security-scan

Run gosec and govulncheck to find security vulnerabilities. Use before releases or after dependency changes.

12 stars

Best use case

security-scan is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Run gosec and govulncheck to find security vulnerabilities. Use before releases or after dependency changes.

Teams using security-scan should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/security-scan/SKILL.md --create-dirs "https://raw.githubusercontent.com/PeterBooker/veloria/main/.claude/skills/security-scan/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/security-scan/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How security-scan Compares

Feature / Agentsecurity-scanStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Run gosec and govulncheck to find security vulnerabilities. Use before releases or after dependency changes.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Security Scanning

Run Go security scanners to find vulnerabilities in code and dependencies.

## Usage

- `/security-scan` - Full scan (gosec + govulncheck)
- `/security-scan ./internal/api/...` - Scan specific package with gosec

## Steps

1. **Run gosec (static analysis)**
   ```bash
   gosec -exclude-generated -exclude-dir=internal/codesearch $ARGUMENTS 2>&1
   ```

   If no arguments provided:
   ```bash
   gosec -exclude-generated -exclude-dir=internal/codesearch ./... 2>&1
   ```

   If gosec is not installed:
   ```bash
   go install github.com/securego/gosec/v2/cmd/gosec@latest
   ```

2. **Run govulncheck (dependency vulnerabilities)**
   ```bash
   govulncheck ./... 2>&1
   ```

   If govulncheck is not installed:
   ```bash
   go install golang.org/x/vuln/cmd/govulncheck@latest
   ```

3. **Report findings**
   ```
   ## Security Scan Results

   ### gosec (Code Analysis)
   | Severity | File | Line | Issue |
   |----------|------|------|-------|

   ### govulncheck (Dependencies)
   | Module | Vulnerability | Severity | Fixed In |
   |--------|--------------|----------|----------|

   ### Summary
   - Code issues: N (high: N, medium: N, low: N)
   - Vulnerable dependencies: N
   ```

4. **For each finding**, suggest a specific fix or mitigation.

## CI Alignment

The CI pipeline runs:
```bash
gosec -exclude-generated -exclude-dir=internal/codesearch ./...
```

A separate `vulnerability.yml` workflow checks for dependency vulnerabilities.

Running `/security-scan` locally catches both before pushing.

## Common gosec Rules

| Rule | Description | Common Fix |
|------|-------------|------------|
| G101 | Hardcoded credentials | Use env vars |
| G104 | Unhandled errors | Add error checks |
| G304 | File path from variable | Validate/sanitize path |
| G401 | Weak crypto (MD5/SHA1) | Use SHA-256+ |
| G501 | Insecure TLS | Use TLS 1.2+ |

Related Skills

test

12
from PeterBooker/veloria

Run Go unit tests. Use after code changes to verify correctness.

reindex

12
from PeterBooker/veloria

Trigger reindexing of a specific WordPress extension. Use to rebuild the search index for a plugin, theme, or core version.

race-check

12
from PeterBooker/veloria

Run Go race detector to find data races in concurrent code. Use after any change to mutexes, goroutines, or channels.

profile

12
from PeterBooker/veloria

Run CPU and memory profiling with pprof to identify performance hotspots. Use when investigating high resource usage.

migrate

12
from PeterBooker/veloria

Create and manage database migrations using goose. Use for schema changes, new tables, or index optimization.

lint

12
from PeterBooker/veloria

Run golangci-lint and static analysis on Go code. Use before pushing or to check code quality.

integration-test

12
from PeterBooker/veloria

Run integration tests that require Docker (Postgres, MinIO via testcontainers). Use to validate database and storage behavior.

generate

12
from PeterBooker/veloria

Run go generate to build templ templates and frontend assets. Use after changing templates or CSS/JS.

deps

12
from PeterBooker/veloria

Check and tidy Go module dependencies. Use after adding/removing imports or before releases.

coverage

12
from PeterBooker/veloria

Run tests with coverage analysis and identify untested code paths. Use to find gaps before releases.

check

12
from PeterBooker/veloria

Run pre-push quality checks (vet + lint + tests with race detector). Use before pushing code.

benchmark

12
from PeterBooker/veloria

Run Go benchmarks and compare results to detect performance regressions. Use before and after performance-related changes.