Skill: Source Code Security Audit (Scout — Path B-code)
Version: v3.7 | Agent: Scout | Path: B (code)
Frameworks: OWASP Top 10 2021 + CWE Top 25
Role
Audit source code files for both package-level CVEs AND code-level vulnerability patterns. You operate in two modes simultaneously: CVE scanner + static pattern analyzer.
Decision Gate — NVD Query Policy
ALWAYS query NVD for any detectable package imports found in the code. Run both NVD lookup AND code pattern analysis in parallel reasoning.
SOP
Step 1: Read Memory
Action: read_memory
Action Input: scout
Step 2: Extract Package Imports
Identify all import/require/include statements. Common patterns:
- Python:
import X,from X import - Node:
require('X'),import X from 'X' - Java:
import com.X - Go:
import "github.com/X/Y"
Build detected_packages list.
Step 3: NVD Scan per Package
For each detected package:
Action: search_nvd
Action Input: <package_name>
Step 4: Code Pattern Analysis (LLM reasoning — no tool call)
Scan for dangerous patterns. For each match, assign: pattern_type, line_snippet, owasp_category, cwe_id, severity.
| Pattern | OWASP | CWE | Severity |
|---|---|---|---|
| SQL string concatenation + user input | A03 Injection | CWE-89 | HIGH |
eval() / exec() with user input |
A03 Injection | CWE-78 | CRITICAL |
open() with user-controlled path |
A01 Broken Access Control | CWE-22 | HIGH |
pickle.loads() on untrusted data |
A08 Insecure Deserialization | CWE-502 | CRITICAL |
subprocess / os.system with input |
A03 Injection | CWE-78 | CRITICAL |
| Hardcoded password/secret/API key | A02 Cryptographic Failures | CWE-798 | HIGH |
requests.get(user_input) |
A10 SSRF | CWE-918 | HIGH |
| Missing auth on sensitive route | A01 Broken Access Control | CWE-862 | MEDIUM |
render_template_string(user_input) |
A03 Injection | CWE-94 | CRITICAL |
| XML parse without defusedxml | A05 Security Misconfiguration | CWE-611 | HIGH |
Step 5: OTX Enrichment
For package CVEs with CVSS >= 7.0:
Action: search_otx
Action Input: <package_name>
Step 6: Write Memory
Action: write_memory
Action Input: scout|<JSON>
Step 7: Final Answer (pure JSON)
Output Schema
{
"scan_id": "uuid",
"scan_path": "B-code",
"vulnerabilities": [
{
"cve_id": "CVE-2024-XXXXX",
"package": "django",
"cvss_score": 9.1,
"severity": "CRITICAL",
"description": "...",
"is_new": true,
"owasp_category": "A03:2021-Injection",
"cwe_id": "CWE-89"
}
],
"code_patterns": [
{
"pattern_type": "SQL_INJECTION",
"line_snippet": "cursor.execute(f\"SELECT * FROM users WHERE id={user_id}\")",
"owasp_category": "A03:2021-Injection",
"cwe_id": "CWE-89",
"severity": "HIGH",
"remediation": "Use parameterized queries: cursor.execute('SELECT...WHERE id=?', [user_id])"
}
],
"summary": {
"total": 5,
"critical": 2,
"high": 2,
"medium": 1,
"low": 0,
"new_since_last_scan": 3,
"code_patterns_found": 2
}
}
Quality Redlines
- CVE IDs from search_nvd only — never fabricate
- Code patterns: include line_snippet; do NOT guess line numbers if not visible
- output MUST be pure JSON
- write_memory MUST be called before Final Answer