Security Scanning and Vulnerability Testing

Your dependency audit shows 14 high-severity vulnerabilities, three of which are in packages you import directly and eleven are transitive. The security team wants a remediation plan by Friday. You could spend two days reading CVE reports and tracing dependency chains, or you could have an AI tool analyze the entire dependency tree, assess which vulnerabilities are actually exploitable in your codebase, and generate a prioritized fix plan in 30 minutes.

What You’ll Walk Away With

• Automated OWASP Top 10 scanning workflows integrated into your development cycle
• Dependency vulnerability auditing with AI-assisted risk assessment
• Prompt patterns for security-focused code review that catch real threats
• CI pipeline integration for continuous security scanning
• Penetration testing patterns that developers can run without security expertise

OWASP Top 10 Automated Scanning

Tip

Copy-paste prompt for OWASP scanning:

Perform a security audit of /src/api/ against the OWASP Top 10 (2021):

For each vulnerability category, check EVERY file in the directory:

A01 Broken Access Control:
- Are all routes protected by authentication middleware?
- Do endpoints check authorization (not just authentication)?
- Can users access other users' resources by changing IDs in the URL?

A02 Cryptographic Failures:
- Are passwords hashed with bcrypt/argon2 (not MD5/SHA1)?
- Are API tokens generated with cryptographically secure randomness?
- Is sensitive data encrypted at rest in the database?

A03 Injection:
- Are ALL database queries parameterized (no string concatenation)?
- Is user input validated and sanitized before processing?
- Are file paths validated to prevent path traversal?

For each finding, provide:
- Severity: Critical / High / Medium / Low
- Exact file and line number
- The vulnerable code snippet
- A concrete fix (not generic advice)
- A test case that would catch this vulnerability

Dependency Vulnerability Management

Cursor

Audit our project dependencies for security vulnerabilities:

1. Run npm audit and analyze the results
2. For each high/critical vulnerability:
   - Is it in a direct dependency or transitive?
   - Is the vulnerable code path actually reachable in our application?
   - What is the fix (upgrade, replace, or accept risk)?
3. Create a prioritized remediation plan:
   - P0: Exploitable in our code, fix immediately
   - P1: Potentially exploitable, fix this sprint
   - P2: Not exploitable but should fix for hygiene
   - P3: Accept risk with documentation

Check package-lock.json for the full dependency tree.
Show the upgrade path for each fixable vulnerability.

Claude Code

claude "Run a complete dependency security audit:
1. Execute: npm audit --json > /tmp/audit.json
2. Analyze the results and categorize by exploitability
3. For each critical/high finding, check if our code actually calls
   the vulnerable function (trace the import chain)
4. Generate a fix script that upgrades safe dependencies
5. For breaking upgrades, document what changes are needed
6. Create a summary report in /docs/security-audit.md

Run the fix script after generating it. Verify the build still passes."

Codex

The audit prompt is the same as the others — only the surface differs. Run it headless in CI with codex exec, or kick it off as a Codex Cloud task that opens a PR with the fixes:

codex exec --sandbox workspace-write \
  "Perform a dependency security audit:
  1. Run: npm audit --json
  2. Trace each high/critical vuln to determine if it's reachable in our code
  3. Generate safe dependency upgrades and apply them
  4. Run the test suite after upgrades to verify nothing broke
  5. Write an audit report to docs/security-audit.md

  Prioritize exploitable vulnerabilities over theoretical ones."

On the Cloud/IDE surface, point the same task at a branch and let Codex open the remediation PR for review.

Note

For AST-level static analysis instead of prompt-only review, add the Semgrep MCP server (GitHub: semgrep/mcp). It lets the agent run real Semgrep rules against your diff — catching taint flows and injection sinks that a prompt scan misses — then you tune the rule set before gating CI on it. It’s a remote/Python server (run via uvx semgrep-mcp or the hosted endpoint), not an npm package, and works identically across Cursor, Claude Code, and Codex. Prefer the prompt-only approach for a quick triage; reach for Semgrep MCP when you want repeatable, rule-based scanning. A lighter alternative is the semgrep Agent Skill (npx skills add trailofbits/skills), which teaches the agent to drive the Semgrep CLI without a persistent server connection.

Security-Focused Code Review

Tip

Copy-paste prompt for security code review:

Review this pull request as a security engineer. You are looking for vulnerabilities
that could be exploited by a malicious user, not code style issues.

Check specifically for:
1. SQL injection: Any query built with string concatenation or template literals?
2. XSS: Any user input rendered without escaping?
3. CSRF: Any state-changing endpoint missing CSRF protection?
4. Auth bypass: Any endpoint that checks authentication but not authorization?
5. IDOR: Can a user access resources by guessing/iterating IDs?
6. Mass assignment: Are request bodies validated or passed directly to the database?
7. Rate limiting: Are sensitive endpoints (login, password reset) rate-limited?
8. Information disclosure: Do error responses leak internal details?
9. File upload: Are uploaded files validated for type, size, and content?
10. Secrets: Are any API keys, tokens, or credentials hardcoded?

