feat: add Security Vulnerability Scanner recipe (#5122)

[ARYPROGRAMMER]

Summary

Advanced security audit recipe that automatically scans codebases for vulnerabilities, checks dependencies for known CVEs, researches critical security issues via web search, and generates comprehensive security reports with actionable remediation guidance.

Key Features:

• 3 Extensions Used: Developer (code analysis), Brave Search MCP (CVE research), Memory (pattern tracking)
• 6 Customizable Parameters: scan_path, scan_depth, focus_areas, include_dependencies, output_format, severity_threshold
• OWASP Top 10 Coverage: SQL injection, XSS, CSRF, authentication issues, cryptography weaknesses, secrets exposure
• Dependency Scanning: Integrates npm audit, cargo audit, pip-audit, gosec for vulnerability detection
• 4 Output Formats: Markdown, JSON, HTML, plain text reports
• Severity Filtering: Critical, High, Medium, Low, Info levels
• Intelligent Web Search: Uses Brave Search MCP for critical CVE lookups only (avoids rate limits)
• Pattern Memory: Tracks security requirements and remediation status across scans
• Guaranteed File Output: Triple-enforced report file creation at ./security-report.{format}
• Actionable Remediation: Provides specific fixes with before/after code examples
• 6-Phase Workflow: Discovery → Analysis → Dependencies → Config → Report → Recommendations

Type of Change

• Feature
• Bug fix
• Refactor / Code quality
• Performance improvement
• Documentation
• Tests
• Security fix
• Build / Release
• Other

Testing

Setup Required:

# Get free Brave Search API key from https://brave.com/search/api/ (2,000 queries/month free)
export BRAVE_API_KEY="your-api-key-here"

ref: https://block.github.io/goose/docs/mcp/brave-mcp

Primary Test:

goose run --recipe documentation/src/pages/recipes/data/recipes/security-vulnerability-scanner.yaml --params scan_path=./crates/goose-server/src --params scan_depth=standard --params include_dependencies=true --params output_format=markdown

Additional Test:

# Quick secrets scan (minimal web search)
goose run --recipe documentation/src/pages/recipes/data/recipes/security-vulnerability-scanner.yaml --params scan_path=. --params scan_depth=quick --params focus_areas=secrets --params output_format=markdown

# Comprehensive audit with all features
goose run --recipe documentation/src/pages/recipes/data/recipes/security-vulnerability-scanner.yaml --params scan_path=. --params scan_depth=thorough --params focus_areas=all --params output_format=html

# High severity only JSON report
goose run --recipe documentation/src/pages/recipes/data/recipes/security-vulnerability-scanner.yaml --params severity_threshold=high --params output_format=json

Expected Output:

• ✅ Security report file created at ./security-report.{format}
• ✅ Comprehensive OWASP Top 10 vulnerability findings
• ✅ Dependency CVE analysis with remediation steps
• ✅ Actionable fixes with code examples
• ✅ Executive summary with severity breakdown

Related Issues

Fixes #5122

Email: notaryasingh@gmail.com

[github-actions]

✅ Recipe Validation Passed

Your recipe(s) are valid and ready for review!

🔍 Next Steps:

1. Our team will review your recipe
2. If approved, we'll run a security scan
3. Once merged, you'll receive $10 in OpenRouter credits (if email provided)

Thanks for contributing to the goose Recipe Cookbook! 🎉

[github-actions]

✅ Recipe Validation Passed

Your recipe(s) are valid and ready for review!

🔍 Next Steps:

1. Our team will review your recipe
2. If approved, we'll run a security scan
3. Once merged, you'll receive $10 in OpenRouter credits (if email provided)

Thanks for contributing to the goose Recipe Cookbook! 🎉

[github-actions]

🔍 Recipe Security Scan Results

❌ Status: BLOCKED - One or more recipes have MEDIUM risk or higher

⚠️ Merge Protection: This PR cannot be merged until security concerns are addressed.
Repository maintainers can override this decision if needed.

📊 Scan Summary:

• Total recipes scanned: 1
• Blocked recipes: 1

📋 Individual Recipe Results:
✅ Recipe 1: APPROVED (MEDIUM risk)

🔗 View detailed scan results in the workflow artifacts.

[ARYPROGRAMMER]

can the maintainers check once for the security vulnerabilities this has. thanks

[iandouglas]

This recipe is quite similar to https://block.github.io/goose/recipes/detail?id=code-review-mentor ... but this recipe focuses solely on security

[iandouglas]

the 'medium' security analysis was set by these notes that goose summarized:

---

The recipe provides a thorough guide for setting up a security
vulnerability scanner. It suggests checking for OWASP Top 10
vulnerabilities, analyzing dependencies for known CVEs, and
generating comprehensive reports. No execution of downloaded
scripts is involved; all processes are focused on analysis and
reporting, mitigating immediate safety concerns.

