pluginagentmarketplace/custom-plugin-qa
Overview
This skill provides production-grade security testing for web applications, services, containers, and codebases. It combines OWASP Top 10 coverage, automated vulnerability scanning (SAST/DAST/dependency/secrets), and compliance validation with actionable remediation guidance. Designed for integration into CI/CD pipelines and security programs, it produces structured findings and compliance status for prioritized remediation.
How this skill works
The skill accepts an action (scan, analyze, remediate, compliance_check, generate_report) and a scan_type (owasp_top10, dependency, sast, dast, secrets, configuration) with an explicit target (URL, repository, file path, or docker image). It runs the appropriate detection methods—fuzzing, SAST rules, dependency CVE checks, secret scanning, TLS analysis—and returns a structured result containing vulnerability details, severity summary, compliance_status, and recommendations. Built-in parameter validation, retry strategies, and error categories handle transient failures and authorization requirements.
When to use it
- Before releasing a web application to production to catch OWASP Top 10 issues.
- As part of CI/CD to detect SAST and dependency vulnerabilities early.
- When performing penetration testing preparation or guided manual testing.
- To validate compliance controls for PCI DSS, GDPR, SOC 2, HIPAA, or ISO 27001.
- For scheduled security reviews of containers and configuration baselines.
Best practices
- Obtain written authorization and define scope before scanning any external target.
- Start with passive scans and use authenticated scans to improve coverage.
- Prioritize remediation by risk score: fix critical and high issues first and retest.
- Integrate scans into CI/CD and automate dependency updates and secret rotation.
- Tune scan sensitivity and combine automated results with manual verification to reduce false positives.
Example use cases
- Run an OWASP Top 10 web scan against a staging URL and generate a remediation report for developers.
- Add dependency scanning to the CI pipeline to block builds with high-severity CVEs.
- Perform a secrets scan on a repository before a public release to prevent credential leaks.
- Run a compliance_check for PCI DSS mapping and produce a pass/partial/fail compliance_status.
- Use configuration scans on container images to detect insecure defaults and missing security headers.
FAQ
Explicit written consent is required; the skill enforces authorization checks and will reject scans without proper scope and consent.
How does the skill handle false positives?
Tune scan sensitivity, add exclusions for known false positives, use authenticated scanning, and validate findings with manual testing or secondary tools.