
Security Engineer - Environment Guide

This guide lists the tools Claude Code needs in order to help you effectively with application and infrastructure security.

Capabilities Summary

| Capability | Required tools |
| --- | --- |
| SAST (static analysis) | Semgrep, SonarQube, CodeQL |
| DAST (dynamic analysis) | OWASP ZAP, Burp Suite |
| Dependency scanning | Trivy, Snyk, npm audit |
| Container security | Trivy, Grype, Docker Scout |
| Secrets detection | Gitleaks, TruffleHog |
| Infrastructure security | tfsec, Checkov, Prowler |

Static Analysis (SAST)

Semgrep (Recommended)

# Install
pip install semgrep
# or
brew install semgrep

# Scan the project
semgrep scan

# With specific rule sets from the Semgrep Registry (fetched over the network)
semgrep --config=auto .
semgrep --config=p/security-audit .
semgrep --config=p/owasp-top-ten .

# CI/CD: `semgrep ci` reads SEMGREP_APP_TOKEN to pull the rules configured in the
# Semgrep platform; without a token pass --config explicitly and add --error so
# findings make the step fail
semgrep ci
semgrep scan --config=p/security-audit --error .

# JSON output for integration
semgrep --json --output=results.json .
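The registry rule sets above cover the common classes, but most teams end up writing a few rules of their own. The script below is an added example (not code from the page or from the Semgrep project): it writes a rule that flags any `subprocess.<function>(..., shell=True, ...)` call in Python, writes the annotated fixture that Semgrep's `--test` mode uses to check the rule (a `# ruleid:` line must match, an `# ok:` line must not), and runs the self-test when Semgrep is installed. The rule id, the file names and the `./semgrep-rules` directory are this example's own choices.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: write a custom Semgrep rule plus the
# fixture that `semgrep --test` checks it against. Rule id, file names and the
# target directory are choices made for this example.
set -eu

# Create <dir>/no-subprocess-shell-true.yaml and the matching .py fixture.
# --test pairs a rule file with a code file of the same base name.
write_semgrep_rule() {
  local dir="$1"
  mkdir -p "$dir"
  cat > "$dir/no-subprocess-shell-true.yaml" <<'EOF'
rules:
  - id: no-subprocess-shell-true
    languages: [python]
    severity: ERROR
    message: >
      subprocess.$FUNC called with shell=True; pass an argv list with
      shell=False so user input is never parsed by the shell (CWE-78)
    metadata:
      cwe: "CWE-78"
    pattern: subprocess.$FUNC(..., shell=True, ...)
EOF
  cat > "$dir/no-subprocess-shell-true.py" <<'EOF'
import subprocess

def vulnerable(user_input):
    # ruleid: no-subprocess-shell-true
    subprocess.run("ls " + user_input, shell=True)

def hardened(user_input):
    # ok: no-subprocess-shell-true
    subprocess.run(["ls", "--", user_input], shell=False)
EOF
  echo "$dir/no-subprocess-shell-true.yaml"
}

# Run the rule's self-test; returns 2 (and says so) when semgrep is not on PATH.
semgrep_test_rule() {
  local rule="$1"
  if ! command -v semgrep >/dev/null 2>&1; then
    echo "semgrep not installed, skipping --test" >&2
    return 2
  fi
  semgrep --test --config "$rule" "$(dirname "$rule")"
}

rule_file=$(write_semgrep_rule ./semgrep-rules)
semgrep_test_rule "$rule_file" || true
```

Keep rule and fixture together under version control and run `semgrep --test` on the directory in CI, so a rule that silently stops matching (after a Semgrep upgrade, say) is caught before it lets real findings through.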

SonarQube/SonarCloud

# Scanner CLI
# Windows
winget install SonarSource.SonarScanner

# macOS
brew install sonar-scanner

# Local server (Docker); the initial admin/admin login must be changed at first sign-in
docker run -d --name sonarqube -p 9000:9000 sonarqube:community

# Run the scanner. Pass the token through the environment rather than
# -Dsonar.token=... so it does not end up in shell history or CI logs
export SONAR_TOKEN="<token generated under My Account > Security>"
sonar-scanner \
  -Dsonar.projectKey=myproject \
  -Dsonar.sources=. \
  -Dsonar.host.url=http://localhost:9000

CodeQL (GitHub)

# Install the CodeQL CLI as a GitHub CLI extension; commands are then invoked as `gh codeql ...`
gh extension install github/gh-codeql

# Create a database (compiled languages also need --command='<build command>')
gh codeql database create ./codeql-db --language=javascript

# Analyze with the default query suite for the language
gh codeql database analyze ./codeql-db --format=sarif-latest --output=results.sarif

# In GitHub Actions
# uses: github/codeql-action/analyze@v3

Dependency Scanning

Trivy (Recommended - all in one)

# Install
# Windows
winget install aquasecurity.trivy

# macOS
brew install trivy

# Linux (Trivy is not in the stock Debian/Ubuntu repositories: add Aqua's apt
# repository first, as described in the install docs, or use the release binary)
sudo apt install trivy

# Scan the filesystem (dependency manifests and lock files)
trivy fs .

# Scan a Docker image
trivy image myapp:latest

# Scan IaC (Terraform, etc.)
trivy config .

# Scan a remote repository
trivy repo https://github.com/user/repo

# Output formats
trivy fs --format json --output results.json .
trivy fs --format sarif --output results.sarif .

# Severities
trivy fs --severity HIGH,CRITICAL .

# Fail the build on findings (the default exit code is 0 even when there are findings)
trivy fs --exit-code 1 --severity HIGH,CRITICAL .

# Ignore vulnerabilities
# List IDs in a .trivyignore file, one per line; an entry may carry an expiry
# date ("<ID> exp:YYYY-MM-DD") after which it is no longer ignored
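An ignore list without expiry dates quietly becomes permanent. The script below is an added example (not code from the page or from the Trivy project) showing the pattern as a shell helper: every exception is recorded with its reason and an `exp:` date in Trivy's `.trivyignore` syntax, lapsed exceptions are listed so they can be reviewed, and the scan itself runs as a gate that only fails on fixable HIGH/CRITICAL findings not covered by the file. The vulnerability IDs (`CVE-0000-0001`, `CVE-0000-0002`) are constructed placeholders, and the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: keep a .trivyignore whose entries
# carry an expiry date, list the exceptions that have lapsed, and run Trivy as a
# CI gate. Trivy reads lines of the form "<ID> exp:YYYY-MM-DD" and stops honouring
# an entry after that date. The IDs used below are constructed placeholders.
set -eu

# Append an ignore entry, with the reason recorded as a comment above it.
trivy_ignore_add() {
  local file="$1"
  local id="$2"
  local expires="$3"
  local reason="$4"
  printf '# %s\n%s exp:%s\n' "$reason" "$id" "$expires" >> "$file"
}

# Print the IDs whose exp: date is before today (or before the date given as $2).
# Dates are reduced to YYYYMMDD integers so a plain -lt compares them.
trivy_ignore_expired() {
  local file="$1"
  local today="${2:-$(date +%F)}"
  local today_n expiry_n id tag
  today_n=$(printf '%s' "$today" | tr -d '-')
  while read -r id tag _; do
    case "$id" in ''|'#'*) continue ;; esac       # skip blank lines and comments
    case "$tag" in exp:*) ;; *) continue ;; esac   # entries without an expiry never lapse
    expiry_n=$(printf '%s' "${tag#exp:}" | tr -d '-')
    if [ "$expiry_n" -lt "$today_n" ]; then
      echo "$id"
    fi
  done < "$file"
}

# CI gate: only fixable HIGH/CRITICAL findings that are not in the ignore file
# make Trivy exit non-zero.
trivy_gate() {
  trivy fs --exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed \
    --ignorefile "${2:-.trivyignore}" "${1:-.}"
}

# Demo with constructed entries: one lapsed in 2000, one still valid.
trivy_ignore_add .trivyignore CVE-0000-0001 2000-01-01 "mitigated by network policy; re-evaluate"
trivy_ignore_add .trivyignore CVE-0000-0002 2999-12-31 "no upstream fix available yet"
trivy_ignore_expired .trivyignore   # prints CVE-0000-0001
if command -v trivy >/dev/null 2>&1; then
  trivy_gate . .trivyignore || echo "findings: fix them or record a dated exception" >&2
else
  echo "trivy not installed; skipping the scan" >&2
fi
```

Run `trivy_ignore_expired` as a scheduled job or a pre-merge check: an entry past its date is no longer suppressed by Trivy, so the scan will start failing on it, and the listed ID tells the reviewer which exception to renew or retire.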

Snyk

# Install
npm install -g snyk

# Authenticate
snyk auth

# Scan dependencies (add --severity-threshold=high to fail only on high/critical)
snyk test

# Scan a container image
snyk container test myapp:latest

# Scan IaC
snyk iac test

# Monitor (CI/CD): uploads a dependency snapshot so Snyk alerts on new advisories
snyk monitor

npm/pnpm audit

# npm
npm audit
npm audit --audit-level=high   # non-zero exit only for high/critical
npm audit fix
npm audit --json

# pnpm
pnpm audit
pnpm audit --fix

pip-audit (Python)

pip install pip-audit

pip-audit                        # audits the current environment
pip-audit -r requirements.txt    # audits a requirements file
pip-audit --fix
pip-audit --format json

Container Security

Docker Scout

# Bundled with Docker Desktop

# Scan an image
docker scout cves myapp:latest
docker scout cves --only-severity critical,high myapp:latest

# Recommendations (base image updates)
docker scout recommendations myapp:latest

# Compare two images (--to names the baseline)
docker scout compare --to myapp:v1 myapp:v2

Grype

# Install
brew install grype  # macOS
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin

# Scan an image
grype myapp:latest

# Scan a directory
grype dir:.

# Fail with a non-zero exit code at or above a severity
grype myapp:latest --fail-on high

# SARIF output
grype myapp:latest -o sarif > results.sarif

Secrets Detection

Gitleaks

# Install
brew install gitleaks  # macOS
winget install Gitleaks.Gitleaks  # Windows

# Scan the repository (full git history)
gitleaks detect

# Scan a directory
gitleaks detect --source .

# Keep secret values out of the output and write a report
gitleaks detect --redact --report-format json --report-path gitleaks-report.json

# In a pre-commit hook (Gitleaks 8.19+ spells this `gitleaks git --pre-commit --staged`)
gitleaks protect --staged

# Baseline: save today's findings once, then report only new ones on later runs
gitleaks detect --report-path .gitleaks-baseline.json
gitleaks detect --baseline-path .gitleaks-baseline.json

TruffleHog

# Install. The commands below need TruffleHog v3 (the Go rewrite);
# `pip install trufflehog` installs the unmaintained v2 with a different CLI
brew install trufflehog
# or the install script
curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin

# Scan Git history (--only-verified reports only secrets confirmed live against their service)
trufflehog git file://. --only-verified

# Scan a GitHub organization
trufflehog github --org=myorg

# Scan the filesystem
trufflehog filesystem .

detect-secrets (Yelp)

pip install detect-secrets

# Create a baseline of current findings
detect-secrets scan > .secrets.baseline

# Audit the baseline interactively (mark each finding real or false positive)
detect-secrets audit .secrets.baseline

# Pre-commit: fail on findings not in the baseline
detect-secrets-hook --baseline .secrets.baseline

Infrastructure Security

tfsec (Terraform)

# Note: tfsec has been folded into Trivy; `trivy config .` runs the same checks
# and is where new rules are added

# Install
brew install tfsec  # macOS
winget install aquasecurity.tfsec  # Windows

# Scan
tfsec .

# With a minimum severity
tfsec --minimum-severity HIGH .

# Exclude rules by ID
tfsec --exclude aws-s3-enable-bucket-encryption .

Checkov

# Install
pip install checkov

# Scan a directory (Terraform, CloudFormation, Kubernetes, Helm, Dockerfile and others are auto-detected)
checkov -d .

# Restrict to one framework
checkov -d . --framework terraform

# Scan a Kubernetes manifest
checkov -f deployment.yaml

# Scan a Dockerfile
checkov -f Dockerfile --framework dockerfile

Prowler (AWS)

# Install
pip install prowler

# Scan the account of the current AWS credentials (or select a profile with -p)
prowler aws

# Specific regions
prowler aws --filter-region us-east-1

# Compliance frameworks (list the available names first)
prowler aws --list-compliance
prowler aws --compliance cis_2.0_aws

DAST (Dynamic Analysis)

Only scan targets you are authorized to test: the full scan and Nuclei send active attack payloads.

OWASP ZAP

# Docker. The old owasp/zap2docker-* images are no longer updated; use ghcr.io/zaproxy/zaproxy.
# Mount the working directory on /zap/wrk so the reports (-r, -J) land on the host
docker run --rm -v "$(pwd)":/zap/wrk:rw -t ghcr.io/zaproxy/zaproxy:stable \
  zap-baseline.py -t https://example.com -r baseline-report.html

# Full scan (active scanning, intrusive)
docker run --rm -v "$(pwd)":/zap/wrk:rw -t ghcr.io/zaproxy/zaproxy:stable \
  zap-full-scan.py -t https://example.com -r full-report.html

# API scan from an OpenAPI definition
docker run --rm -v "$(pwd)":/zap/wrk:rw -t ghcr.io/zaproxy/zaproxy:stable \
  zap-api-scan.py -t https://api.example.com/openapi.json -f openapi -r api-report.html

Nuclei

# Install
brew install nuclei  # macOS
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest

# Update templates
nuclei -update-templates

# Scan
nuclei -u https://example.com

# Specific templates or tags (templates live under http/, network/, etc.)
nuclei -u https://example.com -t http/cves/
nuclei -u https://example.com -tags cve,misconfig -severity critical,high

Pre-commit Hooks

.pre-commit-config.yaml:

repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.18.0
    hooks:
      - id: gitleaks

  - repo: https://github.com/Yelp/detect-secrets
    rev: v1.4.0
    hooks:
      - id: detect-secrets
        args: ['--baseline', '.secrets.baseline']

  - repo: https://github.com/aquasecurity/tfsec
    rev: v1.28.0
    hooks:
      - id: tfsec

  - repo: https://github.com/antonbabenko/pre-commit-terraform
    rev: v1.86.0
    hooks:
      - id: terraform_checkov

  - repo: https://github.com/semgrep/semgrep
    rev: v1.52.0
    hooks:
      - id: semgrep
        args: ['--config', 'auto', '--error']

The semgrep hook needs a --config argument; --error makes findings block the commit. Keep each rev pinned to a tag you have reviewed (pre-commit autoupdate bumps them).

# Install pre-commit
pip install pre-commit

# Install the hooks into .git/hooks
pre-commit install

# Run manually against the whole tree
pre-commit run --all-files

CI/CD Integration (GitHub Actions)

# .github/workflows/security.yml
name: Security Scan

on: [push, pull_request]

permissions:
  contents: read

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history so Gitleaks can scan every commit

      # Secrets detection
      - name: Gitleaks
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      # Dependency scanning. Pin the action to a release tag or commit SHA, never @master
      - name: Trivy FS scan
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: 'fs'
          scan-ref: '.'
          severity: 'HIGH,CRITICAL'
          exit-code: '1'   # fail the job on findings; the action's default exit code is 0

      # SAST (returntocorp/semgrep-action is deprecated; run the CLI directly)
      - name: Semgrep
        run: |
          pip install semgrep
          semgrep scan --config p/security-audit --error .

      # Container scanning
      - name: Build image
        run: docker build -t myapp:${{ github.sha }} .

      - name: Trivy image scan
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: 'myapp:${{ github.sha }}'
          severity: 'HIGH,CRITICAL'
          exit-code: '1'

Commands Claude Code Will Run

# SAST
semgrep scan
semgrep --config=p/security-audit .

# Dependencies
trivy fs .
npm audit
pip-audit
snyk test

# Containers
trivy image myapp:latest
docker scout cves myapp:latest
grype myapp:latest

# Secrets
gitleaks detect
trufflehog git file://.

# IaC
tfsec .
checkov -d .

# DAST (only against targets you are authorized to scan)
nuclei -u https://example.com

Environment Check

#!/bin/bash
# Reports which of the tools in this guide are on PATH, with the first line of their version output.
check() {
  local name="$1"; shift
  if "$@" >/dev/null 2>&1; then
    printf '%-14s %s\n' "$name" "$("$@" 2>&1 | head -n1)"
  else
    printf '%-14s not installed\n' "$name"
  fi
}

echo "=== Security Environment Check ==="

echo; echo "--- SAST ---"
check semgrep semgrep --version
check codeql gh codeql version

echo; echo "--- Dependency Scanning ---"
check trivy trivy --version
check snyk snyk --version
check pip-audit pip-audit --version

echo; echo "--- Containers ---"
check grype grype version
check "docker scout" docker scout version

echo; echo "--- Secrets ---"
check gitleaks gitleaks version
check trufflehog trufflehog --version

echo; echo "--- IaC ---"
check tfsec tfsec --version
check checkov checkov --version
check prowler prowler --version

echo; echo "--- DAST ---"
check nuclei nuclei -version

echo; echo "=== Check Complete ==="

Resources