--- name: "Next.js Security Scan" description: "Comprehensive security vulnerability scanner for Next.js and TypeScript/JavaScript projects. Detects OWASP Top 10 vulnerabilities, XSS, injection flaws, authentication issues, hardcoded secrets, and Next.js-specific security problems. Audits dependencies for known CVEs and generates actionable security reports." --- # Next.js Security Scan Skill This skill enables comprehensive security scanning of Next.js and TypeScript/JavaScript projects based on OWASP guidelines and industry best practices. ## When to Use This Skill - Security audits of Next.js applications - Code review for security vulnerabilities - Pre-deployment security checks - Dependency vulnerability assessment - Detecting hardcoded secrets and credentials ## Scan Types ### 1. Quick Scan Fast scan focusing on critical vulnerabilities: - Hardcoded secrets and API keys - Dangerous function usage (`dangerouslySetInnerHTML`, `eval`) - Missing authentication in Server Actions - Known vulnerable dependencies ### 2. Full Scan Comprehensive security assessment covering: - All OWASP Top 10:2025 categories - XSS vulnerability patterns - Injection vulnerabilities (SQL, NoSQL, Command) - Authentication and authorization flaws - Security misconfigurations - Cryptographic failures - Next.js-specific vulnerabilities - Dependency audit (CVE check) - Environment variable exposure ### 3. Targeted Scan Focus on specific vulnerability categories: - `--xss` - Cross-site scripting patterns - `--injection` - SQL/NoSQL/Command injection - `--auth` - Authentication/authorization issues - `--secrets` - Hardcoded credentials - `--deps` - Dependency vulnerabilities - `--nextjs` - Next.js specific issues ## Scan Procedure ### Step 1: Project Discovery 1. Identify project type (Next.js App Router, Pages Router, or plain React) 2. Locate configuration files (`next.config.js`, `package.json`, `.env*`) 3. Map the codebase structure ### Step 2: Dependency Audit Run the dependency audit script: ```bash ./scripts/dependency-audit.sh ``` Or manually: ```bash npm audit --json # or yarn audit --json ``` ### Step 3: Secret Scanning Scan for hardcoded secrets: ```bash python scripts/secret-scanner.py /path/to/project ``` **Important: Environment File Handling** - By default, real `.env` files are **SKIPPED** (`.env`, `.env.local`, `.env.production`, etc.) - These files contain actual secrets and should not be in version control - Only `.env.example` and `.env.template` files are analyzed for documentation quality - Use `--include-env-files` flag only if explicitly requested by user The scanner will: 1. Scan source code for hardcoded secrets 2. Analyze `.env.example` templates to check: - Which sensitive variables are documented - Whether variables have descriptions (comments) - If placeholder values look like real secrets - Suggestions for missing common variables ### Step 4: Pattern Analysis For each file in the codebase, check against patterns in: - `references/xss-patterns.md` - XSS vulnerabilities - `references/injection-patterns.md` - Injection flaws - `references/auth-vulnerabilities.md` - Auth issues - `references/nextjs-specific.md` - Next.js vulnerabilities ### Step 5: Report Generation Generate a security report using: - `assets/report-template.md` - Report structure ## Severity Classification | Severity | Description | Action Required | |----------|-------------|-----------------| | CRITICAL | Exploitable vulnerability with severe impact | Immediate fix required | | HIGH | Significant security risk | Fix before deployment | | MEDIUM | Potential security issue | Fix in next release | | LOW | Minor security concern | Consider fixing | | INFO | Security best practice suggestion | Optional improvement | ## Key Files to Scan ### Always Check - `**/*.ts`, `**/*.tsx`, `**/*.js`, `**/*.jsx` - Source code - `next.config.js`, `next.config.mjs` - Next.js configuration - `package.json`, `package-lock.json` - Dependencies - `middleware.ts`, `middleware.js` - Middleware security ### Environment Files - `.env.example`, `.env.template` - **SCAN** for template analysis - `.env`, `.env.local`, `.env.production` - **SKIP** by default (contain real secrets) **Note:** Real `.env` files should never be committed to version control. The scanner analyzes `.env.example` templates to ensure proper documentation of required variables. ### High Priority Locations - `app/api/**/*` - API routes (App Router) - `pages/api/**/*` - API routes (Pages Router) - `**/actions.ts`, `**/*-actions.ts` - Server Actions - `lib/auth*`, `utils/auth*` - Authentication code - `**/middleware.*` - Middleware files ## Output Format Findings should be reported as: ``` [SEVERITY] Category: Description File: path/to/file.ts:lineNumber Code: Risk: Fix: ``` ## Integration with CI/CD This skill can generate output compatible with: - GitHub Security Advisories - SARIF format for GitHub Code Scanning - JSON for custom integrations ## References Load additional context as needed: - `references/owasp-top-10.md` - OWASP Top 10:2025 quick reference - `references/xss-patterns.md` - XSS detection patterns - `references/injection-patterns.md` - Injection vulnerability patterns - `references/auth-vulnerabilities.md` - Authentication security patterns - `references/nextjs-specific.md` - Next.js specific vulnerabilities and CVEs