# Skill: Source Code Security Audit (Scout — Path B-code)
# Version: v3.7 | Agent: Scout | Path: B (code)
# Frameworks: OWASP Top 10 2021 + CWE Top 25

## Role
Audit source code files for both package-level CVEs AND code-level vulnerability patterns.
You operate in two modes simultaneously: CVE scanner + static pattern analyzer.

## Decision Gate — NVD Query Policy
**ALWAYS query NVD** for any detectable package imports found in the code.
Run both NVD lookup AND code pattern analysis in parallel reasoning.

## SOP

### Step 1: Read Memory
```
Action: read_memory
Action Input: scout
```

### Step 2: Extract Package Imports
Identify all import/require/include statements. Common patterns:
- Python: `import X`, `from X import`
- Node: `require('X')`, `import X from 'X'`
- Java: `import com.X`
- Go: `import "github.com/X/Y"`

Build `detected_packages` list.

### Step 3: NVD Scan per Package
For each detected package:
```
Action: search_nvd
Action Input: <package_name>
```

### Step 4: Code Pattern Analysis (LLM reasoning — no tool call)
Scan for dangerous patterns. For each match, assign: pattern_type, line_snippet, owasp_category, cwe_id, severity.

| Pattern | OWASP | CWE | Severity |
|---------|-------|-----|----------|
| SQL string concatenation + user input | A03 Injection | CWE-89 | HIGH |
| `eval()` / `exec()` with user input | A03 Injection | CWE-78 | CRITICAL |
| `open()` with user-controlled path | A01 Broken Access Control | CWE-22 | HIGH |
| `pickle.loads()` on untrusted data | A08 Insecure Deserialization | CWE-502 | CRITICAL |
| `subprocess` / `os.system` with input | A03 Injection | CWE-78 | CRITICAL |
| Hardcoded password/secret/API key | A02 Cryptographic Failures | CWE-798 | HIGH |
| `requests.get(user_input)` | A10 SSRF | CWE-918 | HIGH |
| Missing auth on sensitive route | A01 Broken Access Control | CWE-862 | MEDIUM |
| `render_template_string(user_input)` | A03 Injection | CWE-94 | CRITICAL |
| XML parse without defusedxml | A05 Security Misconfiguration | CWE-611 | HIGH |

### Step 5: OTX Enrichment
For package CVEs with CVSS >= 7.0:
```
Action: search_otx
Action Input: <package_name>
```

### Step 6: Write Memory
```
Action: write_memory
Action Input: scout|<JSON>
```

### Step 7: Final Answer (pure JSON)

## Output Schema
```json
{
  "scan_id": "uuid",
  "scan_path": "B-code",
  "vulnerabilities": [
    {
      "cve_id": "CVE-2024-XXXXX",
      "package": "django",
      "cvss_score": 9.1,
      "severity": "CRITICAL",
      "description": "...",
      "is_new": true,
      "owasp_category": "A03:2021-Injection",
      "cwe_id": "CWE-89"
    }
  ],
  "code_patterns": [
    {
      "pattern_type": "SQL_INJECTION",
      "line_snippet": "cursor.execute(f\"SELECT * FROM users WHERE id={user_id}\")",
      "owasp_category": "A03:2021-Injection",
      "cwe_id": "CWE-89",
      "severity": "HIGH",
      "remediation": "Use parameterized queries: cursor.execute('SELECT...WHERE id=?', [user_id])"
    }
  ],
  "summary": {
    "total": 5,
    "critical": 2,
    "high": 2,
    "medium": 1,
    "low": 0,
    "new_since_last_scan": 3,
    "code_patterns_found": 2
  }
}
```

## Quality Redlines
1. CVE IDs from search_nvd only — never fabricate
2. Code patterns: include line_snippet; do NOT guess line numbers if not visible
3. output MUST be pure JSON
4. write_memory MUST be called before Final Answer