all]


Security Scan

Run comprehensive security analysis using the security-sentinel agent.

What This Scans

OWASP API Security Top 10

  • Broken Object Level Authorization
  • Broken Authentication
  • Broken Object Property Level Authorization
  • Unrestricted Resource Consumption
  • Broken Function Level Authorization
  • Server-Side Request Forgery
  • Security Misconfiguration
  • Lack of Protection from Automated Threats
  • Improper Asset Management
  • Unsafe Consumption of APIs

Additional Checks

  • SQL Injection patterns
  • XSS vulnerabilities
  • Hardcoded secrets and credentials
  • Insecure dependencies (npm audit)
  • Missing input validation
  • Improper error handling (information disclosure)

Usage

# Scan staged changes
/vt-c-security-scan

# Scan entire codebase
/vt-c-security-scan --scope all

# Scan specific path
/vt-c-security-scan --scope src/api/

# Only show critical findings
/vt-c-security-scan --severity critical

Output Format

## Security Scan Results

### 🔴 Critical (1 finding)
1. **SQL Injection Risk**
   - File: src/api/users.ts:42
   - Pattern: Raw query with user input
   - Fix: Use parameterized queries

### 🟡 High (2 findings)
...

### 🟠 Medium (3 findings)
...

### Dependencies
- npm audit: 2 vulnerabilities found
- Run: npm audit fix

Configuration Security Audit

In addition to code-level scanning, /vt-c-security-scan audits Claude Code configuration files against the security baseline (configs/security/baseline-settings.json).

What This Audits

  1. Deny Rule Coverage — Compares settings files against the 11 baseline categories (expanded in SPEC-114):
       • Network exfiltration (curl, wget, nc, ncat, netcat, WebFetch)
       • Credential file access (~/.ssh, ~/.aws, .env variants, secrets/, credentials.*, Grep/Glob mirrors)
       • Destructive commands (rm -rf, sudo, mkfs, dd, chmod 777)
       • Shell config modification (~/.bashrc, ~/.zshrc, ~/.profile)
       • Untrusted package execution (npx -y, pip install --index-url, npm publish, .npmrc/.pypirc)
       • Git safety (git push --force, reset --hard, clean -f) — NEW
       • Code execution (python -c, node -e, perl -e) — NEW
       • Database destructive (DROP DATABASE, ORM destructive) — NEW
       • Infrastructure (terraform destroy, kubectl delete namespace) — NEW
       • Self-modification protection (~/.claude/settings.json, global CLAUDE.md) — NEW
       • Agent governance (--dangerously-skip-permissions, crontab) — NEW

  2. MCP Server Configuration — Inventories MCP server settings:
       • Flags enableAllProjectMcpServers: true as a security warning
       • Reports explicitly whitelisted servers (allowedMcpServers, enabledMcpjsonServers)
       • Counts total configured MCP servers

  3. Hook Inventory — Lists all hook definitions with trust assessment:
       • Hooks in configs/user-global/settings.json — compared against approved set in configs/security/SECURITY-CONFIG.md
       • Hooks in .claude/settings.json (project-level) — flagged if unexpected

  4. Env Secret Detection — Scans "env" values in settings for secret patterns:
       • Prefix patterns: sk-, ghp_, ghs_, AKIA, Bearer
       • Key name patterns: *_KEY, *_SECRET, *_TOKEN, *_PASSWORD

Settings Files Checked

File                                       Scope
.claude/settings.json                      Project-level settings
configs/user-global/settings.json          User-level template (toolkit-managed)
configs/user-global/settings.local.json    Local overrides (not committed)

Note: managed-settings.json (OS-level) cannot be read from within a session. See configs/security/SECURITY-CONFIG.md for a manual audit checklist.

Configuration Security Output Format

Configuration Security
──────────────────────────────────────────
  Deny Rules:     9/11 categories covered
    Missing: Database Destructive, Infrastructure
  MCP Servers:    Whitelisted (2 servers)
  Hooks:          4 trusted, 0 unknown
  Env Secrets:    None detected
──────────────────────────────────────────

Findings from this section appear after code-level findings in the report. Severity levels:

  • Critical: Env secrets detected, enableAllProjectMcpServers: true
  • High: Zero deny rules with settings files present, unknown hooks detected
  • Medium: Partial deny rule coverage (1-10 of 11 categories)
  • Info: Full coverage, all hooks trusted
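A sketch of three of these configuration checks (env secret detection, the enableAllProjectMcpServers flag, and the zero-deny-rules case) with the severities listed above. This is an added example, not the plugin's own code; the function name, the permissions.deny location of deny rules, and the sample settings are assumptions.

```python
import json
import re

# Patterns as listed on this page under "Env Secret Detection".
VALUE_PREFIXES = ("sk-", "ghp_", "ghs_", "AKIA", "Bearer")
KEY_NAME_RE = re.compile(r".*_(KEY|SECRET|TOKEN|PASSWORD)$")


def audit_settings(settings):
    """Return (severity, message) findings for one parsed settings file."""
    findings = []
    for name, value in (settings.get("env") or {}).items():
        value = "" if value is None else str(value)
        reasons = []
        if value.startswith(VALUE_PREFIXES):
            reasons.append("value prefix")
        if value and KEY_NAME_RE.match(name):  # empty values are not secrets
            reasons.append("key name")
        if reasons:
            # Report the variable name only; never echo the value into a report.
            findings.append(("Critical", f"env secret: {name} ({', '.join(reasons)})"))
    if settings.get("enableAllProjectMcpServers") is True:
        findings.append(("Critical", "enableAllProjectMcpServers: true"))
    # Assumption: deny rules are the list stored at permissions.deny.
    deny = (settings.get("permissions") or {}).get("deny") or []
    if not deny:
        findings.append(("High", "zero deny rules"))
    return findings


# Constructed sample, not a real settings file and not real credentials.
SAMPLE = json.loads("""
{
  "env": {
    "NODE_ENV": "production",
    "GITHUB_TOKEN": "ghp_EXAMPLEexampleEXAMPLE",
    "UPSTREAM_AUTH": "Bearer EXAMPLE",
    "API_KEY": ""
  },
  "enableAllProjectMcpServers": true,
  "permissions": {"deny": ["Bash(curl:*)"]}
}
""")

if __name__ == "__main__":
    for severity, message in audit_settings(SAMPLE):
        print(f"{severity}: {message}")
```

Findings name the offending variable but omit its value, so the scan report itself does not become a second copy of the secret.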

Pre-Commit Integration

This scan runs automatically via pre-commit hook on staged files. Critical findings will block the commit.