Vulnerability Scanning & Assessment

Vulnerability Scanning & Assessment

Purpose

Enable Claude to perform comprehensive vulnerability assessments by directly analyzing dependency files, configuration files, and scan output — then generating prioritized, actionable reports. Claude identifies vulnerabilities, calculates risk, and prescribes remediation with version specifics.

---

Activation Triggers

This skill activates when the user asks about:

• Scanning dependencies for known CVEs
• Auditing requirements.txt, package.json, go.mod, pom.xml, Cargo.toml
• Reviewing server configurations for security issues
• CVSS scoring or severity calculation
• Vulnerability assessment or security audit reports
• Checking software versions against known exploits
• Configuration hardening for nginx, Apache, SSH, Docker, Kubernetes
• NVD, OSV, or CVE database queries

---

Prerequisites

pip install requests packaging jinja2 pyyaml

Optional enhanced tools:

• nuclei — Template-based vulnerability scanner
• trivy — Container and filesystem scanner
• nmap with NSE scripts — Network vuln scanning
• openvas — Full vulnerability management

---

Core Capabilities

1. Dependency Vulnerability Auditing

Claude can directly read and analyze dependency files:

When the user asks to audit dependencies:

1. Read the dependency file using Claude's Read tool or ask the user to paste it
2. Identify package manager from file format:
   • requirements.txt / Pipfile.lock / pyproject.toml → Python/pip
   • package.json / package-lock.json / yarn.lock → Node.js/npm
   • go.mod / go.sum → Go modules
   • pom.xml / build.gradle → Java/Maven/Gradle
   • Cargo.toml / Cargo.lock → Rust/Cargo
   • Gemfile.lock → Ruby/Bundler
   • composer.lock → PHP/Composer
3. Extract exact versions for all direct and transitive dependencies
4. Query vulnerability databases — Claude can search NVD API, OSV, and GitHub Advisory Database for each package+version combination
5. Calculate CVSS v3.1 severity for each finding
6. Check for available patches — identify the minimum safe version
7. Generate prioritized remediation report

Use this command to run the automated audit:

python scripts/dependency_auditor.py --project-dir ./myapp --format json --output audit.json
python scripts/dependency_auditor.py --requirements requirements.txt --severity high,critical

Claude's native analysis — When running without scripts, analyze pasted dependency content directly:

• Flag packages with >= , *, or missing version pins (supply chain risk)
• Identify known high-risk packages (log4j, spring-core, struts, etc.)
• Cross-reference with CISA KEV (Known Exploited Vulnerabilities) catalog

2. Configuration Security Auditing

Claude can directly read and analyze configuration files:

When the user asks to audit a configuration:

Nginx Audit Checklist

[ ] ssl_protocols — Must NOT include SSLv2, SSLv3, TLSv1, TLSv1.1
[ ] ssl_ciphers — Must not include RC4, DES, MD5, EXPORT ciphers
[ ] server_tokens — Should be 'off' (hides version)
[ ] add_header X-Frame-Options — Required (SAMEORIGIN or DENY)
[ ] add_header X-Content-Type-Options — Required (nosniff)
[ ] add_header Strict-Transport-Security — Required (min 1 year)
[ ] add_header Content-Security-Policy — Required
[ ] autoindex — Must be 'off' (prevents directory listing)
[ ] client_max_body_size — Should be set (prevents DoS)
[ ] access_log / error_log — Must be enabled

SSH (sshd_config) Audit Checklist

[ ] PermitRootLogin — Should be 'no' or 'prohibit-password'
[ ] PasswordAuthentication — Should be 'no' (key-only)
[ ] PermitEmptyPasswords — Must be 'no'
[ ] Protocol — Should be '2' only
[ ] Port — Consider non-default port
[ ] AllowUsers / AllowGroups — Explicit allowlist preferred
[ ] MaxAuthTries — Should be 3-5
[ ] LoginGraceTime — Should be 30-60s
[ ] ClientAliveInterval — Enable session timeout
[ ] X11Forwarding — Should be 'no' if unused
[ ] UsePAM — Review PAM configuration

Docker/Dockerfile Audit Checklist

[ ] USER — Must not run as root; add non-root user
[ ] Image tags — Must not use 'latest'; pin specific digest
[ ] COPY vs ADD — Prefer COPY; ADD has implicit extraction risks
[ ] Secrets — No RUN commands with passwords/tokens
[ ] Multi-stage builds — Minimize attack surface
[ ] HEALTHCHECK — Define health monitoring
[ ] .dockerignore — Exclude .env, keys, secrets
[ ] Read-only filesystem — Use --read-only where possible

Kubernetes YAML Audit Checklist

[ ] securityContext.runAsNonRoot — Must be true
[ ] securityContext.readOnlyRootFilesystem — Should be true
[ ] securityContext.allowPrivilegeEscalation — Must be false
[ ] capabilities — Drop ALL, add only required
[ ] resources.limits — CPU and memory limits required
[ ] NetworkPolicy — Restrict pod-to-pod communication
[ ] ServiceAccount — Disable automount if not needed
[ ] secrets — Use sealed secrets or external vaults
[ ] hostPID/hostIPC/hostNetwork — Must be false
[ ] privileged — Must never be true in production

3. CVSS v3.1 Scoring

When the user asks to calculate CVSS or assess severity:

Claude can calculate CVSS v3.1 scores from the vector string or from a vulnerability description:

CVSS v3.1 Metrics:

