security-guidance
Comprehensive security best practices, vulnerability scanning, and security guidance for development workflows with automated security checks and compliance monitoring.
When & Why to Use This Skill
This Claude skill serves as a comprehensive security toolkit designed to integrate automated vulnerability scanning, secure coding best practices, and compliance monitoring into the modern development lifecycle. It enables teams to proactively identify risks across source code, dependencies, and cloud infrastructure while ensuring adherence to global regulatory standards like GDPR and SOC 2.
Use Cases
- Automated Code & Dependency Scanning: Detect critical vulnerabilities such as SQL injection, XSS, and insecure dependencies early in the development process using automated CLI tools.
- Infrastructure & Cloud Security Auditing: Evaluate AWS configurations, Kubernetes clusters, and Docker images for security misconfigurations and compliance with hardening standards.
- Regulatory Compliance Management: Streamline the path to GDPR and SOC 2 certification through automated audits, data privacy assessments, and the generation of required security documentation.
- Secure API & Web Development: Implement robust security controls including rate limiting, CORS configuration, and input sanitization using pre-built utility libraries.
- Real-time Monitoring & Incident Response: Establish a proactive security posture with automated threat detection, real-time alerting via Slack/Email, and structured incident management workflows.
| name | security-guidance |
|---|---|
| description | Comprehensive security best practices, vulnerability scanning, and security guidance for development workflows with automated security checks and compliance monitoring. |
| license | MIT |
Security Guidance & Scanning
Overview
Complete security toolkit providing best practices, automated vulnerability scanning, security guidance, and compliance monitoring for development workflows and production systems.
Quick Start
Installation
npm install -g @security-guidance/cli
# or
npx @security-guidance/cli init
Initial Security Scan
# Quick security assessment
security-guidance scan
# Comprehensive scan
security-guidance scan --comprehensive --report=html
Security Scanning
Code Security Analysis
# Scan source code for vulnerabilities
security-guidance scan code --path=./src --language=javascript
# Scan with specific rules
security-guidance scan code --rules=owasp-top-ten,cwe-89
# Include dependency scanning
security-guidance scan code --include-deps --severity=high,critical
Code Scan Results
{
"scanId": "scan_2024_01_15_14_30",
"timestamp": "2024-01-15T14:30:00Z",
"summary": {
"totalIssues": 23,
"critical": 2,
"high": 5,
"medium": 10,
"low": 6
},
"issues": [
{
"id": "vuln_001",
"severity": "critical",
"type": "sql-injection",
"file": "src/database.js",
"line": 45,
"description": "Potential SQL injection vulnerability",
"recommendation": "Use parameterized queries or ORM"
}
]
}
Dependency Vulnerability Scanning
# Scan package dependencies
security-guidance scan dependencies --format=npm
# Scan with custom registry
security-guidance scan dependencies --registry=private-registry
# Continuous monitoring
security-guidance monitor dependencies --interval=daily
Dependency Report
// Generate dependency security report
const { DependencyScanner } = require('@security-guidance/scanner');
const scanner = new DependencyScanner();
const report = await scanner.scan('./package.json');
console.log(`
Vulnerabilities Found: ${report.vulnerabilities.length}
Critical: ${report.criticalCount}
High: ${report.highCount}
Recommendations:
${report.recommendations.join('\n')}
`);
Infrastructure Security
# Scan cloud infrastructure
security-guidance scan infrastructure --provider=aws --region=us-east-1
# Scan Kubernetes cluster
security-guidance scan k8s --cluster=production
# Docker security scan
security-guidance scan docker --image=myapp:latest
Infrastructure Security Check
# security-config.yaml
infrastructure:
aws:
s3:
- check: "public-read-prohibited"
severity: "high"
- check: "encryption-enabled"
severity: "medium"
ec2:
- check: "security-groups-configured"
severity: "critical"
- check: "iam-roles-assigned"
severity: "medium"
kubernetes:
rbac:
- check: "no-cluster-admin-binding"
