Security Scanning and Vulnerability Testing

Your dependency audit shows 14 high-severity vulnerabilities, three of which are in packages you import directly and eleven are transitive. The security team wants a remediation plan by Friday. You could spend two days reading CVE reports and tracing dependency chains, or you could have an AI tool analyze the entire dependency tree, assess which vulnerabilities are actually exploitable in your codebase, and generate a prioritized fix plan in 30 minutes.

What You’ll Walk Away With

• Automated OWASP Top 10 scanning workflows integrated into your development cycle
• Dependency vulnerability auditing with AI-assisted risk assessment
• Prompt patterns for security-focused code review that catch real threats
• CI pipeline integration for continuous security scanning
• Penetration testing patterns that developers can run without security expertise

OWASP Top 10 Automated Scanning

Tip

Copy-paste prompt for OWASP scanning:

Perform a security audit of /src/api/ against the OWASP Top 10 (2021):

For each vulnerability category, check EVERY file in the directory:

A01 Broken Access Control:
- Are all routes protected by authentication middleware?
- Do endpoints check authorization (not just authentication)?
- Can users access other users' resources by changing IDs in the URL?

A02 Cryptographic Failures:
- Are passwords hashed with bcrypt/argon2 (not MD5/SHA1)?
- Are API tokens generated with cryptographically secure randomness?
- Is sensitive data encrypted at rest in the database?

A03 Injection:
- Are ALL database queries parameterized (no string concatenation)?
- Is user input validated and sanitized before processing?
- Are file paths validated to prevent path traversal?

For each finding, provide:
- Severity: Critical / High / Medium / Low
- Exact file and line number
- The vulnerable code snippet
- A concrete fix (not generic advice)
- A test case that would catch this vulnerability

Dependency Vulnerability Management

Cursor

Audit our project dependencies for security vulnerabilities:

1. Run npm audit and analyze the results
2. For each high/critical vulnerability:
   - Is it in a direct dependency or transitive?
   - Is the vulnerable code path actually reachable in our application?
   - What is the fix (upgrade, replace, or accept risk)?
3. Create a prioritized remediation plan:
   - P0: Exploitable in our code, fix immediately
   - P1: Potentially exploitable, fix this sprint
   - P2: Not exploitable but should fix for hygiene
   - P3: Accept risk with documentation

Check package-lock.json for the full dependency tree.
Show the upgrade path for each fixable vulnerability.

Claude Code

claude "Run a complete dependency security audit:
1. Execute: npm audit --json > /tmp/audit.json
2. Analyze the results and categorize by exploitability
3. For each critical/high finding, check if our code actually calls
   the vulnerable function (trace the import chain)
4. Generate a fix script that upgrades safe dependencies
5. For breaking upgrades, document what changes are needed
6. Create a summary report in /docs/security-audit.md

Run the fix script after generating it. Verify the build still passes."

Codex

Perform a dependency security audit:
1. Analyze all dependencies for known vulnerabilities
2. Trace each vulnerability to determine if it's reachable in our code
3. Generate safe dependency upgrades
4. Run the test suite after upgrades to verify nothing broke
5. Create a PR with the fixes and an audit report

Prioritize exploitable vulnerabilities over theoretical ones.

Security-Focused Code Review

Tip

Copy-paste prompt for security code review:

Review this pull request as a security engineer. You are looking for vulnerabilities
that could be exploited by a malicious user, not code style issues.

Check specifically for:
1. SQL injection: Any query built with string concatenation or template literals?
2. XSS: Any user input rendered without escaping?
3. CSRF: Any state-changing endpoint missing CSRF protection?
4. Auth bypass: Any endpoint that checks authentication but not authorization?
5. IDOR: Can a user access resources by guessing/iterating IDs?
6. Mass assignment: Are request bodies validated or passed directly to the database?
7. Rate limiting: Are sensitive endpoints (login, password reset) rate-limited?
8. Information disclosure: Do error responses leak internal details?
9. File upload: Are uploaded files validated for type, size, and content?
10. Secrets: Are any API keys, tokens, or credentials hardcoded?

