Next.js Security Scan
Comprehensive security vulnerability scanner for Next.js and TypeScript/JavaScript projects. Detects OWASP Top 10 vulnerabilities, XSS, injection flaws, authentication issues, hardcoded secrets, and Next.js-specific security problems. Audits dependencies for known CVEs and generates actionable security reports.
What this skill does
# Next.js Security Scan Skill

This skill enables comprehensive security scanning of Next.js and TypeScript/JavaScript projects based on OWASP guidelines and industry best practices.

## When to Use This Skill

- Security audits of Next.js applications
- Code review for security vulnerabilities
- Pre-deployment security checks
- Dependency vulnerability assessment
- Detecting hardcoded secrets and credentials

## Scan Types

### 1. Quick Scan

Fast scan focusing on critical vulnerabilities:

- Hardcoded secrets and API keys
- Dangerous function usage (`dangerouslySetInnerHTML`, `eval`)
- Missing authentication in Server Actions (every Server Action is a publicly reachable POST endpoint, so each one must check the caller's session and authorization itself)
- Known vulnerable dependencies

### 2. Full Scan

Comprehensive security assessment covering:

- All OWASP Top 10:2025 categories
- XSS vulnerability patterns
- Injection vulnerabilities (SQL, NoSQL, Command)
- Authentication and authorization flaws
- Security misconfigurations
- Cryptographic failures
- Next.js-specific vulnerabilities
- Dependency audit (CVE check)
- Environment variable exposure (any `NEXT_PUBLIC_*` variable is inlined into the browser bundle at build time, so a secret under that prefix is public)

### 3. Targeted Scan

Focus on specific vulnerability categories:

- `--xss` - Cross-site scripting patterns
- `--injection` - SQL/NoSQL/Command injection
- `--auth` - Authentication/authorization issues
- `--secrets` - Hardcoded credentials
- `--deps` - Dependency vulnerabilities
- `--nextjs` - Next.js specific issues

## Scan Procedure

### Step 1: Project Discovery

1. Identify the project type (Next.js App Router, Pages Router, or plain React)
2. Locate configuration files (`next.config.js`, `package.json`, `.env*`)
3. Map the codebase structure

### Step 2: Dependency Audit

Run the dependency audit script:

```bash
./scripts/dependency-audit.sh
```

Or manually:

```bash
npm audit --json
# or
yarn audit --json
```

The audit only reports on the versions resolved in the lockfile, so run it against the committed `package-lock.json` or `yarn.lock` rather than a locally modified tree.

### Step 3: Secret Scanning

Scan for hardcoded secrets:

```bash
python scripts/secret-scanner.py /path/to/project
```

**Important: Environment File Handling**

- By default, real `.env` files are **SKIPPED** (`.env`, `.env.local`, `.env.production`, etc.)
- These files contain actual secrets and should not be in version control
- Only `.env.example` and `.env.template` files are analyzed for documentation quality
- Use the `--include-env-files` flag only if explicitly requested by the user

The scanner will:

1. Scan source code for hardcoded secrets
2. Analyze `.env.example` templates to check:
   - Which sensitive variables are documented
   - Whether variables have descriptions (comments)
   - Whether placeholder values look like real secrets
   - Suggestions for missing common variables

### Step 4: Pattern Analysis

For each file in the codebase, check against the patterns in:

- `references/xss-patterns.md` - XSS vulnerabilities
- `references/injection-patterns.md` - Injection flaws
- `references/auth-vulnerabilities.md` - Auth issues
- `references/nextjs-specific.md` - Next.js vulnerabilities

### Step 5: Report Generation

Generate a security report using:

- `assets/report-template.md` - Report structure

## Severity Classification

| Severity | Description | Action Required |
|----------|-------------|-----------------|
| CRITICAL | Exploitable vulnerability with severe impact | Immediate fix required |
| HIGH | Significant security risk | Fix before deployment |
| MEDIUM | Potential security issue | Fix in next release |
| LOW | Minor security concern | Consider fixing |
| INFO | Security best practice suggestion | Optional improvement |

## Key Files to Scan

### Always Check

- `**/*.ts`, `**/*.tsx`, `**/*.js`, `**/*.jsx` - Source code
- `next.config.js`, `next.config.mjs` - Next.js configuration
- `package.json`, `package-lock.json` - Dependencies
- `middleware.ts`, `middleware.js` - Middleware security

### Environment Files

- `.env.example`, `.env.template` - **SCAN** for template analysis
- `.env`, `.env.local`, `.env.production` - **SKIP** by default (contain real secrets)

**Note:** Real `.env` files should never be committed to version control. The scanner analyzes `.env.example` templates to ensure proper documentation of required variables.

### High Priority Locations

- `app/api/**/*` - API routes (App Router)
- `pages/api/**/*` - API routes (Pages Router)
- `**/actions.ts`, `**/*-actions.ts` - Server Actions
- `lib/auth*`, `utils/auth*` - Authentication code
- `**/middleware.*` - Middleware files

## Output Format

Findings should be reported as:

```
[SEVERITY] Category: Description
File: path/to/file.ts:lineNumber
Code: <relevant code snippet>
Risk: <explanation of the security risk>
Fix: <recommended remediation>
```

## Integration with CI/CD

This skill can generate output compatible with:

- GitHub Security Advisories
- SARIF format for GitHub Code Scanning
- JSON for custom integrations

## References

Load additional context as needed:

- `references/owasp-top-10.md` - OWASP Top 10:2025 quick reference
- `references/xss-patterns.md` - XSS detection patterns
- `references/injection-patterns.md` - Injection vulnerability patterns
- `references/auth-vulnerabilities.md` - Authentication security patterns
- `references/nextjs-specific.md` - Next.js specific vulnerabilities and CVEs
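As an added example (not one of the skill's own scripts or reference files), the TypeScript below shows what a Step 4 pattern pass looks like end to end: a handful of line rules, a file-level check for `"use server"` files whose exported actions never call an auth helper, severity ordering, and output in the finding format above. The rule set, the severities assigned, the auth-helper names it recognises and the sample project are all assumptions of this example.

```typescript
// Added example (not one of the skill's own scripts): a small rule-based
// scanner in the spirit of Step 4 that checks in-memory sample files and
// prints findings in the report format above. The rule set, severities and
// the auth-helper names are this example's assumptions.

type Severity = "CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "INFO";
const SEVERITY_ORDER: Severity[] = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO"];

interface Rule {
  id: string; category: string; severity: Severity; title: string;
  pattern: RegExp; risk: string; fix: string;
}
interface Finding extends Omit<Rule, "pattern"> { file: string; line: number; code: string; }

// Single-line rules. They deliberately over-match: a scanner should report
// and let triage downgrade, rather than silently miss a variant.
const LINE_RULES: Rule[] = [
  { id: "secrets.hardcoded", category: "Secrets", severity: "CRITICAL",
    title: "Hardcoded credential",
    pattern: /\b(api[_-]?key|secret|token|password|private[_-]?key)\w*\s*[:=]\s*["'][^"'\s]{16,}["']/i,
    risk: "The credential ships with the source and every clone of the repository.",
    fix: "Move it to a server-only environment variable and rotate the exposed value." },
  { id: "env.next-public-secret", category: "Environment Exposure", severity: "HIGH",
    title: "Secret-looking NEXT_PUBLIC_ variable",
    pattern: /NEXT_PUBLIC_\w*(SECRET|PRIVATE|PASSWORD|TOKEN)\w*/,
    risk: "NEXT_PUBLIC_* values are inlined into the browser bundle at build time.",
    fix: "Drop the NEXT_PUBLIC_ prefix and read the value only in server code." },
  { id: "xss.dangerously-set-inner-html", category: "XSS", severity: "HIGH",
    title: "dangerouslySetInnerHTML with unverified HTML",
    pattern: /dangerouslySetInnerHTML\s*=\s*\{\s*\{\s*__html\s*:/,
    risk: "The string is written into the DOM without escaping.",
    fix: "Render text through JSX, or sanitize with a vetted library first." },
  { id: "injection.eval", category: "Injection", severity: "HIGH",
    title: "Dynamic code execution",
    pattern: /\beval\s*\(|\bnew\s+Function\s*\(/,
    risk: "Attacker-influenced strings become executable code.",
    fix: "Use JSON.parse or an explicit dispatch table instead." },
];

// Server Actions are public POST endpoints, so each exported action in a
// "use server" file must run its own session/authorization check.
// Which helper names count as such a check is an assumption of this example.
const AUTH_CALL = /\b(auth|getSession|getServerSession|verifySession|requireUser)\s*\(/;

function checkServerActions(file: string, source: string): Finding[] {
  if (!/^\s*["']use server["']/m.test(source)) return [];
  const out: Finding[] = [];
  const actionRe = /export\s+async\s+function\s+(\w+)\s*\([^)]*\)\s*\{/g;
  for (let m = actionRe.exec(source); m !== null; m = actionRe.exec(source)) {
    // Crude body slice: from the opening brace to the next top-level export.
    const start = m.index + m[0].length;
    const next = source.indexOf("\nexport ", start);
    const body = source.slice(start, next === -1 ? source.length : next);
    if (AUTH_CALL.test(body)) continue;
    out.push({
      id: "auth.server-action-unauthenticated", category: "Authentication", severity: "CRITICAL",
      title: "Server Action " + m[1] + " performs no auth check",
      file, line: source.slice(0, m.index).split("\n").length, code: m[0].trim(),
      risk: "Anyone who can reach the site can invoke the action with a crafted POST.",
      fix: "Verify the session and the caller's authorization at the top of the action.",
    });
  }
  return out;
}

function scanFile(file: string, source: string): Finding[] {
  const out: Finding[] = [];
  source.split("\n").forEach((text, i) => {
    for (const r of LINE_RULES) {
      if (!r.pattern.test(text)) continue;
      out.push({ id: r.id, category: r.category, severity: r.severity, title: r.title,
        risk: r.risk, fix: r.fix, file, line: i + 1, code: text.trim() });
    }
  });
  return out.concat(checkServerActions(file, source));
}

function scanProject(files: Record<string, string>): Finding[] {
  const all: Finding[] = [];
  for (const file of Object.keys(files)) all.push(...scanFile(file, files[file]));
  return all.sort((a, b) => SEVERITY_ORDER.indexOf(a.severity) - SEVERITY_ORDER.indexOf(b.severity));
}

function formatFinding(f: Finding): string {
  return ["[" + f.severity + "] " + f.category + ": " + f.title, "File: " + f.file + ":" + f.line,
    "Code: " + f.code, "Risk: " + f.risk, "Fix: " + f.fix].join("\n");
}

// Constructed sample project for the demo; not code from any real repository.
const SAMPLE_FILES: Record<string, string> = {
  "lib/config.ts": [
    'export const apiKey = "sk_live_0123456789abcdefABCDEF";',
    "export const siteUrl = process.env.NEXT_PUBLIC_SITE_URL;",
    "export const dbPassword = process.env.NEXT_PUBLIC_DB_PASSWORD;",
  ].join("\n"),
  "app/post/[id]/page.tsx": "<article dangerouslySetInnerHTML={{ __html: post.body }} />",
  "lib/legacy.ts": 'const parsed = eval("(" + raw + ")");',
  "app/actions.ts": [
    '"use server";', "",
    "export async function deleteUser(id: string) {",
    "  await db.user.delete({ where: { id } });", "}", "",
    "export async function updateProfile(form: FormData) {",
    "  const session = await getSession();",
    "  if (!session) throw new Error('unauthenticated');", "}",
  ].join("\n"),
};

console.log(scanProject(SAMPLE_FILES).map(formatFinding).join("\n\n"));
```

On the sample project this reports five findings, the two CRITICAL ones first: the hardcoded key in `lib/config.ts` and the unauthenticated `deleteUser` action, followed by the `NEXT_PUBLIC_DB_PASSWORD` exposure, the `dangerouslySetInnerHTML` use and the `eval` call. `updateProfile` is not flagged because its body calls `getSession()`. The body slicing in `checkServerActions` is intentionally naive; a real implementation would use the TypeScript AST so that nested helpers and re-exported actions are handled correctly.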
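The `.env.example` checks listed under Step 3 (documented sensitive variables, missing descriptions, placeholders that look like real secrets, missing common variables) are worth seeing as code. The following TypeScript is an added example, not the skill's `secret-scanner.py`; the sensitive-name pattern, the placeholder and credential-prefix heuristics, the entropy threshold and the list of expected variables are all assumptions of this example, and the template it analyzes is constructed for the demo.

```typescript
// Added example (not the skill's secret-scanner.py): the .env.example template
// checks from Step 3 applied to a constructed template. The sensitive-name
// pattern, placeholder heuristics, entropy threshold and "expected variables"
// list are assumptions of this example.

interface EnvEntry { name: string; value: string; line: number; described: boolean; }
interface TemplateReport {
  sensitive: string[];    // sensitive variables the template documents
  undocumented: string[]; // sensitive variables with no comment line above them
  suspicious: string[];   // placeholder values that look like real secrets
  missing: string[];      // expected variables the template never mentions
}

const SENSITIVE_NAME = /SECRET|PASSWORD|TOKEN|API_KEY|PRIVATE_KEY|DATABASE_URL/;
// Values that are obviously placeholders: "<...>", "your-api-key", "changeme", etc.
const PLACEHOLDER = /^(<.*>|your[-_]|change[-_]?me|replace|example|xxx+|\*+|\.\.\.|dummy|placeholder|todo)/i;
// Credential prefixes a real value might carry (assumed list for this example).
const KNOWN_PREFIX = /^(sk_live_|sk_test_|AKIA|ghp_|gho_|xox[abp]-|-----BEGIN )/;
const EXPECTED_VARS = ["DATABASE_URL", "NEXTAUTH_SECRET", "NEXTAUTH_URL"];

function parseEnvTemplate(text: string): EnvEntry[] {
  const entries: EnvEntry[] = [];
  const lines = text.split("\n");
  lines.forEach((raw, i) => {
    const m = /^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(raw);
    if (!m) return;
    // Drop a trailing inline comment, then surrounding quotes.
    const value = m[2].replace(/\s+#.*$/, "").replace(/^(["'])(.*)\1$/, "$2").trim();
    // "Described" means the line directly above is a comment.
    const described = i > 0 && /^\s*#/.test(lines[i - 1]);
    entries.push({ name: m[1], value, line: i + 1, described });
  });
  return entries;
}

// Shannon entropy in bits per character; random hex/base64 secrets score 4.5+,
// English-like placeholder text stays well under 4.
function entropyBits(s: string): number {
  const counts: Record<string, number> = {};
  s.split("").forEach((c) => { counts[c] = (counts[c] || 0) + 1; });
  let h = 0;
  for (const c in counts) { const p = counts[c] / s.length; h -= p * Math.log(p) / Math.LN2; }
  return h;
}

function looksLikeRealSecret(value: string): boolean {
  if (value === "" || PLACEHOLDER.test(value)) return false;
  if (KNOWN_PREFIX.test(value)) return true;
  // URLs and short words are left alone; long high-entropy tokens are flagged.
  if (value.indexOf("://") !== -1 || value.length < 20) return false;
  return entropyBits(value) >= 4.0;
}

function analyzeTemplate(text: string): TemplateReport {
  const entries = parseEnvTemplate(text);
  const sensitive = entries.filter((e) => SENSITIVE_NAME.test(e.name));
  const names = entries.map((e) => e.name);
  return {
    sensitive: sensitive.map((e) => e.name),
    undocumented: sensitive.filter((e) => !e.described).map((e) => e.name),
    suspicious: entries.filter((e) => looksLikeRealSecret(e.value)).map((e) => e.name),
    missing: EXPECTED_VARS.filter((v) => names.indexOf(v) === -1),
  };
}

// Constructed .env.example for the demo (not from any real project).
const SAMPLE_ENV_EXAMPLE = [
  "# Postgres connection string; point it at a local dev database",
  "DATABASE_URL=postgres://user:password@localhost:5432/app",
  "",
  "# Session signing key, generate with: openssl rand -base64 32",
  "NEXTAUTH_SECRET=<generate-a-random-32-byte-value>",
  "",
  "STRIPE_SECRET_KEY=sk_live_51Hh3KqLb9XQ2mN8pR4tY7wZ0aB1cD2eF",
  "NEXT_PUBLIC_SITE_URL=http://localhost:3000",
  "GITHUB_TOKEN=your-github-token",
].join("\n");

console.log(JSON.stringify(analyzeTemplate(SAMPLE_ENV_EXAMPLE), null, 2));
```

For the sample template the report lists four sensitive variables, two of them undocumented (`STRIPE_SECRET_KEY`, `GITHUB_TOKEN`), one suspicious value (`STRIPE_SECRET_KEY`, whose placeholder carries a live-key prefix and high entropy, which in a committed template usually means someone pasted a real key) and one missing expected variable (`NEXTAUTH_URL`). The entropy threshold is a heuristic; pair it with the placeholder list so that documented dummy values are not flagged.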