# security-scan-local > Run security scans locally (Semgrep, Trivy, Gitleaks) to detect vulnerabilities, secrets, and code issues before pushing. Use when the user wants to check for security issues, scan dependencies, or validate code security. - Author: grub-404 - Repository: gar-ai/mallorn - Version: 20251229215034 - Stars: 1 - Forks: 0 - Last Updated: 2026-02-06 - Source: https://github.com/gar-ai/mallorn - Web: https://mule.run/skillshub/@@gar-ai/mallorn~security-scan-local:20251229215034 --- --- name: security-scan-local description: Run security scans locally (Semgrep, Trivy, Gitleaks) to detect vulnerabilities, secrets, and code issues before pushing. Use when the user wants to check for security issues, scan dependencies, or validate code security. --- # Security Scan Local Runs the same security scans locally that execute in CI/CD, allowing developers to catch security issues before pushing code. This skill orchestrates three industry-standard security tools: - **Semgrep**: Static code analysis for security vulnerabilities and OWASP Top 10 - **Trivy**: Dependency vulnerability scanning and IaC misconfiguration detection - **Gitleaks**: Secret detection in code and git history ## Available Scripts ### check.py Checks if required security tools are installed and provides installation instructions. ```bash python3 check.py ``` **When to use**: Before running scans for the first time, or to verify tool installation. ### run.py Runs all three security scans with the same configuration as CI/CD. ```bash python3 run.py # Run all scans python3 run.py --tool semgrep # Run specific tool python3 run.py --tool trivy # Run Trivy only python3 run.py --tool gitleaks # Run Gitleaks only python3 run.py --fast # Skip Trivy IaC scan for speed ``` **Exit codes**: - `0`: All scans passed (no issues found) - `1`: Security issues found (matches CI behavior) - `2`: Tool not installed or error **When to use**: Before committing/pushing code to catch security issues early. ### semgrep.py Runs Semgrep code security analysis with OWASP Top 10 and language-specific rulesets. ```bash python3 semgrep.py # Standard scan python3 semgrep.py --path ./src # Scan specific directory python3 semgrep.py --all # Include all severity levels ``` **Scans for**: - SQL injection, XSS, command injection - Insecure deserialization - Authentication/authorization flaws - Language-specific vulnerabilities (Rust, Python, TypeScript) **When to use**: Quick code security check, or when working on authentication/data handling code. ### trivy.py Runs Trivy dependency and infrastructure-as-code scanning. ```bash python3 trivy.py # Scan dependencies + IaC python3 trivy.py --deps-only # Dependencies only (faster) python3 trivy.py --iac-only # IaC only python3 trivy.py --path ./service # Scan specific path ``` **Scans for**: - Vulnerable dependencies (npm, pip, cargo packages) - Terraform misconfigurations - Kubernetes security issues - Dockerfile best practice violations **When to use**: After updating dependencies, or when modifying infrastructure code. ### gitleaks.py Runs Gitleaks secret detection across code and git history. ```bash python3 gitleaks.py # Full scan including history python3 gitleaks.py --staged # Staged files only (pre-commit) python3 gitleaks.py --uncommitted # Uncommitted changes only ``` **Detects**: - API keys, tokens, passwords - AWS credentials, private keys - Database connection strings - Any hardcoded secrets **When to use**: Before committing, especially when working with credentials or environment files. ## Workflow Examples **User says: "Run security scans"** ```bash python3 run.py ``` Runs all three tools with CI/CD configuration. **User says: "Check for secrets before committing"** ```bash python3 gitleaks.py --staged ``` Scans only staged files for secrets (fast pre-commit check). **User says: "Scan this service for vulnerabilities"** ```bash python3 trivy.py --path ./mercury-clustering ``` Scans a specific service directory. **User says: "Quick code security check"** ```bash python3 semgrep.py ``` Runs static analysis on all code. **User says: "Are the security tools installed?"** ```bash python3 check.py ``` Verifies tool installation and shows how to install missing tools. ## Installation The scripts will detect missing tools and provide installation commands. On macOS: ```bash brew install semgrep trivy gitleaks ``` On other platforms, see tool-specific installation guides. ## Notes - **Matches CI/CD**: Uses identical configuration to GitHub Actions workflows - **Severity levels**: Blocks on CRITICAL, HIGH, and MEDIUM (same as CI) - **Test exclusions**: Respects `.semgrepignore`, `.gitleaksignore`, `.trivyignore` - **Performance**: Full scan takes 5-6 minutes (same as CI); use `--fast` or tool-specific flags for quicker checks - **SARIF output**: Scripts can generate SARIF format for IDE integration (use `--sarif` flag)