TopRank Skills

Vulnerability Scanner

Stars: 0
Installs: 0
Status: ACTIVE
Visibility: PUBLIC

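Installation

Copy the prompt below and send it to your AI assistant to complete the installation.

First check whether the SkillHub store is installed. If it is not, install the SkillHub store by following https://skillhub-1388575217.cos.ap-guangzhou.myqcloud.com/install/skillhub.md, then install the Vulnerability Scanner skill. If it is already installed, install the Vulnerability Scanner skill directly.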

Overview

Skill Key: brandonwise/vulnerability-scanner
Author: brandonwise
Source Repo: openclaw/skills
Version: -
Source Path: skills/brandonwise/vulnerability-scanner
Latest Commit SHA: d6e0b7d43ef9fade4387990a5cf7be82f6b401e4

Extracted Content

SKILL.md excerpt

# Vulnerability Scanner

Advanced vulnerability analysis for OWASP 2025, supply chain security, attack surface mapping, and risk prioritization.

## Description

USE WHEN:
- Auditing code for security vulnerabilities
- Reviewing dependencies for supply chain risks
- Scanning for hardcoded secrets or credentials
- Identifying dangerous code patterns (injection, XSS, deserialization)
- Preparing for security audits or penetration tests
- Prioritizing vulnerability remediation by risk

DON'T USE WHEN:
- Need runtime dynamic analysis (use actual pentest tools)
- Scanning compiled binaries (this is source-code focused)
- Need compliance-specific audits (PCI-DSS, HIPAA have dedicated tools)

## Scripts

| Script | Purpose | Usage |
|--------|---------|-------|
| `scripts/security_scan.py` | Full security scan | `python scripts/security_scan.py <path> [--scan-type all\|deps\|secrets\|patterns\|config]` |

### Quick Start

```bash
# Full scan
python scripts/security_scan.py /path/to/project

# Just check for secrets
python scripts/security_scan.py /path/to/project --scan-type secrets

# Summary output
python scripts/security_scan.py /path/to/project --output summary
```

## Reference Files

| File | Purpose |
|------|---------|
| [checklists.md](checklists.md) | OWASP Top 10, Auth, API, Data protection checklists |

---

## 1. Security Expert Mindset

### Core Principles

| Principle | Application |
|-----------|-------------|
| **Assume Breach** | Design as if the attacker is already inside |
| **Zero Trust** | Never trust, always verify |
| **Defense in Depth** | Multiple layers, no single point of failure |
| **Least Privilege** | Minimum required access only |
| **Fail Secure** | On error, deny access |

### Threat Modeling Questions

Before scanning, ask:
1. What are we protecting? (Assets)
2. Who would attack? (Threat actors)
3. How would they attack? (Attack vectors)
4. What's the impact? (Business risk)

---

## 2. OWASP Top 10:2025

### Risk Categories

| Rank | Category | Think A...
