vuln-patterns-core

Universal vulnerability detection patterns applicable across all programming languages. Includes hardcoded secrets, SQL/command injection, path traversal, and configuration file patterns.

6 stars

byZate

View on GitHub Installation ↓

Best use case

vuln-patterns-core is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Universal vulnerability detection patterns applicable across all programming languages. Includes hardcoded secrets, SQL/command injection, path traversal, and configuration file patterns.

Teams using vuln-patterns-core should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

You only need a quick one-off answer and do not need a reusable workflow.
You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/vuln-patterns-core/SKILL.md --create-dirs "https://raw.githubusercontent.com/Zate/cc-plugins/main/plugins/security/skills/vuln-patterns-core/SKILL.md"

Manual Installation

Download SKILL.md from GitHub
Place it in .claude/skills/vuln-patterns-core/SKILL.md inside your project
Restart your AI agent — it will auto-discover the skill

How vuln-patterns-core Compares

Feature / Agent	vuln-patterns-core	Standard Approach
Platform Support	Not specified	Limited / Varies
Context Awareness	High	Baseline
Installation Complexity	Unknown	N/A

Frequently Asked Questions

What does this skill do?

Universal vulnerability detection patterns applicable across all programming languages. Includes hardcoded secrets, SQL/command injection, path traversal, and configuration file patterns.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Vulnerability Patterns: Core

Universal security patterns applicable to all programming languages.

## When to Use This Skill

- **Live security hooks** - Real-time validation of code changes
- **Cross-language scanning** - Patterns that work on any codebase
- **Configuration audits** - Scanning env files, Docker, YAML configs

## When NOT to Use This Skill

- **Language-specific patterns** - Use vuln-patterns-languages skill
- **Full security audits** - Use domain auditor agents
- **Remediation guidance** - Use remediation-* skills

---

## Hardcoded Secrets

**Detection Pattern**:
```regex
# API Keys
(?i)(api[_-]?key|apikey)\s*[:=]\s*['"][a-zA-Z0-9]{16,}['"]

# AWS Keys
(?:AKIA|ABIA|ACCA|ASIA)[A-Z0-9]{16}

# Private Keys
-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----

# Generic Secrets
(?i)(password|secret|token|credential)s?\s*[:=]\s*['"][^'"]{8,}['"]

# JWT Secrets
(?i)(jwt[_-]?secret|signing[_-]?key)\s*[:=]\s*['"][^'"]+['"]
```

**Grep Commands**:
```bash
# API keys
grep -rn --include="*.{js,ts,py,java,go,rb}" -E "(api[_-]?key|apikey)\s*[:=]\s*['\"][a-zA-Z0-9]{16,}['\"]" .

# AWS keys
grep -rn -E "AKIA[A-Z0-9]{16}" .

# Private keys
grep -rn "BEGIN.*PRIVATE KEY" .

# Password assignments
grep -rn --include="*.{js,ts,py,java,go,rb}" -E "(password|secret)\s*[:=]\s*['\"][^'\"]{8,}['\"]" .
```

**Severity**: High
**ASVS**: V13.3.1 - Secrets not in version control
**CWE**: CWE-798 (Hardcoded Credentials)

---

## SQL Injection

**Detection Pattern**:
```regex
# String concatenation in queries
(?i)(SELECT|INSERT|UPDATE|DELETE|FROM|WHERE).*\+\s*[a-zA-Z_]+

# f-string/template queries
(?i)f['"](SELECT|INSERT|UPDATE|DELETE).*\{

# Format string queries
(?i)(SELECT|INSERT|UPDATE|DELETE).*%\s*\(

# String interpolation
(?i)(SELECT|INSERT|UPDATE|DELETE).*\$\{
```

**Grep Commands**:
```bash
# Python f-string SQL
grep -rn --include="*.py" -E "f['\"]SELECT.*\{|f['\"]INSERT.*\{|f['\"]UPDATE.*\{|f['\"]DELETE.*\{" .

# JavaScript template SQL
grep -rn --include="*.{js,ts}" -E "\`SELECT.*\$\{|\`INSERT.*\$\{|\`UPDATE.*\$\{|\`DELETE.*\$\{" .

# String concatenation SQL (all languages)
grep -rn -E "(SELECT|INSERT|UPDATE|DELETE).*\+.*\+" .
```

