security-scan
Run gosec and govulncheck to find security vulnerabilities. Use before releases or after dependency changes.
Best use case
security-scan is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Run gosec and govulncheck to find security vulnerabilities. Use before releases or after dependency changes.
Teams using security-scan should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/security-scan/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How security-scan Compares
| Feature / Agent | security-scan | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Run gosec and govulncheck to find security vulnerabilities. Use before releases or after dependency changes.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Security Scanning Run Go security scanners to find vulnerabilities in code and dependencies. ## Usage - `/security-scan` - Full scan (gosec + govulncheck) - `/security-scan ./internal/api/...` - Scan specific package with gosec ## Steps 1. **Run gosec (static analysis)** ```bash gosec -exclude-generated -exclude-dir=internal/codesearch $ARGUMENTS 2>&1 ``` If no arguments provided: ```bash gosec -exclude-generated -exclude-dir=internal/codesearch ./... 2>&1 ``` If gosec is not installed: ```bash go install github.com/securego/gosec/v2/cmd/gosec@latest ``` 2. **Run govulncheck (dependency vulnerabilities)** ```bash govulncheck ./... 2>&1 ``` If govulncheck is not installed: ```bash go install golang.org/x/vuln/cmd/govulncheck@latest ``` 3. **Report findings** ``` ## Security Scan Results ### gosec (Code Analysis) | Severity | File | Line | Issue | |----------|------|------|-------| ### govulncheck (Dependencies) | Module | Vulnerability | Severity | Fixed In | |--------|--------------|----------|----------| ### Summary - Code issues: N (high: N, medium: N, low: N) - Vulnerable dependencies: N ``` 4. **For each finding**, suggest a specific fix or mitigation. ## CI Alignment The CI pipeline runs: ```bash gosec -exclude-generated -exclude-dir=internal/codesearch ./... ``` A separate `vulnerability.yml` workflow checks for dependency vulnerabilities. Running `/security-scan` locally catches both before pushing. ## Common gosec Rules | Rule | Description | Common Fix | |------|-------------|------------| | G101 | Hardcoded credentials | Use env vars | | G104 | Unhandled errors | Add error checks | | G304 | File path from variable | Validate/sanitize path | | G401 | Weak crypto (MD5/SHA1) | Use SHA-256+ | | G501 | Insecure TLS | Use TLS 1.2+ |
Related Skills
test
Run Go unit tests. Use after code changes to verify correctness.
reindex
Trigger reindexing of a specific WordPress extension. Use to rebuild the search index for a plugin, theme, or core version.
race-check
Run Go race detector to find data races in concurrent code. Use after any change to mutexes, goroutines, or channels.
profile
Run CPU and memory profiling with pprof to identify performance hotspots. Use when investigating high resource usage.
migrate
Create and manage database migrations using goose. Use for schema changes, new tables, or index optimization.
lint
Run golangci-lint and static analysis on Go code. Use before pushing or to check code quality.
integration-test
Run integration tests that require Docker (Postgres, MinIO via testcontainers). Use to validate database and storage behavior.
generate
Run go generate to build templ templates and frontend assets. Use after changing templates or CSS/JS.
deps
Check and tidy Go module dependencies. Use after adding/removing imports or before releases.
coverage
Run tests with coverage analysis and identify untested code paths. Use to find gaps before releases.
check
Run pre-push quality checks (vet + lint + tests with race detector). Use before pushing code.
benchmark
Run Go benchmarks and compare results to detect performance regressions. Use before and after performance-related changes.