
static-vulnerability-detector

Scans source code for security vulnerabilities by applying Project CodeGuard rules — injection, unsafe deserialization, XSS, path traversal, broken access control. Use when performing a security audit, when reviewing a PR that touches request handlers or database queries, when the user asks for a vulnerability scan, or when wiring security checks into CI.

Install with Tessl CLI

npx tessl i github:santosomar/general-secure-coding-agent-skills --skill static-vulnerability-detector


Quality: 86% (does it follow best practices?)

Impact: pending (no eval scenarios have been run)


Static Vulnerability Detector

This skill delegates to Project CodeGuard — the CoSAI open-source, model-agnostic security framework. Rather than maintaining a parallel vulnerability taxonomy, it dispatches to CodeGuard's rule set by language and sink class.

Upstream: https://github.com/cosai-oasis/project-codeguard/tree/main/skills/software-security

Dispatch

Given the language of the code under review, apply these CodeGuard rules:

Finding class                           CodeGuard rule
SQL/NoSQL/LDAP/OS-command injection     codeguard-0-input-validation-injection
XXE, unsafe deserialization             codeguard-0-xml-and-serialization
XSS, DOM sinks, CSP, CSRF               codeguard-0-client-side-web-security
Path traversal, upload validation       codeguard-0-file-handling-and-uploads
IDOR, missing authz, mass assignment    codeguard-0-authorization-access-control
SSRF, missing authn, rate limits        codeguard-0-api-web-services

For the full language→rules table, see the upstream SKILL.md. Always-apply rules (codeguard-1-hardcoded-credentials, codeguard-1-crypto-algorithms, codeguard-1-digital-certificates) run regardless of language.

Workflow

  1. Detect the language(s) in scope.
  2. Load the CodeGuard rules from the dispatch table above.
  3. Apply each rule's detection patterns; emit findings in the rule's prescribed format (CWE, severity, source→sink trace, remediation).
  4. Surface which CodeGuard rules fired in the final report.
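
The four workflow steps above, as an added example that is not the skill's or Project CodeGuard's own code: a minimal Python scanner that detects the language from the file extension, selects the rule classes for that language plus the always-apply rules, runs simplified source→sink patterns over a constructed vulnerable snippet and a hardened one, and emits findings carrying the CWE, severity, source→sink line numbers and remediation, together with the list of rules that fired. Only the rule identifiers come from the dispatch table; the detection regexes, the language→rule subset, the CWE mappings, severities, remediation strings and both sample inputs are this example's own assumptions.

```python
import json
import os
import re
from dataclasses import dataclass, asdict


@dataclass
class Finding:
    rule: str          # CodeGuard rule id taken from the dispatch table
    cwe: str
    severity: str
    source_line: int   # where untrusted input enters; 0 when the rule has no taint source
    sink_line: int
    remediation: str


# Finding class -> (CodeGuard rule id, CWE, severity, remediation).
# Rule ids are from the skill's table; CWE ids, severities and fixes are this example's own.
DISPATCH = {
    "injection": ("codeguard-0-input-validation-injection", "CWE-89", "high",
                  "Bind user input with a parameterised query instead of string concatenation."),
    "path-traversal": ("codeguard-0-file-handling-and-uploads", "CWE-22", "high",
                       "Resolve the path and reject it unless it stays under the allowed base directory."),
    "hardcoded-credentials": ("codeguard-1-hardcoded-credentials", "CWE-798", "high",
                              "Load the secret from a vault or environment variable and rotate it."),
}
# Step 2: rule classes per language (illustrative subset) plus the always-apply rules.
LANGUAGE_RULES = {"python": ["injection", "path-traversal"]}
ALWAYS_APPLY = ["hardcoded-credentials"]

# Step 3: simplified detection patterns (assumed for this example, not CodeGuard's own).
SOURCE_RE = re.compile(r"^\s*(\w+)\s*=.*request\.args\[")   # taint source: request parameter
SQL_SINK_RE = re.compile(r"\.execute\(")                      # database query sink
FILE_SINK_RE = re.compile(r"\bopen\(")                        # filesystem sink
CRED_RE = re.compile(r"^\s*\w*(password|secret|token)\w*\s*=\s*['\"]", re.IGNORECASE)
INTERPOLATION = ("+", "%", ".format(", 'f"', "f'")           # query built from pieces


def detect_language(filename):
    """Step 1: the language in scope, from the file extension."""
    return {".py": "python", ".js": "javascript"}.get(os.path.splitext(filename)[1], "unknown")


def find_sources(lines):
    """Map each variable assigned from request input to the line where it became tainted."""
    sources = {}
    for n, line in enumerate(lines, 1):
        m = SOURCE_RE.match(line)
        if m:
            sources[m.group(1)] = n
    return sources


def _finding(cls, source_line, sink_line):
    rule, cwe, severity, fix = DISPATCH[cls]
    return Finding(rule, cwe, severity, source_line, sink_line, fix)


def scan(filename, code):
    """Run the rules selected for the file's language plus the always-apply rules."""
    lines = code.splitlines()
    classes = LANGUAGE_RULES.get(detect_language(filename), []) + ALWAYS_APPLY
    sources = find_sources(lines)
    findings = []
    for n, line in enumerate(lines, 1):
        tainted = [v for v in sources if re.search(rf"\b{re.escape(v)}\b", line)]
        if ("injection" in classes and tainted and SQL_SINK_RE.search(line)
                and any(t in line for t in INTERPOLATION)):
            findings.append(_finding("injection", sources[tainted[0]], n))
        if "path-traversal" in classes and tainted and FILE_SINK_RE.search(line):
            findings.append(_finding("path-traversal", sources[tainted[0]], n))
        if "hardcoded-credentials" in classes and CRED_RE.match(line):
            findings.append(_finding("hardcoded-credentials", 0, n))
    return findings


def report(findings):
    """Step 4: findings in the prescribed shape plus the rules that fired."""
    return {"findings": [asdict(f) for f in findings],
            "rules_fired": sorted({f.rule for f in findings})}


# Constructed sample inputs (not real project code).
VULNERABLE_PY = """\
import os
import sqlite3
DB_PASSWORD = "hunter2"
def get_user(conn, request):
    name = request.args["name"]
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
    return cur.fetchall()
def read_file(request):
    path = os.path.join("/srv/files", request.args["f"])
    return open(path).read()
"""

HARDENED_PY = """\
import os
import sqlite3
DB_PASSWORD = os.environ["DB_PASSWORD"]
def get_user(conn, request):
    name = request.args["name"]
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))
    return cur.fetchall()
"""

if __name__ == "__main__":
    print(json.dumps(report(scan("app.py", VULNERABLE_PY)), indent=2))
    print(json.dumps(report(scan("app.py", HARDENED_PY)), indent=2))
```

Scanning a file whose extension maps to no language (for instance `notes.txt`) still runs the always-apply credential rule, which is the behaviour the "regardless of language" sentence describes; the hardened sample produces no findings because the query is parameterised and the secret is read from the environment.
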

Repository: santosomar/general-secure-coding-agent-skills