severity: "critical"
pods:
- check: "no-privileged-containers"
severity: "high"
- check: "read-only-filesystem"
severity: "medium"
Security Best Practices
Secure Coding Guidelines
Input Validation
const { SecurityUtils } = require('@security-guidance/utils');
// Validate user input
function validateUserInput(input) {
return SecurityUtils.validate(input, {
type: 'string',
maxLength: 1000,
allowedChars: 'a-zA-Z0-9 .,!?-',
sanitize: true,
escape: true
});
}
// SQL injection prevention
const query = 'SELECT * FROM users WHERE email = ?';
const result = await db.query(query, [validatedEmail]);
Authentication & Authorization
const { AuthManager } = require('@security-guidance/auth');
const auth = new AuthManager({
jwtSecret: process.env.JWT_SECRET,
bcryptRounds: 12,
sessionTimeout: 3600000, // 1 hour
maxLoginAttempts: 5,
lockoutDuration: 900000 // 15 minutes
});
// Secure login
async function login(username, password) {
const user = await auth.authenticate(username, password);
if (user) {
const token = auth.generateToken(user, { expiresIn: '1h' });
return { success: true, token };
}
return { success: false, error: 'Invalid credentials' };
}
Data Encryption
const { Encryption } = require('@security-guidance/crypto');
const encryption = new Encryption({
algorithm: 'aes-256-gcm',
keyDerivation: 'pbkdf2',
iterations: 100000
});
// Encrypt sensitive data
async function encryptSensitiveData(data) {
const encrypted = await encryption.encrypt(data, process.env.ENCRYPTION_KEY);
return encrypted;
}
// Decrypt sensitive data
async function decryptSensitiveData(encryptedData) {
const decrypted = await encryption.decrypt(encryptedData, process.env.ENCRYPTION_KEY);
return decrypted;
}
API Security
Rate Limiting
const { RateLimiter } = require('@security-guidance/api');
const rateLimiter = new RateLimiter({
windowMs: 15 * 60 * 1000, // 15 minutes
maxRequests: 100,
skipSuccessfulRequests: false,
skipFailedRequests: false
});
// Apply to API endpoints
app.use('/api/', rateLimiter.middleware());
CORS Configuration
const cors = require('cors');
const corsOptions = {
origin: process.env.ALLOWED_ORIGINS?.split(',') || ['https://example.com'],
methods: ['GET', 'POST', 'PUT', 'DELETE'],
allowedHeaders: ['Content-Type', 'Authorization'],
credentials: true,
maxAge: 86400 // 24 hours
};
app.use(cors(corsOptions));
Input Sanitization
const { Sanitizer } = require('@security-guidance/sanitizer');
const sanitizer = new Sanitizer();
// Sanitize HTML input
function sanitizeHtml(input) {
return sanitizer.html(input, {
allowedTags: ['b', 'i', 'em', 'strong', 'p', 'br'],
allowedAttributes: {},
disallowedTagsMode: 'discard'
});
}
// Sanitize SQL input
function sanitizeSql(input) {
return sanitizer.sql(input, {
escapeQuotes: true,
removeComments: true,
validateIdentifiers: true
});
}
Compliance Monitoring
GDPR Compliance
# GDPR compliance check
security-guidance compliance gdpr --audit
# Data privacy assessment
security-guidance privacy assess --region=eu
# Generate GDPR documentation
security-guidance compliance gdpr --docs --output=./docs/gdpr
GDPR Implementation
const { GDPRCompliance } = require('@security-guidance/compliance');
const gdpr = new GDPRCompliance({
dataController: 'Your Company',
dataProtectionOfficer: 'dpo@company.com',
retentionPeriod: 365, // days
consentRequired: true
});
// Handle data subject requests
async function handleDataSubjectRequest(requestType, userId) {
switch (requestType) {
case 'access':
return await gdpr.getUserData(userId);
case 'deletion':
return await gdpr.deleteUserData(userId);
case 'rectification':
return await gdpr.rectifyUserData(userId, updatedData);
default:
throw new Error('Invalid request type');
}
}
SOC 2 Compliance
# SOC 2 compliance assessment
security-guidance compliance soc2 --type=type2 --audit
# Security controls validation
security-guidance controls validate --framework=soc2
# Generate SOC 2 reports
security-guidance compliance soc2 --report --format=pdf
SOC 2 Controls
const { SOC2Controls } = require('@security-guidance/compliance');
const soc2 = new SOC2Controls({
trustServices: ['security', 'availability', 'confidentiality'],
criteria: 'common-criteria-2017'
});
// Implement security controls
const controls = {
accessControl: {
implemented: true,
evidence: ['access-logs', 'user-permissions'],