For each finding, rate the severity and provide an exploit scenario:
"An attacker could... by sending this request: ..."

CI Pipeline Security Integration

Cursor

Use Background Agent to run security checks before pushing:

Before I push this branch, run a security checklist:
1. npm audit - any new vulnerabilities introduced?
2. Check the diff for hardcoded secrets (API keys, passwords, tokens)
3. Verify all new API endpoints have authentication middleware
4. Check that no new SQL queries use string interpolation
5. Verify new dependencies are from trusted publishers

If any check fails, tell me what to fix before pushing.

Claude Code

Integrate into CI with headless mode:

.github/workflows/security.yml

security-scan:
  runs-on: ubuntu-latest
  steps:
    - uses: actions/checkout@v4
    - run: npm ci
    - name: Dependency audit
      run: npm audit --audit-level=high
    - name: Secret scanning
      run: |
        claude -p "Scan the git diff for secrets, credentials, or API keys:
        $(git diff origin/main...HEAD)
        Check for: AWS keys (AKIA), GitHub tokens (ghp_), generic API keys,
        passwords in config files, private keys, connection strings with passwords.
        Output JSON: {found: boolean, secrets: [{type, file, line}]}
        Exit 1 if any secrets found."
    - name: Security review
      run: |
        claude -p "Review changed files for security vulnerabilities:
        $(git diff --name-only origin/main...HEAD)
        Focus on: injection, auth bypass, IDOR, XSS.
        Output JSON with severity ratings. Exit 1 if critical issues found."

Codex

Configure Codex for automated security review on PRs:

When reviewing PRs, check for security issues:
1. Scan changed files for common vulnerability patterns
2. Check new dependencies against vulnerability databases
3. Verify authentication on new endpoints
4. Flag any secrets or credentials in the diff
5. Post findings as PR review comments with severity labels

Penetration Testing Patterns

Tip

Copy-paste prompt for API penetration testing:

Generate penetration test cases for our REST API. For each endpoint in /src/api/routes/:

1. Authentication bypass:
   - Send requests without Authorization header
   - Send expired/malformed JWT tokens
   - Send tokens from a different user

2. Authorization testing:
   - Access admin endpoints with regular user token
   - Access other users' resources by changing IDs
   - Try privilege escalation by modifying role in the request body

3. Input validation:
   - Send oversized payloads (> 1MB body)
   - Send malformed JSON
   - Send unexpected types (number where string expected)
   - Send SQL injection payloads in every string field
   - Send XSS payloads in every string field

4. Rate limiting:
   - Send 100 requests in 1 second to login endpoint
   - Verify rate limit headers are returned
   - Verify the limit actually blocks requests

Generate as a Playwright API test suite with clear pass/fail criteria.
Save to /tests/security/api-pentest.spec.ts

When This Breaks

“npm audit shows vulnerabilities but we cannot upgrade without breaking changes.” Use npm audit --omit=dev to filter to production dependencies only. For transitive vulnerabilities, check if the vulnerable path is reachable. Use npm audit fix --force with caution and a solid test suite as your safety net.

“Security scans produce too many false positives.” Tune your scanning rules. Exclude test files, mock data, and documentation from security scans. Customize the AI prompt to “only report vulnerabilities that could be exploited with a concrete attack scenario, not theoretical issues.”

“Developers resist security testing because it slows them down.” Make security scanning invisible. Run it in CI, not as a manual step. Only block PRs for critical and high severity issues. Let medium and low severity accumulate in a security backlog reviewed monthly.

“We do not have security expertise on the team.” This is exactly where AI shines. The prompts in this guide encode security expertise into a repeatable process. Start with the OWASP Top 10 scan and dependency audit — these catch the most common vulnerabilities with minimal expertise required.

What’s Next

Security Compliance Enterprise security standards and regulatory compliance.

CI/CD Pipelines Integrate security gates into your deployment pipeline.

API Testing Functional API testing alongside security testing.