Metric	Values	Description
Attack Vector (AV)	N/A/L/P	Network/Adjacent/Local/Physical
Attack Complexity (AC)	L/H	Low/High
Privileges Required (PR)	N/L/H	None/Low/High
User Interaction (UI)	N/R	None/Required
Scope (S)	U/C	Unchanged/Changed
Confidentiality (C)	N/L/H	None/Low/High
Integrity (I)	N/L/H	None/Low/High
Availability (A)	N/L/H	None/Low/High

Severity Ranges:

Score	Severity
0.0	None
0.1–3.9	Low
4.0–6.9	Medium
7.0–8.9	High
9.0–10.0	Critical

Example calculation:

• Remote unauthenticated RCE: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H → 10.0 (Critical)
• Local privilege escalation: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H → 7.8 (High)

python scripts/cvss_calculator.py --vector "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"

4. Network Vulnerability Scanning Integration

When the user provides Nmap scan results or asks to scan for vulnerabilities:

1. Parse Nmap XML/grepable output for open services and versions
2. Map each service+version to known CVEs
3. Flag services with default credentials (check CVE/common credential lists)
4. Identify critical misconfigurations (anonymous FTP, open relay, telnet, etc.)
5. Provide targeted Nmap NSE script commands for deeper testing:

# Vulnerability scanning with NSE
nmap -sV --script vuln -p 80,443,22,21,3389 target.com

# SMB vulnerability check (EternalBlue, etc.)
nmap -p 445 --script smb-vuln* target.com

# SSL/TLS vulnerability check
nmap -p 443 --script ssl-enum-ciphers,ssl-heartbleed,ssl-poodle target.com

5. Vulnerability Report Generation

When the user asks for a vulnerability report:

Generate reports in this structure:

# Vulnerability Assessment Report
**Target:** [Target Name/IP Range]
**Date:** [Date]
**Scope:** [Authorized scope]
**Assessor:** [Name]

---

## Executive Summary
[2-3 sentences: what was tested, total findings by severity, top risk]

## Finding Summary
| Severity | Count | Examples |
|----------|-------|---------|
| Critical | 2 | CVE-2021-44228 (Log4Shell), Unauthenticated RCE |
| High | 5 | Outdated TLS, SQLi in /api/users |
| Medium | 12 | Missing security headers, verbose errors |
| Low | 8 | Information disclosure, weak ciphers |
| Info | 15 | Version disclosure, directory listing |

---

## Findings Detail

### CRITICAL-01: [Finding Title]
**CVSS:** 9.8 (Critical) | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
**Affected:** [Package/Service] [Version]
**CVE:** [CVE-ID]
**Description:** [Clear technical description]
**Evidence:** [Proof the vulnerability exists]
**Remediation:** Upgrade to [Package] >= [SafeVersion]
**References:** [CVE link, advisory]

---

## Remediation Roadmap
| Priority | Action | Effort | Risk Reduction |
|----------|--------|--------|----------------|
| Immediate | Patch Log4j to 2.17.1+ | Low | Critical |
| This week | Upgrade express to 4.18.2 | Low | High |
| This month | Enable WAF rules | Medium | Medium |

---

Output Standards

Always produce findings with:

• CVE ID (where applicable)
• CVSS v3.1 score and vector
• Affected version and safe version
• PoC evidence (non-destructive confirmation only)
• Remediation steps with specific version numbers
• Compliance mapping (PCI-DSS, SOC2, CIS) where relevant

---

Script Reference

dependency_auditor.py

python scripts/dependency_auditor.py --project-dir ./myapp --format json --output audit.json
python scripts/dependency_auditor.py --requirements requirements.txt --severity high,critical

config_auditor.py

python scripts/config_auditor.py --type nginx --config /etc/nginx/nginx.conf --output audit.json
python scripts/config_auditor.py --type sshd --config /etc/ssh/sshd_config
python scripts/config_auditor.py --type dockerfile --config Dockerfile

cvss_calculator.py

python scripts/cvss_calculator.py --vector "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
python scripts/cvss_calculator.py --interactive

---

Skill Integration

Condition	Next Skill
Vulnerabilities confirmed → develop PoC	→ Skill 03 (Exploit Development)
Vulnerabilities found → apply fixes	→ Skill 15 (Blue Team Defense)
Auto-ticket for SOC	→ Skill 11 (CSOC Automation)
Discovered during recon	← Skill 01 (Recon & OSINT)

---

References

• NVD — National Vulnerability Database
• OSV — Open Source Vulnerabilities
• CISA KEV Catalog
• CVSS v3.1 Specification
• CIS Benchmarks
• OWASP Dependency-Check

---

v3.0 Enhancements (2026 Update)

Risk-based prioritization beyond raw CVSS:

• CVSS 4.0 — score with the current standard (Base/Threat/Environmental/Supplemental); show the vector string and note when only v3.1 data exists.
• EPSS + CISA KEV — combine CVSS severity × EPSS exploit-probability × KEV membership. A medium-CVSS CVE that is in the CISA Known Exploited Vulnerabilities catalog or has high EPSS outranks a high-CVSS CVE with no exploitation signal. Always state "patch-first" order on this combined basis.
• SBOM + VEX — generate a CycloneDX/SPDX SBOM of the project and emit VEX statements (affected / not_affected / fixed) so consumers know which CVEs are actually reachable.
• Reachability analysis — flag whether a vulnerable function is actually called (call-graph/import reachability) to cut false-positive noise from transitive deps.
• OSV.dev — query the OSV API for ecosystem-precise advisories (PyPI, npm, Go, crates, Maven) in addition to NVD.

Output rule: every finding row carries CVSS | EPSS | KEV(Y/N) | Reachable(Y/N/Unknown) | Fix.

Added references

• CISA KEV Catalog
• FIRST EPSS · OSV.dev · CVSS 4.0