For each finding, rate the severity and provide an exploit scenario:
"An attacker could... by sending this request: ..."

CI Pipeline Security Integration

Cursor

Use Background Agent to run security checks before pushing:

Before I push this branch, run a security checklist:
1. npm audit - any new vulnerabilities introduced?
2. Check the diff for hardcoded secrets (API keys, passwords, tokens)
3. Verify all new API endpoints have authentication middleware
4. Check that no new SQL queries use string interpolation
5. Verify new dependencies are from trusted publishers

If any check fails, tell me what to fix before pushing.

Claude Code

Integrate into CI with headless mode:

.github/workflows/security.yml

security-scan:
  runs-on: ubuntu-latest
  steps:
    - uses: actions/checkout@v4
    - run: npm ci
    - name: Dependency audit
      run: npm audit --audit-level=high
    - name: Secret scanning
      run: |
        claude -p --output-format json \
        --json-schema '{"type":"object","properties":{"found":{"type":"boolean"},"secrets":{"type":"array","items":{"type":"object","properties":{"type":{"type":"string"},"file":{"type":"string"},"line":{"type":"integer"}}}}},"required":["found","secrets"]}' \
        "Scan the git diff for secrets, credentials, or API keys:
        $(git diff origin/main...HEAD)
        Check for: AWS keys (AKIA), GitHub tokens (ghp_), generic API keys,
        passwords in config files, private keys, connection strings with passwords." \
        | jq -e '.found == false'
    - name: Security review
      run: |
        claude -p --output-format json \
        "Review changed files for security vulnerabilities:
        $(git diff --name-only origin/main...HEAD)
        Focus on: injection, auth bypass, IDOR, XSS.
        Output a JSON array of findings with severity ratings."

Using --output-format json (and --json-schema for the secret scan) gives your CI wrapper schema-validated output to gate on with jq, rather than trusting the model to format a fenced object inline.

Codex

In Codex Cloud, configure a review automation that runs on every PR — it reviews the diff and posts findings as PR comments with severity labels, no wrapper script needed. For a self-hosted runner, mirror the Claude Code job with a headless codex exec:

# .github/workflows/security.yml (Codex variant)
- name: Codex security review
  run: |
    codex exec --sandbox read-only --json \
      --output-schema .github/sec-schema.json \
      "Review the changed files ($(git diff --name-only origin/main...HEAD))
      for injection, auth bypass, IDOR, XSS, and hardcoded secrets.
      Return findings with severity ratings." \
      | jq -e 'all(.findings[]; .severity != "critical")'

The prompt is identical to the Claude Code job; only the CLI surface and the schema flag (--output-schema vs --json-schema) differ.

Penetration Testing Patterns

Tip

Copy-paste prompt for API penetration testing:

Generate penetration test cases for our REST API. For each endpoint in /src/api/routes/:

1. Authentication bypass:
   - Send requests without Authorization header
   - Send expired/malformed JWT tokens
   - Send tokens from a different user

2. Authorization testing:
   - Access admin endpoints with regular user token
   - Access other users' resources by changing IDs
   - Try privilege escalation by modifying role in the request body

3. Input validation:
   - Send oversized payloads (> 1MB body)
   - Send malformed JSON
   - Send unexpected types (number where string expected)
   - Send SQL injection payloads in every string field
   - Send XSS payloads in every string field

4. Rate limiting:
   - Send 100 requests in 1 second to login endpoint
   - Verify rate limit headers are returned
   - Verify the limit actually blocks requests

Generate as a Playwright API test suite with clear pass/fail criteria.
Save to /tests/security/api-pentest.spec.ts

When This Breaks

“npm audit shows vulnerabilities but we cannot upgrade without breaking changes.” Use npm audit --omit=dev to filter to production dependencies only. For transitive vulnerabilities, check if the vulnerable path is reachable. Use npm audit fix --force with caution and a solid test suite as your safety net.

“Security scans produce too many false positives.” Tune your scanning rules. Exclude test files, mock data, and documentation from security scans. Customize the AI prompt to “only report vulnerabilities that could be exploited with a concrete attack scenario, not theoretical issues.”

“Developers resist security testing because it slows them down.” Make security scanning invisible. Run it in CI, not as a manual step. Only block PRs for critical and high severity issues. Let medium and low severity accumulate in a security backlog reviewed monthly.

“We do not have security expertise on the team.” This is exactly where AI shines. The prompts in this guide encode security expertise into a repeatable process. Start with the OWASP Top 10 scan and dependency audit — these catch the most common vulnerabilities with minimal expertise required.

What’s Next

Security Compliance Enterprise security standards and regulatory compliance.

CI/CD Pipelines Integrate security gates into your deployment pipeline.

API Testing Functional API testing alongside security testing.