Security Scan Agent

Secure every commit. Proactively detect SAST vulnerabilities, CVEs, and exposed secrets before they reach production.

What it does

The Security Scan Agent runs comprehensive security audits on your codebase—scanning for secrets, vulnerable dependencies, code vulnerabilities, and container issues—all in one command.

Think of it as your automated security engineer that checks everything before you commit.

You'll get:

  • Exposed API keys and credentials detected

  • Vulnerable dependencies with exact fix commands

  • OWASP Top 10 vulnerabilities flagged

  • Container and infrastructure security issues

  • Actionable remediation steps

⏱️ Scan time: 2-5 minutes depending on project size

Sample Prompts

Why use it

Instead of:

  • Running 4 separate security tools manually

  • Spending hours reviewing scan results

  • Googling how to fix vulnerabilities

You get:

  • One command that runs everything

  • Exact fix commands (e.g., npm install package@version)

  • Auto-installation of missing security tools

  • Clear risk scores and prioritized fixes

Impact:

  • 70-85% reduction in exploitable vulnerabilities

  • 12-20 hours saved per week per team

  • Catch issues before they reach production

What it scans

The agent performs 4 types of security scans:

1. Secrets Detection

Tool: Gitleaks

Finds: Hardcoded API keys, tokens, passwords, credentials

Example: AWS keys, GitHub tokens, database passwords in config files

2. Dependency Scanning

Tool: Built-in audits (npm, pip, etc.)

Finds: Known CVEs in third-party packages

Example: Vulnerable versions of Express, Django, React

3. Source Code Analysis (SAST)

Tool: Semgrep

Finds: OWASP Top 10 vulnerabilities in your code

Example: SQL injection, XSS, insecure authentication

4. Container & Infrastructure

Tool: Trivy, policy validators

Finds: Container vulnerabilities, IaC misconfigurations

Example: Outdated base images, insecure Terraform configs


How to use it

Basic scan

Run a full security audit on your current directory:

or in natural language:


Specific scans

Secrets only:

High severity only:

Specific directory:


What you'll see

During the scan


Report summary


Quality gates

Use these benchmarks to measure your security posture:

| Metric | Target | Purpose |
| --- | --- | --- |
| Critical Findings | 0 | Block deployment if critical issues exist |
| Risk Score | < 20/100 | Maintain low overall risk |
| Scan Coverage | 100% | All 4 scan types completed |
| Time to Fix | < 24 hours | Critical issues resolved quickly |

Recommended thresholds:

  • Pass: 0 critical, risk score < 20

  • Warning: 0 critical, risk score 20-50

  • Fail: Any critical findings or risk score > 50
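
One way to enforce these thresholds as a CI step, as an added example that is not the agent's own code. The summary fields (`risk_score`, `scans_completed`, `findings`) are a hypothetical schema, since the page does not show the report format, and treating incomplete scan coverage or a missing score as a failure is an assumption of this example.

```python
"""CI gate applying the Pass/Warning/Fail thresholds to a scan summary.
The summary schema is hypothetical; the agent's real report format may differ."""
import json
import sys

# The four scan types listed on the page (names are assumed labels).
REQUIRED_SCANS = {"secrets", "dependencies", "sast", "container"}

# Constructed sample summary, not real agent output.
SAMPLE = json.loads("""
{
  "risk_score": 34,
  "scans_completed": ["secrets", "dependencies", "sast"],
  "findings": [
    {"scan": "secrets", "severity": "critical", "id": "placeholder-1"},
    {"scan": "dependencies", "severity": "high", "id": "placeholder-2"}
  ]
}
""")


def evaluate_gate(summary):
    """Return (verdict, reasons) where verdict is pass, warning or fail."""
    reasons = []
    critical = sum(1 for f in summary.get("findings", [])
                   if f.get("severity", "").lower() == "critical")
    score = summary.get("risk_score")
    missing = REQUIRED_SCANS - set(summary.get("scans_completed", []))

    if critical:
        reasons.append(f"{critical} critical finding(s)")
    if score is None:
        reasons.append("risk score missing")  # fail closed (assumption)
    elif score > 50:
        reasons.append(f"risk score {score} > 50")
    if missing:
        # Coverage target is 100%: a skipped scanner must not read as a clean result.
        reasons.append("scans not completed: " + ", ".join(sorted(missing)))
    if reasons:
        return "fail", reasons
    if score >= 20:
        return "warning", [f"risk score {score} in 20-50"]
    return "pass", []


if __name__ == "__main__":
    verdict, reasons = evaluate_gate(SAMPLE)
    print(verdict, *reasons, sep="\n  ")
    sys.exit(1 if verdict == "fail" else 0)  # non-zero exit blocks the pipeline
```
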


After the scan

1. Fix critical issues immediately

Exposed secrets:

Critical vulnerabilities:


2. Review the detailed report

Open the generated report:

This includes:

  • Line-by-line code references

  • CVE details and severity scores

  • Step-by-step remediation instructions

  • Before/after code examples


3. Install missing tools (if needed)

If the scan shows incomplete coverage:


4. Re-scan to verify

After fixing issues, run the scan again:

Your risk score should improve and findings should decrease.


Common issues

"Tool not found" errors?

  • Install missing tools: brew install gitleaks semgrep

  • Or let the agent try to install them automatically

Scan taking too long?

  • Run specific scans: "Run a secrets-only scan"

  • Exclude directories: "Scan but skip node_modules"

Too many false positives?

  • Focus on critical/high: "Show only critical and high severity"

  • Configure suppressions in the report

Report not generating?

  • Check disk space

  • Verify write permissions in current directory

  • Look for errors in scan output

Examples

Quick security check before commit:

Full audit for production release:

Focus on dependencies:

Check for exposed secrets:
