vulnerability-scanning-assessment
Dependency auditing, CVE detection, configuration security review, CVSS scoring, and prioritized vulnerability reporting
适合你,如果需要在开发或部署前发现并修复已知安全漏洞。
用别的 agent?下载 .zip 解压,把文件夹放进它的技能目录
~/.claude/skills/(项目级 .claude/skills/)~/.codex/skills/npx oh-my-skill add masriyan/claude-code-cybersecurity-skill/vulnerability-scanning-assessmentcurl -fsSL https://oh-my-skill.com/install.sh | bash -s -- masriyan/claude-code-cybersecurity-skill/vulnerability-scanning-assessmentnpx oh-my-skill verify masriyan/claude-code-cybersecurity-skill/vulnerability-scanning-assessment怎么用
技能原文 SKILL.md
Vulnerability Scanning & Assessment
Purpose
Enable Claude to perform comprehensive vulnerability assessments by directly analyzing dependency files, configuration files, and scan output — then generating prioritized, actionable reports. Claude identifies vulnerabilities, calculates risk, and prescribes remediation with version specifics.
Activation Triggers
This skill activates when the user asks about:
- Scanning dependencies for known CVEs
- Auditing
requirements.txt,package.json,go.mod,pom.xml,Cargo.toml - Reviewing server configurations for security issues
- CVSS scoring or severity calculation
- Vulnerability assessment or security audit reports
- Checking software versions against known exploits
- Configuration hardening for nginx, Apache, SSH, Docker, Kubernetes
- NVD, OSV, or CVE database queries
Prerequisites
pip install requests packaging jinja2 pyyaml
Optional enhanced tools:
nuclei— Template-based vulnerability scannertrivy— Container and filesystem scannernmapwith NSE scripts — Network vuln scanningopenvas— Full vulnerability management
Core Capabilities
1. Dependency Vulnerability Auditing
Claude can directly read and analyze dependency files:
When the user asks to audit dependencies:
- Read the dependency file using Claude's Read tool or ask the user to paste it
- Identify package manager from file format:
requirements.txt/Pipfile.lock/pyproject.toml→ Python/pippackage.json/package-lock.json/yarn.lock→ Node.js/npmgo.mod/go.sum→ Go modulespom.xml/build.gradle→ Java/Maven/GradleCargo.toml/Cargo.lock→ Rust/CargoGemfile.lock→ Ruby/Bundlercomposer.lock→ PHP/Composer- Extract exact versions for all direct and transitive dependencies
- Query vulnerability databases — Claude can search NVD API, OSV, and GitHub Advisory Database for each package+version combination
- Calculate CVSS v3.1 severity for each finding
- Check for available patches — identify the minimum safe version
- Generate prioritized remediation report
Use this command to run the automated audit:
python scripts/dependency_auditor.py --project-dir ./myapp --format json --output audit.json python scripts/dependency_auditor.py --requirements requirements.txt --severity high,critical
Claude's native analysis — When running without scripts, analyze pasted dependency content directly:
- Flag packages with
>=,*, or missing version pins (supply chain risk) - Identify known high-risk packages (log4j, spring-core, struts, etc.)
