security-scanning-security-hardening

Coordinate multi-layer security scanning and hardening across application, infrastructure, and compliance controls.


Install


Download and extract the skill to your skills directory, or copy the following command and send it to OpenClaw for auto-install:

Download and install this skill https://openskills.cc/api/download?slug=sickn33-skills-security-scanning-security-hardening&locale=en&source=copy

Multi-Layer Security Scanning and Hardening

Skill Overview


Using a deep defense-in-depth strategy coordinated by multiple agents, this enables comprehensive security scanning and hardening across applications, infrastructure, and compliance controls.

Use Cases

1. Comprehensive Security Hardening Plan


When you need to establish a defense-in-depth system, this skill coordinates multiple specialized agents to perform SAST/DAST code scanning, dependency audits, secret detection, and threat modeling—building a complete security protection layer from the application tier to the infrastructure tier.

2. DevSecOps Pipeline Integration


Seamlessly integrate security scanning into CI/CD pipelines to perform automatic security checks upon code commits. Support compliance framework validations such as OWASP ASVS, CIS benchmarks, and SOC2—making “security left-shift” possible.

3. Vulnerability Incident Response and Remediation


For critical vulnerabilities discovered by scanning (CVSS 7+), coordinate specialized security agents to quickly implement fixes, including defenses against common attack surfaces such as SQL injection, XSS, and authentication bypass. Also provide regression testing requirements.

Core Capabilities

1. Four-Phase Security Workflow


Run a complete security assessment process: Phase 1 establishes a baseline (vulnerability scanning, threat modeling, architecture review), Phase 2 remediates high-severity issues, Phase 3 implements security controls (authentication/authorization, infrastructure protection, key management), and Phase 4 verifies compliance and deploys security monitoring.

2. Multi-Dimensional Security Scanning


Integrate tools such as SAST (Semgrep/SonarQube), DAST (OWASP ZAP), dependency auditing (Snyk/Trivy), and secret detection (GitLeaks/TruffleHog). Generate a Software Bill of Materials (SBOM) and identify OWASP Top 10, CWE weaknesses, and exposed CVEs.

3. Implementing a Zero-Trust Architecture


Based on threat modeling results, design zero-trust security patterns, including hardening service boundaries, securing data flows, OAuth2/OIDC authentication, MFA multi-factor authentication, RBAC/ABAC access control, and infrastructure protections such as WAF, IDS/IPS, and network microsegmentation.

Common Questions

How long does security scanning take to complete?


Scan duration depends on the scanning_depth configuration and the size of the codebase. Quick scans can finish within 30 minutes, standard scans take about 1–2 hours, and comprehensive scans may take half a day or more. It’s recommended to start with the standard mode and adjust scanning depth based on results.

Can security hardening be performed in a production environment?


It is not recommended to apply security hardening directly in a production environment. Vulnerability fixes, configuration changes, and architecture adjustments included in this skill may affect business stability. First complete verification in a staging environment, define a rollback plan, obtain change approvals, and then deploy to production.

What is the difference between penetration testing and automated scanning?


Automated scanning uses tools to quickly identify known vulnerability patterns and is suitable for routine security checks. Penetration testing simulates real attacks by security experts to uncover business logic flaws and complex attack chains. The fourth phase of this skill performs penetration testing to validate the effectiveness of the security controls implemented in the first three phases.