lastReviewed: '2024-01-15'
},
encryption: {
implemented: true,
evidence: ['encryption-keys', 'cipher-suites'],
lastReviewed: '2024-01-10'
},
incidentResponse: {
implemented: true,
evidence: ['incident-logs', 'response-procedures'],
lastReviewed: '2024-01-12'
}
};
await soc2.validateControls(controls);
Security Testing
Penetration Testing
# Automated penetration testing
security-guidance pentest --target=https://api.example.com
# Custom penetration test
security-guidance pentest --config=pentest.config.js
# Generate pentest report
security-guidance pentest --report --format=html
Penetration Test Configuration
// pentest.config.js
module.exports = {
target: 'https://api.example.com',
tests: [
'sql-injection',
'xss',
'csrf',
'authentication-bypass',
'authorization-issues',
'rate-limiting-bypass'
],
authentication: {
type: 'bearer',
token: process.env.API_TOKEN
},
options: {
maxRequestsPerSecond: 10,
timeout: 30000,
followRedirects: true
},
reporting: {
format: ['html', 'json'],
includeEvidence: true,
severity: ['medium', 'high', 'critical']
}
};
Security Unit Testing
const { SecurityTests } = require('@security-guidance/testing');
describe('Security Tests', () => {
let securityTests;
beforeEach(() => {
securityTests = new SecurityTests();
});
test('should prevent SQL injection', async () => {
const maliciousInput = "'; DROP TABLE users; --";
const result = await securityTests.testSqlInjection(maliciousInput);
expect(result.vulnerable).toBe(false);
});
test('should prevent XSS attacks', async () => {
const xssPayload = '<script>alert("xss")</script>';
const result = await securityTests.testXSS(xssPayload);
expect(result.vulnerable).toBe(false);
});
test('should enforce rate limiting', async () => {
const requests = Array(101).fill().map(() =>
securityTests.makeRequest('/api/endpoint')
);
const results = await Promise.all(requests);
const rejectedRequests = results.filter(r => r.status === 429);
expect(rejectedRequests.length).toBeGreaterThan(0);
});
});
Security Monitoring
Real-time Monitoring
# Start security monitoring
security-guidance monitor --real-time
# Monitor specific services
security-guidance monitor --services=api,database,auth
# Set up alerts
security-guidance monitor --alert-webhook=https://hooks.slack.com/...
Monitoring Configuration
// monitoring.config.js
module.exports = {
services: [
{
name: 'api',
endpoint: 'https://api.example.com/health',
checks: ['response-time', 'status-code', 'ssl-certificate'],
interval: 60000 // 1 minute
},
{
name: 'database',
connection: process.env.DATABASE_URL,
checks: ['connection-pool', 'query-performance', 'access-logs'],
interval: 300000 // 5 minutes
}
],
alerts: {
channels: [
{
type: 'slack',
webhook: process.env.SLACK_WEBHOOK,
severity: ['high', 'critical']
},
{
type: 'email',
recipients: ['security@company.com'],
severity: ['critical']
}
]
},
thresholds: {
responseTime: 5000, // 5 seconds
errorRate: 0.05, // 5%
failedLogins: 10 // per minute
}
};
Log Analysis
# Analyze security logs
security-guidance logs analyze --source=./logs --pattern=security-events
# Detect anomalies
security-guidance logs anomaly-detect --baseline=30-days
# Generate security report
security-guidance logs report --period=weekly --format=pdf
Log Analysis Script
const { LogAnalyzer } = require('@security-guidance/logs');
const analyzer = new LogAnalyzer({
patterns: {
failedLogin: /failed.*login/i,
sqlInjection: /union.*select|drop.*table/i,
xss: /<script|javascript:/i,
suspiciousActivity: /brute.*force|dictionary.*attack/i
},
thresholds: {
failedLoginsPerMinute: 5,
suspiciousPatternsPerHour: 10
}
});
// Analyze logs
async function analyzeSecurityLogs(logFile) {
const analysis = await analyzer.analyze(logFile);
if (analysis.alerts.length > 0) {
await sendSecurityAlert(analysis.alerts);
}
return analysis;
}
Security Configuration
Security Headers
const helmet = require('helmet');
app.use(helmet({
contentSecurityPolicy: {
directives: {
defaultSrc: ["'self'"],
styleSrc: ["'self'", "'unsafe-inline'"],
scriptSrc: ["'self'"],
imgSrc: ["'self'", "data:", "https:"]
}
},
hsts: {
maxAge: 31536000,
includeSubDomains: true,
preload: true
},
noSniff: true,
frameguard: { action: 'deny' },
xssFilter: true
}));
Environment Security
# Secure environment setup
security-guidance env secure --production