- Cross-reference with CISA KEV (Known Exploited Vulnerabilities) catalog
2. Configuration Security Auditing
Claude can directly read and analyze configuration files:
When the user asks to audit a configuration:
Nginx Audit Checklist
[ ] ssl_protocols — Must NOT include SSLv2, SSLv3, TLSv1, TLSv1.1 [ ] ssl_ciphers — Must not include RC4, DES, MD5, EXPORT ciphers [ ] server_tokens — Should be 'off' (hides version) [ ] add_header X-Frame-Options — Required (SAMEORIGIN or DENY) [ ] add_header X-Content-Type-Options — Required (nosniff) [ ] add_header Strict-Transport-Security — Required (min 1 year) [ ] add_header Content-Security-Policy — Required [ ] autoindex — Must be 'off' (prevents directory listing) [ ] client_max_body_size — Should be set (prevents DoS) [ ] access_log / error_log — Must be enabled
SSH (sshd_config) Audit Checklist
[ ] PermitRootLogin — Should be 'no' or 'prohibit-password' [ ] PasswordAuthentication — Should be 'no' (key-only) [ ] PermitEmptyPasswords — Must be 'no' [ ] Protocol — Should be '2' only [ ] Port — Consider non-default port [ ] AllowUsers / AllowGroups — Explicit allowlist preferred [ ] MaxAuthTries — Should be 3-5 [ ] LoginGraceTime — Should be 30-60s [ ] ClientAliveInterval — Enable session timeout [ ] X11Forwarding — Should be 'no' if unused [ ] UsePAM — Review PAM configuration
Docker/Dockerfile Audit Checklist
[ ] USER — Must not run as root; add non-root user [ ] Image tags — Must not use 'latest'; pin specific digest [ ] COPY vs ADD — Prefer COPY; ADD has implicit extraction risks [ ] Secrets — No RUN commands with passwords/tokens [ ] Multi-stage builds — Minimize attack surface [ ] HEALTHCHECK — Define health monitoring [ ] .dockerignore — Exclude .env, keys, secrets [ ] Read-only filesystem — Use --read-only where possible
Kubernetes YAML Audit Checklist
[ ] securityContext.runAsNonRoot — Must be true [ ] securityContext.readOnlyRootFilesystem — Should be true [ ] securityContext.allowPrivilegeEscalation — Must be false [ ] capabilities — Drop ALL, add only required [ ] resources.limits — CPU and memory limits required [ ] NetworkPolicy — Restrict pod-to-pod communication [ ] ServiceAccount — Disable automount if not needed [ ] secrets — Use sealed secrets or external vaults [ ] hostPID/hostIPC/hostNetwork — Must be false [ ] privileged — Must never be true in production
3. CVSS v3.1 Scoring
When the user asks to calculate CVSS or assess severity:
Claude can calculate CVSS v3.1 scores from the vector string or from a vulnerability description:
CVSS v3.1 Metrics: | Metric | Values | Description | |--------|--------|-------------| | Attack Vector (AV) | N/A/L/P | Network/Adjacent/Local/Physical | | Attack Complexity (AC) | L/H | Low/High | | Privileges Required (PR) | N/L/H | None/Low/High | | User Interaction (UI) | N/R | None/Required | | Scope (S) | U/C | Unchanged/Changed | | Confidentiality (C) | N/L/H | None/Low/High | | Integrity (I) | N/L/H | None/Low/High | | Availability (A) | N/L/H | None/Low/High |
Severity Ranges: | Score | Severity | |-------|----------| | 0.0 | None | | 0.1–3.9 | Low | | 4.0–6.9 | Medium | | 7.0–8.9 | High | | 9.0–10.0 | Critical |
Example calculation:
- Remote unauthenticated RCE:
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H→ 10.0 (Critical) - Local privilege escalation:
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H→ 7.8 (High)
python scripts/cvss_calculator.py --vector "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
4. Network Vulnerability Scanning Integration
When the user provides Nmap scan results or asks to scan for vulnerabilities:
- Parse Nmap XML/grepable output for open services and versions
- Map each service+version to known CVEs
- Flag services with default credentials (check CVE/common credential lists)
- Identify critical misconfigurations (anonymous FTP, open relay, telnet, etc.)
