Universal vulnerability detection patterns applicable across all programming languages. Includes hardcoded secrets, SQL/command injection, path traversal, and configuration file patterns.
This skill inherits all available tools. When active, it can use any tool Claude has access to.
Universal security patterns applicable to all programming languages.
## Hardcoded Secrets

Detection Pattern:

```regex
# API Keys
(?i)(api[_-]?key|apikey)\s*[:=]\s*['"][a-zA-Z0-9]{16,}['"]
# AWS Keys
(?:AKIA|ABIA|ACCA|ASIA)[A-Z0-9]{16}
# Private Keys
-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----
# Generic Secrets
(?i)(password|secret|token|credential)s?\s*[:=]\s*['"][^'"]{8,}['"]
# JWT Secrets
(?i)(jwt[_-]?secret|signing[_-]?key)\s*[:=]\s*['"][^'"]+['"]
```

The `(?i)` prefix is an inline case-insensitive flag understood by PCRE and Python; with `grep -E` use the `-i` switch instead.

Grep Commands:

```bash
# --include is left unquoted so the shell expands the braces into one --include
# flag per extension; quoted, grep receives the literal glob "*.{js,ts,...}" and matches nothing.
# API keys
grep -rn --include=*.{js,ts,py,java,go,rb} -E "(api[_-]?key|apikey)\s*[:=]\s*['\"][a-zA-Z0-9]{16,}['\"]" .
# AWS keys (same prefixes as the detection pattern above)
grep -rn -E "(AKIA|ABIA|ACCA|ASIA)[A-Z0-9]{16}" .
# Private keys
grep -rn "BEGIN.*PRIVATE KEY" .
# Password assignments
grep -rn --include=*.{js,ts,py,java,go,rb} -E "(password|secret)\s*[:=]\s*['\"][^'\"]{8,}['\"]" .
```

- Severity: High
- ASVS: V13.3.1 - Secrets not in version control
- CWE: CWE-798 (Hardcoded Credentials)
## SQL Injection

Detection Pattern:

```regex
# String concatenation in queries
(?i)(SELECT|INSERT|UPDATE|DELETE|FROM|WHERE).*\+\s*[a-zA-Z_]+
# f-string/template queries
(?i)f['"](SELECT|INSERT|UPDATE|DELETE).*\{
# Format string queries
(?i)(SELECT|INSERT|UPDATE|DELETE).*%\s*\(
# String interpolation
(?i)(SELECT|INSERT|UPDATE|DELETE).*\$\{
```

Grep Commands:

```bash
# Python f-string SQL
grep -rn --include="*.py" -E "f['\"]SELECT.*\{|f['\"]INSERT.*\{|f['\"]UPDATE.*\{|f['\"]DELETE.*\{" .
# JavaScript template SQL (single quotes keep the backtick and \$ away from the shell,
# so grep sees a literal backtick and a literal dollar sign)
grep -rn --include=*.{js,ts} -E '`SELECT.*\$\{|`INSERT.*\$\{|`UPDATE.*\$\{|`DELETE.*\$\{' .
# String concatenation SQL (all languages)
grep -rn -E "(SELECT|INSERT|UPDATE|DELETE).*\+.*\+" .
```

- Severity: Critical
- ASVS: V1.2.1 - Parameterized queries
- CWE: CWE-89 (SQL Injection)
## Command Injection

Detection Pattern:

```regex
# Shell execution with variables
(?i)(os\.system|subprocess\.call|exec|shell_exec|system)\s*\([^)]*\+
(?i)(os\.system|subprocess\.call|exec|shell_exec|system)\s*\([^)]*\$\{
(?i)(os\.system|subprocess\.call|exec|shell_exec|system)\s*\([^)]*f['"]
# Dangerous shell=True
subprocess\.[a-z]+\([^)]*shell\s*=\s*True
```

Grep Commands:

```bash
# Python os.system
grep -rn --include="*.py" -E "os\.system\s*\(.*\+" .
# Python subprocess shell=True
grep -rn --include="*.py" "shell\s*=\s*True" .
# Node.js exec (--include unquoted so the braces expand to one flag per extension)
grep -rn --include=*.{js,ts} -E "exec\s*\(.*\+" .
# PHP system calls
grep -rn --include="*.php" -E "(system|exec|shell_exec|passthru)\s*\(" .
```

- Severity: Critical
- ASVS: V1.2.3 - OS command injection prevention
- CWE: CWE-78 (OS Command Injection)
## Path Traversal

Detection Pattern:

```regex
# Direct path concatenation
(?i)(open|read|write|file|path)\s*\([^)]*\+.*\)
(?i)(open|read|write|file|path)\s*\([^)]*\$\{.*\)
# No path validation (uses a negative lookahead, which is PCRE-only: run it with grep -P, not -E)
os\.path\.join\s*\([^)]*,[^)]*\)(?!.*resolve|.*is_relative)
```

Grep Commands:

```bash
# Python file operations with variables
grep -rn --include="*.py" -E "open\s*\(.*\+" .
# Node.js file operations (--include unquoted so the braces expand to one flag per extension)
grep -rn --include=*.{js,ts} -E "(readFile|writeFile|createReadStream)\s*\(.*\+" .
# Check for missing path validation
grep -rn --include="*.py" "os\.path\.join" . | grep -v "resolve\|is_relative"
```

- Severity: High
- ASVS: V5.4.1 - Path traversal prevention
- CWE: CWE-22 (Path Traversal)
## Environment Files (.env)

Detection Pattern:

```regex
# Sensitive keys in .env
(?i)(password|secret|token|api[_-]?key|private[_-]?key)\s*=\s*[^\s]+
```

Grep Commands:

```bash
# grep -E does not understand the inline (?i) flag; -i gives the case-insensitive match
grep -rniE "(password|secret|token|api.?key)=" .env* 2>/dev/null
```

- Severity: High
- ASVS: V13.3.1 - Secrets management
- CWE: CWE-798 (Hardcoded Credentials)
## Docker Configuration

Detection Pattern:

```regex
# Privileged mode
--privileged
privileged:\s*true
# Running as root
USER\s+root
# Exposed secrets
ENV\s+(PASSWORD|SECRET|API_KEY|TOKEN)\s*=
```

Grep Commands:

```bash
grep -rn "privileged" Dockerfile docker-compose.yml 2>/dev/null
grep -rn "USER root" Dockerfile 2>/dev/null
grep -rn -E "ENV.*(PASSWORD|SECRET|API_KEY)" Dockerfile 2>/dev/null
```

- Severity: High
- ASVS: V13.2.1 - Secure configuration
- CWE: CWE-250 (Excessive Privilege)
## Quick Scan Script

Use this script for rapid vulnerability detection:

```bash
#!/bin/bash
# quick-security-scan.sh
# One --include flag per extension: the array assignment is unquoted so the shell
# expands the braces; a quoted "*.{js,ts}" would reach grep as a literal glob and match nothing.
SRC=(--include=*.{js,ts,py,java,go,rb,php})
echo "=== Quick Security Scan ==="
echo -e "\n[1] Hardcoded Secrets"
grep -rn "${SRC[@]}" -E "(api[_-]?key|password|secret)\s*[:=]\s*['\"][^'\"]{8,}['\"]" . 2>/dev/null | head -20
echo -e "\n[2] SQL Injection Patterns"
grep -rn "${SRC[@]}" -E "(SELECT|INSERT|UPDATE|DELETE).*\+" . 2>/dev/null | head -20
echo -e "\n[3] Command Injection"
grep -rn --include="*.py" "shell\s*=\s*True" . 2>/dev/null
grep -rn --include=*.{js,ts} -E "exec\s*\(|spawn\s*\(" . 2>/dev/null | head -10
echo -e "\n[4] Unsafe Deserialization"
grep -rn --include="*.py" "pickle\.load\|yaml\.load" . 2>/dev/null
grep -rn --include="*.java" "ObjectInputStream\|readObject" . 2>/dev/null
echo -e "\n[5] Weak Cryptography"
grep -rn --include=*.{py,java,go} -E "md5|sha1|DES|RC4" . 2>/dev/null | head -10
echo -e "\n[6] Debug/Dev Settings"
grep -rn --include="*.py" "DEBUG\s*=\s*True" . 2>/dev/null
grep -rn "NODE_ENV.*development" . 2>/dev/null
echo -e "\n=== Scan Complete ==="
```
## PreToolUse Hook Actions

When using these patterns in PreToolUse hooks:

| Severity | Action | Response Time |
|---|---|---|
| Critical | Block | Immediate |
| High | Block/Warn | Immediate |
| Medium | Warn | Deferred |
| Low | Log | Async |
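As an added example (not code from this skill file), a small Python scanner that compiles five of the detection patterns above with the severity and CWE the skill assigns to them, runs them over constructed sample lines, and maps the worst hit to the action table. The PreToolUse contract in the `__main__` block (JSON on stdin carrying `tool_input.content`, exit status 2 to block) is an assumption, not something this page states.

```python
import json
import re
import sys

# Constructed subset of the detection patterns above: (name, CWE, severity, regex).
RULES = [(n, c, s, re.compile(p)) for n, c, s, p in [
    ("hardcoded-secret", "CWE-798", "High",
     r"""(?i)(password|secret|token|credential)s?\s*[:=]\s*['"][^'"]{8,}['"]"""),
    ("aws-access-key", "CWE-798", "High", r"(?:AKIA|ABIA|ACCA|ASIA)[A-Z0-9]{16}"),
    ("sql-fstring", "CWE-89", "Critical", r"""(?i)f['"](SELECT|INSERT|UPDATE|DELETE).*\{"""),
    ("subprocess-shell-true", "CWE-78", "Critical", r"subprocess\.[a-z]+\([^)]*shell\s*=\s*True"),
    ("path-concat", "CWE-22", "High", r"""(?i)(open|read|write|file|path)\s*\([^)]*\+.*\)"""),
]]
RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}

def scan(text):
    """One (line_no, rule_name, cwe, severity) tuple per rule that hits a line."""
    return [(n, name, cwe, sev)
            for n, line in enumerate(text.splitlines(), 1)
            for name, cwe, sev, rx in RULES if rx.search(line)]

def hook_action(findings, block_high=False):
    """Worst finding -> action table: Critical blocks, High blocks or warns
    (block_high picks which), Medium warns, Low logs, nothing found allows."""
    if not findings:
        return "allow"
    worst = max(RANK[sev] for _, _, _, sev in findings)
    if worst == 3 or (block_high and worst == 2):
        return "block"
    return "warn" if worst >= 1 else "log"

# Constructed sample. Line 3 reads the secret from the environment and must not
# fire: the secret pattern only matches a quoted literal after '=' or ':'.
SAMPLE = """\
db_password = "hunter2hunter2"
aws_key = "AKIAIOSFODNN7EXAMPLE"
password = os.environ["DB_PASSWORD"]
cur.execute(f"SELECT * FROM users WHERE name = '{name}'")
subprocess.run(cmd, shell=True)
fh = open(base_dir + user_file)
"""

if __name__ == "__main__":
    # Assumed hook contract (not stated on this page): PreToolUse passes JSON on
    # stdin with tool_input.content; exit status 2 blocks the tool call.
    payload = json.load(sys.stdin) if not sys.stdin.isatty() else {}
    found = scan(payload.get("tool_input", {}).get("content", SAMPLE))
    for n, name, cwe, sev in found:
        print(f"line {n}: {name} [{sev}, {cwe}]", file=sys.stderr)
    sys.exit(2 if hook_action(found) == "block" else 0)
```

Run interactively it scans the embedded sample; fed the assumed hook payload on stdin it scans the content being written instead.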
## Related Skills

- vuln-patterns-languages - Language-specific patterns
- remediation-injection - SQL/command injection fixes
- remediation-auth - Secrets management fixes