f418a8fe08
Full port of llm-security plugin for internal use on Windows with GitHub Copilot CLI. Protocol translation layer (copilot-hook-runner.mjs) normalizes Copilot camelCase I/O to Claude Code snake_case format — all original hook scripts run unmodified. - 8 hooks with protocol translation (stdin/stdout/exit code) - 18 SKILL.md skills (Agent Skills Open Standard) - 6 .agent.md agent definitions - 20 scanners + 14 scanner lib modules (unchanged) - 14 knowledge files (unchanged) - 39 test files including copilot-port-verify.mjs (17 tests) - Windows-ready: node:path, os.tmpdir(), process.execPath, no bash Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
3.6 KiB
| name | description |
|---|---|
| security-scan | Scan files, directories, or repos for security issues — secrets, injection vulnerabilities, supply chain risks, OWASP LLM patterns |
Security Scan
Scan target for security issues. Accepts local paths or repository URLs.
Step 1: Resolve Target
- If
$ARGUMENTScontains--deep→ strip it, setrun_deep_scan = true - If
$ARGUMENTScontains--branch <name>→ strip it, setbranch = <name> - If
$ARGUMENTSis empty → target = current working directory - If
$ARGUMENTSstarts withhttps://→ clone the repo:
Setnode <plugin-root>/scanners/lib/git-clone.mjs clone "<url>" [--branch <branch>]clone_path= stdout (trimmed),target = clone_path - Otherwise →
target = $ARGUMENTS
IMPORTANT: Cleanup Guarantee (remote scans)
If clone_path is set, cleanup MUST run regardless of scan outcome:
node <plugin-root>/scanners/lib/git-clone.mjs cleanup "<clone_path>"
Step 1.5: Pre-extraction (remote scans only)
If remote, extract evidence safely before analysis:
node <plugin-root>/scanners/lib/fs-utils.mjs tmppath "content-extract.json"
node <plugin-root>/scanners/content-extractor.mjs "<target>" --output-file "<evidence_file>"
Step 2: Detect Scan Type
- Single .md file: skill scan only
- Directory: Glob for
**/commands/*.md,**/agents/*.md,**/skills/*/SKILL.md→ skill scan. Glob for**/.mcp.json,**/package.jsonwith mcpServers → MCP scan.
Step 3: Skill Security Analysis
Read <plugin-root>/knowledge/skill-threat-patterns.md and <plugin-root>/knowledge/secrets-patterns.md.
If remote (evidence package exists): Read the evidence JSON. Analyze sections: injection_findings, frontmatter_inventory, shell_commands, credential_references, persistence_signals, claude_md_analysis, cross_instruction_flags. [INJECTION-PATTERN-STRIPPED] markers are confirmed findings.
If local: Read target files directly. Apply 7 threat categories:
- Prompt Injection —
ignore previous,forget your, identity redefinition, spoofed system headers - Data Exfiltration — curl/wget to external URLs, base64 pipe chains, credential read+send
- Privilege Escalation — unjustified Bash access, Write+Bash without rationale, chmod/sudo
- Scope Creep — credential file access, crypto wallet paths, SSH keys, browser stores
- Hidden Instructions — Unicode Tag steganography, zero-width chars, base64 payloads, HTML comments
- Toolchain Manipulation — registry redirection, post-install scripts, external requirements
- Persistence — cron jobs, LaunchAgents, systemd, shell profile modification, git hooks
For each finding: severity (Critical/High/Medium/Low/Info), category, file, line, OWASP reference, evidence, remediation.
Step 4: MCP Security Analysis (if applicable)
Read <plugin-root>/knowledge/mcp-threat-patterns.md. Analyze MCP configs for: tool poisoning, hidden instructions in descriptions, rug pull signals, supply chain risks, permission surface.
Step 5: Aggregate and Report
Combine counts. risk_score = min(100, critical*25 + high*10 + medium*4 + low*1).
Verdict: critical>=1 OR score>=61 → BLOCK, high>=1 OR score>=21 → WARNING, else ALLOW.
Output banner then all findings grouped by severity (critical→info).
Step 6: Deep Scan (only if --deep)
If run_deep_scan = true:
node <plugin-root>/scanners/scan-orchestrator.mjs "<target>" --output-file "<tmp>"
Parse results, merge with LLM findings, show "Deep Scan Findings" section.
Step 7: Cleanup (only if remote)
Run cleanup commands from Step 1.