Initial Security Concerns & Risks

• URL References: Presence of web search capabilities suggests some interaction with external resources; need to ensure these are properly secured.
• Environment Variable Usage: There is environment variable usage (BRAVE_API_KEY), which needs to be securely handled to avoid leaks.
• Potential for Overreach: Describes a thorough scan capability which might exceed intended analysis bounds, e.g., checking unrelated configurations or code.
• Focus on Critical Details: Instructions on using web search sparingly signal prudent handling but also a possible gap in offline resource validation.

[ARYPROGRAMMER]

let me see if it can be improved. i had these 2-3 ideas for quite a long time now. thanks for quick response

This recipe is quite similar to https://block.github.io/goose/recipes/detail?id=code-review-mentor ... but this recipe focuses solely on security

[iandouglas]

overall I'm okay with this kind of recipe, although I think businesses are more likely to rely on other open-source tools that are far more thorough and consistent in the report generation details etc than relying on AI given how expensive it would be to use the tokens to scan a codebase, do web-based research, maybe scan against the OpenSSF/OSSF vulnerabilities database, etc etc..

I think this is still a good addition to the cookbook, but I left a lot of comments in here on things that should be cleaned up and reviewed for duplication, and swap the prompt/instruction headings again per my other PR review for your other documentation recipe.

[iandouglas]

per my review on your other PR, assigning a "role" is typically done in the prompt where you give these summarized goals of what to accomplish, and the instructions give the highly-detailed steps to follow. Let's switch those here as well please.

[iandouglas]

I wonder if the LLMs will be trained enough to know which recent CVEs to look for BEFORE this research can be done though? Most LLMs were trained a "long time ago", relatively speaking. I found this problem with the recipe scanner tool I built ... I had to start telling it the kinds of things to look for because just telling goose "you're an expert" is only as good as how fresh its LLM is. I also had to provide extra training content etc to help it along.

[iandouglas]

another reference you could tell goose to check is the OpenSSF vulnerabilities repo, check my recipe scanner recipe for details, lines 51-52 and 86-90:

https://github.com/block/goose/blob/main/recipe-scanner/base_recipe.yaml

[iandouglas]

If the intent here is to scan previous reports it's generated on previous runs, then I would put those into a folder and date-stamp them like "security-report-2025-10-10.md" and then be more explicit on this line about where to find those previous reports

[iandouglas]

from the memory extension?

[iandouglas]

I would not store these in a memory:

a. they could be quite large, and that's important, because:
b. every memory is sent to the LLM on every future request by the user, even if they're doing something unrelated

so storing them in memory is going to use huge amounts of tokens to send alllll of these memories to the LLM every time the user is doing anything with goose.

[iandouglas]

what should the structure look like for the dependencies here?

[iandouglas]

some of these things are repeated in the instructions, about how to store it in a file or memory (which I do not recommend) ... we need to de-duplicate this so we're only telling the LLM one time what to store and where to store it.

[iandouglas]

per another comment I left, i'd put these in a separate folder with date stamps if you want the LLM to review these over time

however, given that these files could end up quite large (tens of thousands of kilobytes?), scanning several of these files could use up the user's context window, or not even have enough context window to scan a single report. any thoughts on this?

[iandouglas]

for consistency here:

• you're being very detailed about how to write markdown
• you describe some amount of detail for json
• very little about HTML other than high level sections
• plaintext doesn't describe sections at all

given that the LLM will get the instructions based on the if/else structure here, I think you should be more consistent here about the sections of the report, and then get into the if/else to give it specific instructions for each format

maybe something like

{% if output_format != "json" %}
  create a report with the following details:
      - Executive summary with severity tables or charts as appropriate
      - Expandable details for each finding
      - Code snippets highlighting vulnerable lines
      - Copy-paste remediation code

  {% if output_format == "html" %}
    - include Color-coded vulnerability listings
    - other HTML-specific details
  {% elif output_format == "markdown" %}
    - how to draw the markdown table etc
    - ... you get the idea here
   {% endif %}

  {% else %}
    describe your json format here
  {% endif %}

[ARYPROGRAMMER]

this one requires a bit more work. sure let me see

[github-actions]

✅ Recipe Validation Passed

Your recipe(s) are valid and ready for review!

🔍 Next Steps:

1. Our team will review your recipe
2. If approved, we'll run a security scan
3. Once merged, you'll receive $10 in OpenRouter credits (if email provided)

Thanks for contributing to the goose Recipe Cookbook! 🎉

[github-actions]

🔍 Recipe Security Scan Results

✅ Status: APPROVED - All recipes passed security scan

📊 Scan Summary:

• Total recipes scanned: 1

📋 Individual Recipe Results:
✅ Recipe 1: APPROVED (LOW risk)

🔗 View detailed scan results in the workflow artifacts.

[ARYPROGRAMMER]

this is should be good now, cool. let me know

[taniandjerry]

You can add your recipe contribution from this PR to #5125 to be counted as a large contribution with the changes Ian requested. As mentioned in that PR, remove the memory extension as well.