**Severity**: Critical
**ASVS**: V1.2.1 - Parameterized queries
**CWE**: CWE-89 (SQL Injection)

---

## Command Injection

**Detection Pattern**:
```regex
# Shell execution with variables
(?i)(os\.system|subprocess\.call|exec|shell_exec|system)\s*\([^)]*\+
(?i)(os\.system|subprocess\.call|exec|shell_exec|system)\s*\([^)]*\$\{
(?i)(os\.system|subprocess\.call|exec|shell_exec|system)\s*\([^)]*f['"]

# Dangerous shell=True
subprocess\.[a-z]+\([^)]*shell\s*=\s*True
```

**Grep Commands**:
```bash
# Python os.system
grep -rn --include="*.py" -E "os\.system\s*\(.*\+" .

# Python subprocess shell=True
grep -rn --include="*.py" "shell\s*=\s*True" .

# Node.js exec
grep -rn --include="*.{js,ts}" -E "exec\s*\(.*\+" .

# PHP system calls
grep -rn --include="*.php" -E "(system|exec|shell_exec|passthru)\s*\(" .
```

**Severity**: Critical
**ASVS**: V1.2.3 - OS command injection prevention
**CWE**: CWE-78 (OS Command Injection)

---

## Path Traversal

**Detection Pattern**:
```regex
# Direct path concatenation
(?i)(open|read|write|file|path)\s*\([^)]*\+.*\)
(?i)(open|read|write|file|path)\s*\([^)]*\$\{.*\)

# No path validation
os\.path\.join\s*\([^)]*,[^)]*\)(?!.*resolve|.*is_relative)
```

**Grep Commands**:
```bash
# Python file operations with variables
grep -rn --include="*.py" -E "open\s*\(.*\+" .

# Node.js file operations
grep -rn --include="*.{js,ts}" -E "(readFile|writeFile|createReadStream)\s*\(.*\+" .

# Check for missing path validation
grep -rn --include="*.py" "os\.path\.join" . | grep -v "resolve\|is_relative"
```

**Severity**: High
**ASVS**: V5.4.1 - Path traversal prevention
**CWE**: CWE-22 (Path Traversal)

---

## Configuration File Patterns

### .env Files

**Detection Pattern**:
```regex
# Sensitive keys in .env
(?i)(password|secret|token|api[_-]?key|private[_-]?key)\s*=\s*[^\s]+
```

**Grep Commands**:
```bash
grep -rn -E "(?i)(password|secret|token|api.?key)=" .env* 2>/dev/null
```

**Severity**: High
**ASVS**: V13.3.1 - Secrets management
**CWE**: CWE-798 (Hardcoded Credentials)

---

### Docker/Container

**Detection Pattern**:
```regex
# Privileged mode
--privileged
privileged:\s*true

# Running as root
USER\s+root

# Exposed secrets
ENV\s+(PASSWORD|SECRET|API_KEY|TOKEN)\s*=
```

**Grep Commands**:
```bash
grep -rn "privileged" Dockerfile docker-compose.yml 2>/dev/null
grep -rn "USER root" Dockerfile 2>/dev/null
grep -rn -E "ENV.*(PASSWORD|SECRET|API_KEY)" Dockerfile 2>/dev/null
```