# Environment variables validation
security-guidance env validate --required=API_KEY,DB_URL
# Generate secure secrets
security-guidance secrets generate --type=jwt --length=256
Secure Environment Configuration
// security.config.js
module.exports = {
environment: {
required: [
'API_KEY',
'DATABASE_URL',
'JWT_SECRET',
'ENCRYPTION_KEY'
],
validation: {
JWT_SECRET: {
minLength: 32,
pattern: /^[A-Za-z0-9+/]+={0,2}$/
},
API_KEY: {
minLength: 20,
pattern: /^[a-f0-9]{32}$/
}
}
},
secrets: {
rotation: {
interval: '90d',
notification: ['security@company.com']
},
storage: {
provider: 'aws-secrets-manager',
region: 'us-east-1'
}
}
};
Incident Response
Incident Management
# Report security incident
security-guidance incident report --type=data-breach --severity=high
# View incident status
security-guidance incident status --id=inc-2024-001
# Generate incident report
security-guidance incident report --id=inc-2024-001 --format=pdf
Incident Response Workflow
const { IncidentManager } = require('@security-guidance/incident');
const incidentManager = new IncidentManager({
escalationPolicy: {
level1: { timeout: 300, notify: ['oncall@company.com'] },
level2: { timeout: 900, notify: ['security@company.com', 'cto@company.com'] },
level3: { timeout: 1800, notify: ['executives@company.com'] }
},
communication: {
slack: { webhook: process.env.SLACK_WEBHOOK },
email: { smtp: process.env.SMTP_CONFIG },
sms: { provider: 'twilio', apiKey: process.env.TWILIO_KEY }
}
});
// Handle security incident
async function handleSecurityIncident(incident) {
const response = await incidentManager.create({
type: incident.type,
severity: incident.severity,
description: incident.description,
affectedSystems: incident.systems,
reporter: incident.reporter
});
// Start automated response
await incidentManager.automatedResponse(response.id);
return response;
}
Security Training
Security Awareness
# Generate security training materials
security-guidance training generate --topic=phishing --format=interactive
# Conduct security quiz
security-guidance training quiz --topic=social-engineering
# Track training progress
security-guidance training progress --team=engineering
Training Content Generator
const { TrainingGenerator } = require('@security-guidance/training');
const generator = new TrainingGenerator();
// Generate phishing awareness training
const phishingTraining = await generator.generate({
topic: 'phishing',
format: 'interactive',
difficulty: 'intermediate',
duration: 30 // minutes
});
// Generate security quiz
const quiz = await generator.quiz({
topics: ['password-security', 'social-engineering', 'data-protection'],
questionsPerTopic: 5,
difficulty: 'mixed'
});
Integration
CI/CD Integration
# .github/workflows/security.yml
name: Security Scan
on: [push, pull_request]
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Run Security Scan
run: |
npx @security-guidance/cli scan \
--comprehensive \
--format=github \
--output=security-report.json
- name: Upload Security Report
uses: actions/upload-artifact@v2
with:
name: security-report
path: security-report.json
IDE Integration
# VS Code extension
code --install-extension security-guidance.vscode
# IntelliJ plugin
# Install from marketplace: Security Guidance
# Vim/Neovim plugin
git clone https://github.com/security-guidance/vim-plugin ~/.vim/pack/security/start/
API Reference
Core Classes
SecurityScanner
const { SecurityScanner } = require('@security-guidance/core');
const scanner = new SecurityScanner({
rules: ['owasp-top-ten', 'custom-rules'],
severity: ['medium', 'high', 'critical']
});
const results = await scanner.scan('./src');
VulnerabilityDatabase
const { VulnDB } = require('@security-guidance/database');
const vulnDB = new VulnDB({
sources: ['cve', 'npm-advisories', 'github-advisories'],
updateInterval: 3600000 // 1 hour
});
const vulnerabilities = await vulnDB.lookup('express', '4.17.0');
ComplianceChecker
const { ComplianceChecker } = require('@security-guidance/compliance');
const checker = new ComplianceChecker({
frameworks: ['gdpr', 'soc2', 'pci-dss'],
jurisdiction: 'eu'
});
const compliance = await checker.check('./app');
Contributing
- Fork the repository
- Create security feature branch
- Follow secure coding practices
- Add security tests
- Submit pull request with security review
License
MIT License - see LICENSE file for details.