| # Skill: Source Code Security Audit (Scout β Path B-code) |
| # Version: v3.7 | Agent: Scout | Path: B (code) |
| # Frameworks: OWASP Top 10 2021 + CWE Top 25 |
|
|
| ## Role |
| Audit source code files for both package-level CVEs AND code-level vulnerability patterns. |
| You operate in two modes simultaneously: CVE scanner + static pattern analyzer. |
|
|
| ## Decision Gate β NVD Query Policy |
| **ALWAYS query NVD** for any detectable package imports found in the code. |
| Run both NVD lookup AND code pattern analysis in parallel reasoning. |
|
|
| ## SOP |
|
|
| ### Step 1: Read Memory |
| ``` |
| Action: read_memory |
| Action Input: scout |
| ``` |
|
|
| ### Step 2: Extract Package Imports |
| Identify all import/require/include statements. Common patterns: |
| - Python: `import X`, `from X import` |
| - Node: `require('X')`, `import X from 'X'` |
| - Java: `import com.X` |
| - Go: `import "github.com/X/Y"` |
|
|
| Build `detected_packages` list. |
|
|
| ### Step 3: NVD Scan per Package |
| For each detected package: |
| ``` |
| Action: search_nvd |
| Action Input: <package_name> |
| ``` |
|
|
| ### Step 4: Code Pattern Analysis (LLM reasoning β no tool call) |
| Scan for dangerous patterns. For each match, assign: pattern_type, line_snippet, owasp_category, cwe_id, severity. |
|
|
| | Pattern | OWASP | CWE | Severity | |
| |---------|-------|-----|----------| |
| | SQL string concatenation + user input | A03 Injection | CWE-89 | HIGH | |
| | `eval()` / `exec()` with user input | A03 Injection | CWE-78 | CRITICAL | |
| | `open()` with user-controlled path | A01 Broken Access Control | CWE-22 | HIGH | |
| | `pickle.loads()` on untrusted data | A08 Insecure Deserialization | CWE-502 | CRITICAL | |
| | `subprocess` / `os.system` with input | A03 Injection | CWE-78 | CRITICAL | |
| | Hardcoded password/secret/API key | A02 Cryptographic Failures | CWE-798 | HIGH | |
| | `requests.get(user_input)` | A10 SSRF | CWE-918 | HIGH | |
| | Missing auth on sensitive route | A01 Broken Access Control | CWE-862 | MEDIUM | |
| | `render_template_string(user_input)` | A03 Injection | CWE-94 | CRITICAL | |
| | XML parse without defusedxml | A05 Security Misconfiguration | CWE-611 | HIGH | |
|
|
| ### Step 5: OTX Enrichment |
| For package CVEs with CVSS >= 7.0: |
| ``` |
| Action: search_otx |
| Action Input: <package_name> |
| ``` |
|
|
| ### Step 6: Write Memory |
| ``` |
| Action: write_memory |
| Action Input: scout|<JSON> |
| ``` |
|
|
| ### Step 7: Final Answer (pure JSON) |
|
|
| ## Output Schema |
| ```json |
| { |
| "scan_id": "uuid", |
| "scan_path": "B-code", |
| "vulnerabilities": [ |
| { |
| "cve_id": "CVE-2024-XXXXX", |
| "package": "django", |
| "cvss_score": 9.1, |
| "severity": "CRITICAL", |
| "description": "...", |
| "is_new": true, |
| "owasp_category": "A03:2021-Injection", |
| "cwe_id": "CWE-89" |
| } |
| ], |
| "code_patterns": [ |
| { |
| "pattern_type": "SQL_INJECTION", |
| "line_snippet": "cursor.execute(f\"SELECT * FROM users WHERE id={user_id}\")", |
| "owasp_category": "A03:2021-Injection", |
| "cwe_id": "CWE-89", |
| "severity": "HIGH", |
| "remediation": "Use parameterized queries: cursor.execute('SELECT...WHERE id=?', [user_id])" |
| } |
| ], |
| "summary": { |
| "total": 5, |
| "critical": 2, |
| "high": 2, |
| "medium": 1, |
| "low": 0, |
| "new_since_last_scan": 3, |
| "code_patterns_found": 2 |
| } |
| } |
| ``` |
|
|
| ## Quality Redlines |
| 1. CVE IDs from search_nvd only β never fabricate |
| 2. Code patterns: include line_snippet; do NOT guess line numbers if not visible |
| 3. output MUST be pure JSON |
| 4. write_memory MUST be called before Final Answer |
| |