**Severity**: High
**ASVS**: V13.2.1 - Secure configuration
**CWE**: CWE-250 (Excessive Privilege)

---

## Quick Scan Script

Use this script for rapid vulnerability detection:

```bash
#!/bin/bash
# quick-security-scan.sh

echo "=== Quick Security Scan ==="

echo -e "\n[1] Hardcoded Secrets"
grep -rn --include="*.{js,ts,py,java,go,rb,php}" -E "(api[_-]?key|password|secret)\s*[:=]\s*['\"][^'\"]{8,}['\"]" . 2>/dev/null | head -20

echo -e "\n[2] SQL Injection Patterns"
grep -rn --include="*.{js,ts,py,java,go,rb,php}" -E "(SELECT|INSERT|UPDATE|DELETE).*\+" . 2>/dev/null | head -20

echo -e "\n[3] Command Injection"
grep -rn --include="*.py" "shell\s*=\s*True" . 2>/dev/null
grep -rn --include="*.{js,ts}" -E "exec\s*\(|spawn\s*\(" . 2>/dev/null | head -10

echo -e "\n[4] Unsafe Deserialization"
grep -rn --include="*.py" "pickle\.load\|yaml\.load" . 2>/dev/null
grep -rn --include="*.java" "ObjectInputStream\|readObject" . 2>/dev/null

echo -e "\n[5] Weak Cryptography"
grep -rn --include="*.{py,java,go}" -E "md5|sha1|DES|RC4" . 2>/dev/null | head -10

echo -e "\n[6] Debug/Dev Settings"
grep -rn --include="*.py" "DEBUG\s*=\s*True" . 2>/dev/null
grep -rn "NODE_ENV.*development" . 2>/dev/null

echo -e "\n=== Scan Complete ==="
```

---

## Integration with Live Hooks

When using these patterns in PreToolUse hooks:

1. **Parse the file content** from the tool input
2. **Apply relevant patterns** based on file extension
3. **Return blocking result** for Critical/High severity matches
4. **Return warning** for Medium severity matches

### Pattern Matching Priority

| Severity | Action | Response Time |
|----------|--------|---------------|
| Critical | Block | Immediate |
| High | Block/Warn | Immediate |
| Medium | Warn | Deferred |
| Low | Log | Async |

### False Positive Mitigation

1. **Context awareness**: Check surrounding code for sanitization
2. **Allowlists**: Skip known-safe patterns (e.g., test files)
3. **Confidence scoring**: Multiple indicators increase confidence
4. **User overrides**: Allow explicit bypass with comments

---

## See Also

- `vuln-patterns-languages` - Language-specific patterns
- `remediation-injection` - SQL/command injection fixes
- `remediation-auth` - Secrets management fixes

Related Skills

vulnerability-patterns

from Zate/cc-plugins

Index of vulnerability detection pattern skills. Routes to core patterns (universal) and language-specific patterns for security scanning.

vuln-patterns-languages

from Zate/cc-plugins

Language-specific vulnerability detection patterns for JavaScript/TypeScript, Python, Go, Java, Ruby, and PHP. Provides regex patterns and grep commands for common security vulnerabilities.

Example Skill

from Zate/cc-plugins

Brief description of what this skill does and the domain expertise it provides.

scan

from Zate/cc-plugins

Run a security assessment using deterministic static analysis tools with LLM-powered triage

results

from Zate/cc-plugins

View the most recent security scan results without re-running the scan

remediation-library

from Zate/cc-plugins

Index of security remediation skills. Routes to specialized skills for injection, cryptography, authentication, and configuration vulnerabilities.

remediation-injection

from Zate/cc-plugins

Security fix patterns for injection vulnerabilities (SQL, Command, XSS). Provides language-specific code examples showing vulnerable and secure implementations.

remediation-crypto

from Zate/cc-plugins

Security fix patterns for cryptographic vulnerabilities (weak algorithms, insecure randomness, TLS issues). Provides language-specific secure implementations.

remediation-config

from Zate/cc-plugins

Security fix patterns for configuration and deployment vulnerabilities (path traversal, debug mode, security headers). Provides language-specific secure implementations.

remediation-auth

from Zate/cc-plugins

Security fix patterns for authentication and authorization vulnerabilities (credentials, JWT, deserialization, access control). Provides language-specific secure implementations.

fix

from Zate/cc-plugins

Fix or guide remediation for a specific security finding from the latest scan report

baseline

from Zate/cc-plugins

Create or update the project security baseline, profile, suppressions file, and gitignore entries for security scans