- Provide targeted Nmap NSE script commands for deeper testing:
# Vulnerability scanning with NSE nmap -sV --script vuln -p 80,443,22,21,3389 target.com # SMB vulnerability check (EternalBlue, etc.) nmap -p 445 --script smb-vuln* target.com # SSL/TLS vulnerability check nmap -p 443 --script ssl-enum-ciphers,ssl-heartbleed,ssl-poodle target.com
5. Vulnerability Report Generation
When the user asks for a vulnerability report:
Generate reports in this structure:
# Vulnerability Assessment Report **Target:** [Target Name/IP Range] **Date:** [Date] **Scope:** [Authorized scope] **Assessor:** [Name] --- ## Executive Summary [2-3 sentences: what was tested, total findings by severity, top risk] ## Finding Summary | Severity | Count | Examples | |----------|-------|---------| | Critical | 2 | CVE-2021-44228 (Log4Shell), Unauthenticated RCE | | High | 5 | Outdated TLS, SQLi in /api/users | | Medium | 12 | Missing security headers, verbose errors | | Low | 8 | Information disclosure, weak ciphers | | Info | 15 | Version disclosure, directory listing | --- ## Findings Detail ### CRITICAL-01: [Finding Title] **CVSS:** 9.8 (Critical) | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H **Affected:** [Package/Service] [Version] **CVE:** [CVE-ID] **Description:** [Clear technical description] **Evidence:** [Proof the vulnerability exists] **Remediation:** Upgrade to [Package] >= [SafeVersion] **References:** [CVE link, advisory] --- ## Remediation Roadmap | Priority | Action | Effort | Risk Reduction | |----------|--------|--------|----------------| | Immediate | Patch Log4j to 2.17.1+ | Low | Critical | | This week | Upgrade express to 4.18.2 | Low | High | | This month | Enable WAF rules | Medium | Medium |
Output Standards
Always produce findings with:
- CVE ID (where applicable)
- CVSS v3.1 score and vector
- Affected version and safe version
- PoC evidence (non-destructive confirmation only)
- Remediation steps with specific version numbers
- Compliance mapping (PCI-DSS, SOC2, CIS) where relevant
Script Reference
dependency_auditor.py
python scripts/dependency_auditor.py --project-dir ./myapp --format json --output audit.json python scripts/dependency_auditor.py --requirements requirements.txt --severity high,critical
config_auditor.py
python scripts/config_auditor.py --type nginx --config /etc/nginx/nginx.conf --output audit.json python scripts/config_auditor.py --type sshd --config /etc/ssh/sshd_config python scripts/config_auditor.py --type dockerfile --config Dockerfile
cvss_calculator.py
python scripts/cvss_calculator.py --vector "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" python scripts/cvss_calculator.py --interactive
Skill Integration
| Condition | Next Skill | |-----------|------------| | Vulnerabilities confirmed → develop PoC | → Skill 03 (Exploit Development) | | Vulnerabilities found → apply fixes | → Skill 15 (Blue Team Defense) | | Auto-ticket for SOC | → Skill 11 (CSOC Automation) | | Discovered during recon | ← Skill 01 (Recon & OSINT) |
References
- NVD — National Vulnerability Database
- OSV — Open Source Vulnerabilities
- CISA KEV Catalog
- CVSS v3.1 Specification
- CIS Benchmarks
- OWASP Dependency-Check
v3.0 Enhancements (2026 Update)
Risk-based prioritization beyond raw CVSS:
- CVSS 4.0 — score with the current standard (Base/Threat/Environmental/Supplemental); show the vector string and note when only v3.1 data exists.
- EPSS + CISA KEV — combine CVSS severity × EPSS exploit-probability × KEV membership. A medium-CVSS CVE that is in the CISA Known Exploited Vulnerabilities catalog or has high EPSS outranks a high-CVSS CVE with no exploitation signal. Always state "patch-first" order on this combined basis.
- SBOM + VEX — generate a CycloneDX/SPDX SBOM of the project and emit VEX statements (
affected/not_affected/fixed) so consumers know which CVEs are actually reachable. - Reachability analysis — flag whether a vulnerable function is actually called (call-graph/import reachability) to cut false-positive noise from transitive deps.
- OSV.dev — query the OSV API for ecosystem-precise advisories (PyPI, npm, Go, crates, Maven) in addition to NVD.
Output rule: every finding row carries CVSS | EPSS | KEV(Y/N) | Reachable(Y/N/Unknown) | Fix.