Overview
Security vulnerabilities often slip through code reviews—incorrect API usage, hardcoded credentials, or insecure patterns can lurk undetected for months. This automation scans your codebase daily to catch these issues before they become breaches.
What it does:
- Scans your codebase on a schedule (daily, weekly, or monthly)
- Identifies common vulnerabilities (SQL injection, XSS, auth flaws, hardcoded secrets)
- Creates Linear tickets with severity ratings for each issue
- Optionally generates PRs with automated fixes
Quick Start
- Navigate to Automations in your Tembo dashboard
- Click Templates Library
- Install the “Security Vulnerability Scan” template
- Configure your repository and schedule
- Enable Linear and/or Slack integrations
How It Works
On each scheduled run, the automation:
- Clones the repository — Gets the latest code from your main branch
- Scans for vulnerabilities — Analyzes code patterns against known security issues
- Categorizes findings — Assigns severity levels (Critical, High, Medium, Low)
- Creates tickets — Opens Linear issues with details and remediation steps
- Generates fixes — Optionally creates PRs to fix identified issues
The scanner catches real issues like using jwt.decode() instead of jwt.verify()—a common mistake that bypasses signature verification entirely.
Configuration
Basic Setup
Trigger: Schedule (daily recommended)
Prompt Template:
Perform a security vulnerability scan on the codebase.
## Scan Categories
Check for these vulnerability types:
### Injection Flaws
- SQL injection (string concatenation in queries)
- Command injection (shell execution with user input)
- LDAP injection
- XPath injection
### Authentication Issues
- Hardcoded credentials or API keys
- Weak password requirements
- Missing rate limiting on auth endpoints
- JWT decode vs verify confusion
- Session fixation vulnerabilities
### Cross-Site Scripting (XSS)
- Unescaped user input in HTML output
- innerHTML with user data
- Missing Content-Security-Policy headers
### Sensitive Data Exposure
- Secrets in code or config files
- Sensitive data in logs
- Missing encryption for PII
- Exposed stack traces in production
### Security Misconfiguration
- Debug mode enabled
- Default credentials
- Unnecessary features enabled
- Missing security headers
## For Each Vulnerability Found
1. Identify the file and line number
2. Classify severity:
- Critical: Actively exploitable, data breach risk
- High: Exploitable with some effort
- Medium: Requires specific conditions
- Low: Minor issue or defense-in-depth
3. Create a Linear ticket with:
- Title: [Severity] [Vulnerability Type] in [file]
- Description: What's wrong and how to exploit it
- Remediation: Step-by-step fix instructions
- Label: "security", severity level
4. If auto-fix is enabled:
- Generate a fix for the vulnerability
- Create a PR with the fix
- Link the PR to the Linear ticket
Vulnerability Examples
JWT Decode vs Verify
The Issue:
// VULNERABLE: decode() doesn't verify the signature
const payload = jwt.decode(token);
// SECURE: verify() checks the signature
const payload = jwt.verify(token, process.env.JWT_SECRET);
SQL Injection
The Issue:
// VULNERABLE: String concatenation allows injection
const query = `SELECT * FROM users WHERE id = '${userId}'`;
// SECURE: Parameterized query
const query = 'SELECT * FROM users WHERE id = ?';
db.query(query, [userId]);
Hardcoded Secrets
The Issue:
// VULNERABLE: Secret in source code
const apiKey = 'sk-live-abc123xyz789';
// SECURE: Environment variable
const apiKey = process.env.API_KEY;
XSS via innerHTML
The Issue:
// VULNERABLE: User input directly in HTML
element.innerHTML = userComment;
// SECURE: Use textContent or sanitize
element.textContent = userComment;
// Or use DOMPurify for rich content
element.innerHTML = DOMPurify.sanitize(userComment);
Customization Options
Severity-Based Routing
Route findings based on severity:
For Critical vulnerabilities:
- Create Linear ticket with Urgent priority
- Post to #security-alerts immediately
- Tag the security team lead
- Generate fix PR automatically
For High vulnerabilities:
- Create Linear ticket with High priority
- Include in daily security digest
For Medium/Low vulnerabilities:
- Create Linear tickets
- Include in weekly security report
Focus Areas
Customize what the scanner looks for:
API-Focused Scan:
Focus on API security:
- Authentication bypass opportunities
- Authorization flaws (IDOR, broken access control)
- Rate limiting gaps
- Input validation on all endpoints
- Proper error handling (no stack traces)
Focus on client-side security:
- XSS vulnerabilities
- CSRF protection
- Sensitive data in localStorage/cookies
- Third-party script security
- Content Security Policy headers
Check third-party dependencies:
- Known vulnerabilities in packages (CVEs)
- Outdated packages with security patches
- Unnecessary dependencies that increase attack surface
- License compliance issues
Exclude False Positives
Reduce noise from known safe patterns:
Ignore these patterns:
- Test files (*.test.js, *.spec.ts)
- Mock data with fake credentials
- Documentation examples
- Intentionally vulnerable code in /security-training/
Known false positives to skip:
- The API key in config.example.js is a placeholder
- The hardcoded password in seed.js is for local dev only
Example Linear Ticket
Auto-generated tickets include:
- Title:
[High] JWT Signature Bypass in auth/verify.js
- Location: File path, line number, function name
- Summary: What’s wrong and why it’s exploitable
- Impact: Severity level and exploitability rating
- Remediation: Step-by-step fix with code examples
- References: Links to OWASP and CWE documentation
Tips for Better Results
- Start with high-severity only — Focus on Critical/High issues first, then expand to Medium once those are addressed
- Provide codebase context — Document your security model (auth method, ORM, encryption) so the scanner avoids false positives
- Schedule smart — Daily for finance/healthcare apps, weekly for most production apps, on-PR for critical paths
- Track remediation — Monitor new vs fixed vulnerabilities and average time to remediation
