Vulnerability-Scanning

Local-first vulnerability and supply-chain scanning for agent runtimes.

This project packages a compact agent skill, a scanner CLI, a starter config, and reference docs for running security scans against local codebases. It helps an agent find vulnerable dependencies, leaked secrets, risky GitHub Actions, source-code security issues, and supply-chain concerns while keeping scan artifacts local by default. Optional package-intake checks can query the public OSV API when package_intake.osv_api_enabled is enabled.

Quick Start

For installation and runtime setup, read INSTALL.md. Scanner tool setup lives in references/install-tools.md.

Agent install prompt:

Follow https://raw.githubusercontent.com/TheSethRose/Vulnerability-Scanning/refs/heads/main/INSTALL.md to install the vulnerability-scanning skill. Set it up for my local agent runtime, install and validate required scanner tools, create a local config from templates/config-starter.yaml, and ask me before changing remediation, tracker, OSV API, license scanning, Scorecard, or Gitleaks history behavior. Use read-only scanning by default, keep artifacts and reports outside target repos, enable tracker/cache behavior unless I decline it, and do not enable Codex auto-remediation unless I explicitly approve it. After setup, run config validation, validate-tools, validate-tools --deep, and a plan run against the workspace I provide. Report exact commands and results.

Validate scanner availability. This checks whether the scanner tools configured for this repo are installed and visible on your PATH:

python3 scripts/vuln-scan.py validate-tools \
  --config templates/config-starter.yaml \
  --format text

Preview what would be scanned. This is the safest first command for a new repo because it discovers targets without running scanners:

python3 scripts/vuln-scan.py plan \
  --config templates/config-starter.yaml \
  --root "$PWD" \
  --scan-mode full \
  --format text

Run a full local scan. The JSON summary and raw scanner artifacts are written under /tmp so scan output does not clutter the target repo:

python3 scripts/vuln-scan.py scan \
  --config templates/config-starter.yaml \
  --root "$PWD" \
  --scan-mode full \
  --output /tmp/vuln-summary.json \
  --artifact-dir /tmp/vuln-artifacts \
  --format text

Run deeper tool checks, list available scanner engines, or render a saved JSON summary as a readable report:

python3 scripts/vuln-scan.py validate-tools --config templates/config-starter.yaml --format text --deep
python3 scripts/vuln-scan.py list-engines --format text
python3 scripts/vuln-scan.py render-report /tmp/vuln-summary.json --format text

Retest one scanner after installing a tool, changing parser behavior, or checking a focused finding:

python3 scripts/vuln-scan.py scan \
  --config templates/config-starter.yaml \
  --root "$PWD" \
  --scan-mode full \
  --only-engine trivy \
  --output /tmp/vuln-summary.json \
  --artifact-dir /tmp/vuln-artifacts \
  --format text

What It Scans

The default full mode covers the common repo-security path: vulnerable dependencies, broad filesystem findings, current-tree secrets, GitHub Actions workflows, and source-code security rules.

Additional modes are explicit so scans stay predictable:

  • dependencies: known vulnerable dependency checks
  • secrets: secret scanning and tracked .env* checks
  • ci: GitHub Actions and CI workflow checks
  • supply-chain: checks for risky package behavior before or after adding dependencies
  • sast: source-code security scanning
  • sbom: SBOM generation and SBOM vulnerability checks
  • hygiene: repository security hygiene checks
  • remediation-prep: read-only grouping of findings by likely fix path

Use --only-engine for focused retests. The flag can be repeated and accepts comma-separated names; valid names come from list-engines, plus aliases such as ci, secrets, sbom, and javascript-native.

Scanner Coverage

The CLI coordinates these tools when they match the repo and requested scan mode:

  • OSV Scanner plus native JavaScript audits, pip-audit, and cargo audit
  • Trivy filesystem/image scans
  • Gitleaks, TruffleHog, and metadata-only secret fallback
  • zizmor and actionlint for GitHub Actions
  • Semgrep CE SAST
  • Syft and Grype for SBOM generation/scanning
  • OpenSSF Scorecard for explicit repo hygiene scans
  • GuardDog package-intake checks for npm, PyPI, Go, RubyGems, GitHub Actions, and VS Code extensions

If a tool is unavailable, unsupported for a target, times out, or produces output the CLI cannot parse, the report calls that out separately instead of presenting the scan as clean.
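The sketch below is an added example, not the project's code. It shows one way to keep "no findings" distinct from "did not run" by classifying each engine run before a verdict is computed. The state names, the `{"findings": [...]}` output envelope, and the fake scanner scripts are assumptions constructed for the demo; the project's real states are defined in references/report-schema.md.

```python
import json
import os
import shutil
import subprocess
import tempfile

# State names are hypothetical; the project's own are in references/report-schema.md.
def run_engine(binary, args=(), timeout=5, path=None):
    """Run one scanner; return (state, findings). Only ("ok", []) means clean."""
    exe = shutil.which(binary, path=path)
    if exe is None:
        return "unavailable", None
    try:
        proc = subprocess.run([exe, *args], capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timeout", None
    # Exit codes are not trusted here: many scanners exit non-zero when they find issues.
    try:
        findings = json.loads(proc.stdout)["findings"]
    except (ValueError, KeyError, TypeError):
        return "parse_error", None
    return ("ok", findings) if isinstance(findings, list) else ("parse_error", None)

def summarize(results):
    """Clean requires every requested engine to have run and returned no findings."""
    gaps = sorted(name for name, (state, _) in results.items() if state != "ok")
    total = sum(len(found) for state, found in results.values() if state == "ok")
    verdict = "incomplete" if gaps else ("findings" if total else "clean")
    return {"verdict": verdict, "findings": total, "coverage_gaps": gaps}

def demo():
    """Classify constructed fake scanners written to a temp dir, plus one missing tool."""
    fakes = {
        "fake-clean": "echo '{\"findings\": []}'",
        "fake-garbled": "echo 'scan complete, 0 issues'",
        "fake-slow": "exec sleep 5",
    }
    with tempfile.TemporaryDirectory() as bindir:
        for name, body in fakes.items():
            script = os.path.join(bindir, name)
            with open(script, "w") as fh:
                fh.write("#!/bin/sh\n" + body + "\n")
            os.chmod(script, 0o755)
        return {name: run_engine(name, timeout=1, path=bindir)
                for name in [*fakes, "fake-missing"]}

if __name__ == "__main__":
    print(json.dumps(summarize(demo()), indent=2))
```

The garbled fake prints "0 issues" in plain text, which a naive wrapper could read as a clean result; here it is a coverage gap.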

Safety Defaults

  • Normal scans are read-only.
  • Starter full scans use current-tree Gitleaks, not full git history.
  • Enable Gitleaks history only for deep secret-history audits or focused retests.
  • Scorecard runs only when --scan-mode hygiene is requested.
  • License scanning runs only when explicitly requested.
  • Remediation is opt-in with --auto-remediate or config that explicitly enables it.
  • Reports and raw artifacts should live outside target repos for broad or multi-repo scans.
  • Secret values should never be printed or summarized.
  • Scan mode must not branch, commit, push, delete files, rotate credentials, or rewrite history.

Package Layout

The repository is split between the short prompt-facing skill file, executable scanner code, starter configuration, and longer reference docs:

  • SKILL.md: compact runtime instructions for agents
  • INSTALL.md: setup guide for Codex, OpenClaw, Hermes, and other local agent runtimes
  • scripts/vuln-scan.py: scan, plan, validate, package-intake, and report CLI
  • scripts/nightly-vuln-scan.py: backwards-compatible wrapper for existing cron jobs
  • scripts/validate-config.sh: starter config and Python syntax validation
  • templates/config-starter.yaml: starter local scan config
  • references/: install, scanner behavior, parser, report, remediation, and package-intake contracts

Finding Tracker

The tracker is a local cache of findings the scanner has already handled. It prevents repeat runs from spending time on the same fixed, unfixable, or temporarily blocked items. Configure its location in templates/config-starter.yaml or with --tracker-path; entries are retried after their configured window so newly available fixes can still be picked up later.
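As an added illustration, not taken from the project, the following sketch shows how a tracker with per-status retry windows can decide which findings to skip on a repeat run. The entry layout, status names, window lengths, and field names are all assumptions, and the sample findings are constructed.

```python
import hashlib

DAY = 86400
# Hypothetical retry windows per status; real values would come from the local config.
RETRY_AFTER = {"fixed": 30 * DAY, "unfixable": 14 * DAY, "blocked": 3 * DAY}
# Identity uses metadata only, so a matched secret value never reaches the tracker.
ID_FIELDS = ("engine", "rule_id", "package", "version", "path")

def fingerprint(finding):
    """Stable ID for a finding; a version bump yields a new ID and a fresh check."""
    key = "\x1f".join(str(finding.get(field, "")) for field in ID_FIELDS)
    return hashlib.sha256(key.encode("utf-8")).hexdigest()[:16]

def record(tracker, finding, status, now):
    """Store the outcome of handling a finding at time `now` (epoch seconds)."""
    if status not in RETRY_AFTER:
        raise ValueError(f"unknown tracker status: {status!r}")
    tracker[fingerprint(finding)] = {"status": status, "checked_at": now}

def is_due(tracker, finding, now):
    """True when the finding is new, its entry is unusable, or its window has elapsed."""
    entry = tracker.get(fingerprint(finding))
    if not isinstance(entry, dict) or entry.get("status") not in RETRY_AFTER:
        return True  # corrupt or unknown entries fall back to re-checking
    return now - entry.get("checked_at", 0) >= RETRY_AFTER[entry["status"]]

def partition(tracker, findings, now):
    """Split findings into (work, skipped) for this run."""
    work, skipped = [], []
    for finding in findings:
        (work if is_due(tracker, finding, now) else skipped).append(finding)
    return work, skipped

# Constructed sample findings; the IDs, package and match text are not real.
DEP = {"engine": "osv-scanner", "rule_id": "EXAMPLE-0001", "package": "example-pkg",
       "version": "1.2.3", "path": "package-lock.json"}
SECRET = {"engine": "gitleaks", "rule_id": "generic-api-key", "path": ".env",
          "match": "CONSTRUCTED-NOT-A-SECRET"}

if __name__ == "__main__":
    tracker, t0 = {}, 1_700_000_000
    record(tracker, DEP, "unfixable", t0)
    record(tracker, SECRET, "blocked", t0)
    work, skipped = partition(tracker, [DEP, SECRET], t0 + 4 * DAY)
    print(len(work), "to re-check,", len(skipped), "skipped")
```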

References

  • references/scanner-behavior.md: engine behavior and scan assumptions
  • references/parser-contract.md: parser and normalized finding expectations
  • references/report-schema.md: report fields and coverage states
  • references/remediation-policy.md: remediation grouping and guardrails
  • references/package-intake.md: package-intake decision contract
  • references/install-tools.md: scanner installation and validation

Privacy

This repository intentionally contains no private paths, personal repo names, tokens, scan results, or environment-specific tracker data.

Maintenance

Before default-enabling a new engine, verify current CLI flags, add parser tests, add fake-binary integration coverage, define failure handling, and document the engine in README.md and SKILL.md.

License

Copyright (c) 2026 Vulnerability Scanning Skill Contributors. MIT License. See LICENSE for the full terms.
