# Security Scan Report

---

## Header

**Project:** [Name of the project or directory that was scanned]
**Scan timestamp:** [ISO 8601 — e.g. 2026-02-19T14:03:22Z]
**Scope:** [Absolute or relative path(s) passed to the scan command — e.g. `./plugins/llm-security` or `**/*.md, hooks/`]
**Scan type:** [One of: full | secrets | injection | permissions | mcp | supply-chain]
**Triggered by:** [Command invocation string — e.g. `/security scan ./plugins`]

---

## Executive Summary

| Field | Value |
|-------|-------|
| Verdict | [ALLOW / WARNING / BLOCK] |
| Risk score | [0–100 integer] |
| Critical findings | [count] |
| High findings | [count] |
| Medium findings | [count] |
| Low findings | [count] |
| Info findings | [count] |
| Files scanned | [count] |
| Scan duration | [e.g. 4.2 s] |

**Verdict rationale:** [1–2 sentences explaining why this verdict was chosen. BLOCK = at least one Critical; WARNING = High or multiple Medium; ALLOW = Low/Info only.]

---

## Findings

Findings are sorted Critical → High → Medium → Low → Info within each section.
Each finding ID is formatted `SCN-[NNN]` (e.g. `SCN-001`).

### Critical

> No Critical findings — omit this section if empty.

| ID | Category | File / Location | Line | Description |
|----|----------|-----------------|------|-------------|
| SCN-001 | [Category — see list below] | [path/to/file.md] | [L42] | [Short description of the issue] |

**SCN-001 Detail**

- **Severity:** Critical
- **Category:** [Secrets / Injection / Permissions / Supply Chain / MCP Trust / Destructive / Output Handling / Other]
- **File:** [Full relative path]
- **Line(s):** [Line range or N/A]
- **OWASP LLM Reference:** [e.g. LLM02:2025 Sensitive Information Disclosure]
- **Description:** [Full explanation of what was found and why it is a risk]
- **Evidence:** [Exact excerpt or pattern that triggered the finding — redact actual secret values]
- **Remediation:** [Concrete, actionable fix with example if applicable]

---

### High

> No High findings — omit this section if empty.

| ID | Category | File / Location | Line | Description |
|----|----------|-----------------|------|-------------|
| SCN-002 | [Category] | [path/to/file.md] | [L17] | [Short description] |

**SCN-002 Detail**

- **Severity:** High
- **Category:** [Category]
- **File:** [path]
- **Line(s):** [range]
- **OWASP LLM Reference:** [reference]
- **Description:** [explanation]
- **Evidence:** [excerpt]
- **Remediation:** [fix]

---

### Medium

> No Medium findings — omit this section if empty.

| ID | Category | File / Location | Line | Description |
|----|----------|-----------------|------|-------------|
| SCN-003 | [Category] | [path/to/file.md] | [L5] | [Short description] |

*(Follow same detail block format as Critical/High above)*

---

### Low

> No Low findings — omit this section if empty.

| ID | Category | File / Location | Line | Description |
|----|----------|-----------------|------|-------------|
| SCN-004 | [Category] | [path/to/file.md] | [L88] | [Short description] |

*(Follow same detail block format)*

---

### Info

> Informational observations that do not require immediate action.

| ID | Category | File / Location | Observation |
|----|----------|-----------------|-------------|
| SCN-005 | [Category] | [path/to/file.md] | [Observation] |

---

## Supply Chain Assessment

> Include this section when scan type is `supply-chain`, `mcp`, or `full`.
> Omit for narrow scans (e.g. secrets-only).

| Component | Type | Source | Trust score | Notes |
|-----------|------|--------|-------------|-------|
| [plugin-name / mcp-server-name] | [Plugin / MCP / Hook] | [URL or local path] | [0–10] | [Verification status] |

**Source verification:** [Were sources verified against known-good hashes, npm provenance, or GitHub releases? Describe outcome.]

**Permissions analysis:**

- Requested tools: [list]
- Minimum necessary tools: [list]
- Over-permissioned: [Yes / No — explain if Yes]

**Supply chain risk summary:** [1–3 sentences on overall supply chain health]

---

## Recommendations

Prioritized by risk. Address Critical and High items before merge/deploy.

| Priority | Finding ID(s) | Action | Effort |
|----------|---------------|--------|--------|
| 1 | SCN-001 | [Actionable step] | [Low / Medium / High] |
| 2 | SCN-002 | [Actionable step] | [Low / Medium / High] |
| 3 | SCN-003, SCN-004 | [Actionable step] | [Low / Medium / High] |

**Quick wins (< 5 min):** [List any findings that can be fixed in under 5 minutes — e.g. removing a hardcoded token, adding a `.gitignore` entry]

---

## Footer

| Field | Value |
|-------|-------|
| llm-security version | [e.g. 0.1.0] |
| Scan engine | llm-security skill-scanner-agent / mcp-scanner-agent |
| Scan duration | [e.g. 4.2 s] |
| OWASP references | LLM Top 10 2025, Agentic AI Top 10 |
| Report generated | [ISO 8601 timestamp] |

---