Claude Code Plugin for scanning your code on your machine for vulnerabilities using GitHub's official data
harish-garg/security-scanner-plugin

Security Scanner Plugin for Claude Code

Bring GitHub's security scanning directly into Claude Code. Scan for vulnerabilities, exposed secrets, and code security issues without leaving your IDE.

Features

  • 🔍 Dependency Scanning: Check for vulnerable dependencies using GitHub Dependabot
  • 🔒 Secret Detection: Find exposed API keys, tokens, and credentials
  • 🛡️ Code Analysis: Review code security findings
  • 🤖 AI-Powered: Get plain-English explanations of vulnerabilities and fix suggestions
  • Fast: Results in seconds without leaving Claude Code

Prerequisites

Required: GitHub MCP Server must be configured in Claude Code.

Setting up GitHub MCP Server

  1. Install the GitHub MCP Server (optional if you keep the npx -y invocation in the next step, which fetches the package on demand):

    npm install -g @modelcontextprotocol/server-github
  2. Configure it in your Claude Code settings (~/.claude/settings.json). The server reads the token from the GITHUB_PERSONAL_ACCESS_TOKEN variable:

    {
      "mcpServers": {
        "github": {
          "command": "npx",
          "args": ["-y", "@modelcontextprotocol/server-github"],
          "env": {
            "GITHUB_PERSONAL_ACCESS_TOKEN": "your-github-token"
          }
        }
      }
    }

    The token sits in plain text in this file: keep it readable only by your user (chmod 600), never commit it, and rotate it if the machine is shared. Because npx -y fetches the latest published package on every start, pin the package version in args if you want a reproducible supply chain.
  3. Create a GitHub Personal Access Token (classic) with the narrowest scopes that work:

    • security_events (read Dependabot, code scanning and secret scanning alerts on private repositories; public_repo is enough for public ones)
    • repo only if the server must also read or change repository contents; it is full read/write access to every repository you can reach, so omit it when alerts are all the plugin needs

For complete setup instructions, see: https://github.com/github/github-mcp-server. Note that this repository is GitHub's own MCP server, distributed as a Docker image or binary rather than the npm package above; its configuration differs, so follow its README if you use it instead.
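Before relying on the configuration above, confirm that the token carries the scopes the plugin needs and nothing broader. The following is an added example, not part of the plugin or of the MCP server: it reads the X-OAuth-Scopes header that GitHub returns for classic personal access tokens and compares it with what the alert endpoints require. The function names (evaluate_scopes, verdict, check_token) are this example's own.

```python
"""Pre-flight check of the token used in the MCP server configuration above.

Added example, not part of the plugin or of the MCP server. GitHub returns the
scopes of a classic personal access token in the X-OAuth-Scopes response header;
fine-grained tokens (github_pat_ prefix) do not carry it and are reported as such.
"""
import urllib.request

# The Dependabot, code scanning and secret scanning alert endpoints accept either
# scope. public_repo works only for public repositories and is treated as
# insufficient here.
ALERT_SCOPES = {"security_events", "repo"}
# repo is full read/write on every repository the token owner can reach.
BROAD_SCOPES = {"repo"}


def parse_scopes(header_value):
    """'repo, security_events' -> {'repo', 'security_events'}; missing header -> set()."""
    return {s.strip() for s in (header_value or "").split(",") if s.strip()}


def evaluate_scopes(header_value):
    """Return (sufficient_for_alerts, overbroad_scopes, all_scopes)."""
    scopes = parse_scopes(header_value)
    return bool(scopes & ALERT_SCOPES), sorted(scopes & BROAD_SCOPES), scopes


def verdict(header_value):
    """Human-readable result for one X-OAuth-Scopes header value."""
    sufficient, overbroad, scopes = evaluate_scopes(header_value)
    if not sufficient:
        return f"insufficient: have {sorted(scopes) or 'no scopes'}, need security_events"
    if overbroad:
        return f"works, but {overbroad} is broader than needed; security_events alone reads alerts"
    return "ok: least-privilege scopes for reading alerts"


def check_token(token):
    """Ask GitHub which scopes the token has. Not called by the offline demo."""
    if token.startswith("github_pat_"):
        return ("fine-grained token: classic scopes do not apply; grant read access to "
                "Dependabot, code scanning and secret scanning alerts in its repository permissions")
    req = urllib.request.Request("https://api.github.com/user", headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
        "X-GitHub-Api-Version": "2022-11-28",
    })
    with urllib.request.urlopen(req) as resp:
        return verdict(resp.headers.get("X-OAuth-Scopes"))


if __name__ == "__main__":
    import os
    # Run with the same variable the settings file hands to the server.
    print(check_token(os.environ["GITHUB_PERSONAL_ACCESS_TOKEN"]))
```

Run it with GITHUB_PERSONAL_ACCESS_TOKEN exported in your shell; a "works, but ['repo'] is broader than needed" verdict means the plugin will function but the token can do far more than read alerts, and a fresh token with only security_events is the safer choice.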

Installation

From a Marketplace

If you're installing from a configured marketplace:

/plugin install github-security-scanner@marketplace-name

Local Development Installation

  1. Clone this repository:

    git clone https://github.com/harish-garg/security-scanner-plugin.git
    cd security-scanner-plugin
  2. Create a local marketplace (for testing):

    mkdir ../dev-marketplace
    cd ../dev-marketplace
    mkdir .claude-plugin
    cat > .claude-plugin/marketplace.json << 'EOF'
    {
      "name": "dev-marketplace",
      "owner": { "name": "Developer" },
      "plugins": [
        {
          "name": "github-security-scanner",
          "source": "../security-scanner-plugin",
          "description": "Security scanner plugin for Claude Code"
        }
      ]
    }
    EOF
  3. In Claude Code:

    /plugin marketplace add ./dev-marketplace
    /plugin install github-security-scanner@dev-marketplace
  4. Restart Claude Code to activate the plugin

Usage

Quick Dependency Check

Check for vulnerable dependencies in your current repository:

/check-deps

Example output:

Found 3 vulnerable dependencies:
- Critical: lodash (CVE-2021-23337)
- High: axios (CVE-2021-3749)
- Medium: moment (CVE-2022-24785)

Run /security-scan for a complete audit.

Scan for Exposed Secrets

Detect exposed API keys, tokens, and credentials:

/check-secrets

What it finds:

  • AWS Access Keys
  • GitHub Personal Access Tokens
  • API keys and credentials
  • Private keys and certificates
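The plugin's /check-secrets draws on GitHub's secret scanning data. For the pre-commit use case it is useful to have a local pre-filter as well, so below is an added example that is not the plugin's code: a pattern-based scanner for the four credential types listed above, with a Shannon-entropy filter so that placeholder strings assigned to names like api_key are not reported. The sample text, the rule names and the entropy threshold are this example's own choices; the token length assumed for the non-ghp_ GitHub prefixes is an assumption.

```python
"""Local pre-commit pre-filter for the secret types listed above.

Added example, not the plugin's /check-secrets (which reads GitHub's secret
scanning data). SAMPLE is constructed for this demo.
"""
import math
import re
import subprocess
import sys
from dataclasses import dataclass

RULES = [
    # AWS access key IDs: AKIA (long-lived) or ASIA (temporary) + 16 upper-case alphanumerics
    ("aws_access_key_id", re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[0-9A-Z]{16}(?![A-Z0-9])")),
    # GitHub tokens: classic PAT (ghp_) has a 36-char body; the same length is
    # assumed here for the gho_/ghu_/ghs_ prefixes
    ("github_token", re.compile(r"gh[pous]_[A-Za-z0-9]{36}(?![A-Za-z0-9])")),
    # Fine-grained PAT: github_pat_ + 82-char body
    ("github_token", re.compile(r"github_pat_[A-Za-z0-9_]{82}(?![A-Za-z0-9_])")),
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |PGP )?PRIVATE KEY(?: BLOCK)?-----")),
    # Quoted value of 16+ chars assigned to a secret-looking name; entropy-filtered below
    ("generic_secret", re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|passw(?:or)?d)\b\s*[:=]\s*['\"]([^'\"]{16,})['\"]")),
]
# Bits per character. Prose-like placeholders score around 3.5, random
# alphanumerics 4.5 to 5. Real passphrases made of words slip through this filter.
ENTROPY_THRESHOLD = 4.0


@dataclass
class Finding:
    path: str
    line: int
    kind: str
    preview: str  # redacted, safe to print in CI logs


def shannon_entropy(s):
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value):
    return value[:4] + "..." + value[-4:] if len(value) > 12 else "***"


def scan_text(text, path="<text>"):
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in RULES:
            for m in rx.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if kind == "generic_secret" and shannon_entropy(value) < ENTROPY_THRESHOLD:
                    continue  # looks like a placeholder, not a credential
                findings.append(Finding(path, lineno, kind, redact(value)))
    return findings


def scan_files(paths):
    findings = []
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_text(fh.read(), path))
        except OSError:  # directories, submodules, unreadable files
            continue
    return findings


def staged_files():
    """Paths staged for commit (added/copied/modified), for use from a pre-commit hook."""
    out = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=ACM", "-z"],
                         check=True, capture_output=True, text=True).stdout
    return [p for p in out.split("\0") if p]


# Constructed sample. Line 1 is the access key ID from AWS's own documentation
# examples; line 2 is a made-up 36-char body; line 4 is a low-entropy placeholder
# the generic rule must skip; line 5 is a made-up high-entropy value it must report.
SAMPLE = """\
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
-----BEGIN RSA PRIVATE KEY-----
api_key = "not-a-real-key-just-words"
api_key = "f9Z2kL7pQ1vX8mN4bR6tY3wE5uH0sA2d"
"""

if __name__ == "__main__":
    if sys.argv[1:] == ["--staged"]:
        hits = scan_files(staged_files())
    elif sys.argv[1:]:
        hits = scan_files(sys.argv[1:])
    else:
        hits = scan_text(SAMPLE, "<sample>")
    for f in hits:
        print(f"{f.path}:{f.line}: {f.kind} {f.preview}")
    sys.exit(1 if hits else 0)
```

Wire it into .git/hooks/pre-commit as `python3 secret_prefilter.py --staged` (file name assumed); a non-zero exit blocks the commit. Treat it as a fast first line, not a replacement for GitHub's scanning: the regexes only know well-formed token formats, and the entropy filter trades some false negatives for far fewer false positives.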

Comprehensive Security Scan

Run a full security audit with Dependabot, code scanning, and secret detection:

/security-scan

Provides:

  • Total vulnerability count
  • Breakdown by severity (Critical, High, Medium, Low)
  • Top 5 most critical issues with CVE details
  • Actionable recommendations
  • Prioritized next steps
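The /check-deps and /security-scan summaries above are built from the same data GitHub exposes through its Dependabot alerts REST API. To show what that reduction looks like, here is an added example, not the plugin's code: it fetches open alerts with pagination, filters out dismissed ones, counts them by severity, ranks the top five and prints them in the style of the output shown earlier. The alert field names follow the REST API; the example-* packages and GHSA-0000-* identifiers in the sample are invented, and the lodash entry uses the CVE and fixed version this page already cites.

```python
"""Summarise GitHub Dependabot alerts the way a /check-deps report does.

Added example, not the plugin's own code. Alert fields follow GitHub's REST API
(GET /repos/{owner}/{repo}/dependabot/alerts); SAMPLE_ALERTS is constructed.
"""
import json
import urllib.request
from collections import Counter

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

def next_page(link_header):
    """Return the rel="next" URL from a GitHub Link header, or None on the last page."""
    for part in link_header.split(","):
        url, _, rel = part.strip().partition(";")
        if 'rel="next"' in rel:
            return url.strip().strip("<>")
    return None

def fetch_open_alerts(owner, repo, token, per_page=100):
    """Fetch every open alert, following pagination. Needs security_events (or
    public_repo on a public repository). Not called by the offline demo."""
    url = (f"https://api.github.com/repos/{owner}/{repo}/dependabot/alerts"
           f"?state=open&per_page={per_page}")
    alerts = []
    while url:
        req = urllib.request.Request(url, headers={
            "Accept": "application/vnd.github+json",
            "Authorization": f"Bearer {token}",
            "X-GitHub-Api-Version": "2022-11-28",
        })
        with urllib.request.urlopen(req) as resp:
            alerts.extend(json.load(resp))
            url = next_page(resp.headers.get("Link", ""))
    return alerts

def describe(alert):
    """Reduce one alert to the fields a remediation line needs."""
    adv = alert["security_advisory"]
    vuln = alert["security_vulnerability"]
    pkg = alert["dependency"]["package"]["name"]
    patched = (vuln.get("first_patched_version") or {}).get("identifier")
    return {
        "severity": adv["severity"],
        "package": pkg,
        # GHSA-only advisories carry cve_id == None; fall back to the GHSA id
        "id": adv.get("cve_id") or adv["ghsa_id"],
        "vulnerable_range": vuln["vulnerable_version_range"],
        "fix": f"upgrade to {pkg}@{patched}" if patched else "no patched version yet",
        "manifest": alert["dependency"]["manifest_path"],
    }

def summarize(alerts, top_n=5):
    """Count open alerts by severity and rank the top_n most severe."""
    open_alerts = [a for a in alerts if a.get("state") == "open"]  # drops dismissed/fixed
    counts = Counter(a["security_advisory"]["severity"] for a in open_alerts)
    ranked = sorted(open_alerts, key=lambda a: (
        SEVERITY_ORDER.get(a["security_advisory"]["severity"], len(SEVERITY_ORDER)),
        a["dependency"]["package"]["name"]))
    return {
        "total": len(open_alerts),
        "by_severity": {s: counts.get(s, 0) for s in SEVERITY_ORDER},
        "top": [describe(a) for a in ranked[:top_n]],
    }

def format_report(summary):
    lines = [f"Found {summary['total']} vulnerable dependencies:"]
    for item in summary["top"]:
        lines.append(f"- {item['severity'].capitalize()}: {item['package']} "
                     f"({item['id']}, {item['vulnerable_range']}) -> {item['fix']}")
    return "\n".join(lines)

def _alert(state, eco, name, manifest, severity, cve, ghsa, rng, patched):
    """Build a constructed alert in the REST API shape."""
    return {"state": state,
            "dependency": {"package": {"ecosystem": eco, "name": name}, "manifest_path": manifest},
            "security_advisory": {"ghsa_id": ghsa, "cve_id": cve, "severity": severity},
            "security_vulnerability": {"vulnerable_version_range": rng,
                                       "first_patched_version": {"identifier": patched} if patched else None}}

# Constructed sample: the lodash CVE and fixed version are those cited on this page
# (its GHSA id is left as a placeholder); the example-* packages and GHSA-0000-* ids
# are invented. The dismissed alert must not be counted.
SAMPLE_ALERTS = [
    _alert("open", "npm", "lodash", "package-lock.json", "high",
           "CVE-2021-23337", "GHSA-xxxx-xxxx-xxxx", "< 4.17.21", "4.17.21"),
    _alert("open", "pip", "example-parser", "requirements.txt", "critical",
           None, "GHSA-0000-0000-0002", "< 2.0.0", "2.0.0"),
    _alert("open", "npm", "example-logger", "package-lock.json", "medium",
           None, "GHSA-0000-0000-0003", "<= 1.4.2", None),
    _alert("dismissed", "npm", "example-logger", "package-lock.json", "low",
           None, "GHSA-0000-0000-0004", "< 1.0.0", "1.0.0"),
]

if __name__ == "__main__":
    print(format_report(summarize(SAMPLE_ALERTS)))
```

Two details matter in practice: the API returns dismissed and fixed alerts too unless you filter on state, so a raw count overstates exposure, and some advisories have no CVE at all, so a report keyed only on cve_id silently drops them.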

Explain a Vulnerability

Get plain-English explanations of specific CVEs:

/explain-cve CVE-2021-23337

Or just run it and provide the CVE when prompted.

Example interaction:

User: /explain-cve CVE-2021-23337

Claude: This vulnerability in lodash allows command injection through
template strings. If your app uses lodash templates with user input,
attackers could execute arbitrary code.

Impact: High - Remote Code Execution
Affected: lodash < 4.17.21
Fix: Upgrade to lodash@4.17.21 or later

Available Commands

Command          Description               Use Case
/security-scan   Full security audit       Regular security reviews
/check-deps      Quick dependency check    Before deployments
/check-secrets   Secret scanning           Pre-commit checks
/explain-cve     Explain vulnerabilities   Understanding security issues

Security Reviewer Agent

The plugin includes a specialized security analyst agent that Claude can invoke automatically when analyzing security issues.

Agent capabilities:

  • Vulnerability analysis and risk assessment
  • Dependency management advice
  • Security best practices
  • CVE explanation in developer-friendly language
  • Prioritizing fixes based on real-world risk

Claude will automatically use this agent when:

  • Analyzing security scan results
  • Investigating vulnerabilities
  • Planning security remediation
  • Reviewing dependency updates

Best Practices

  1. Run regular scans: Use /security-scan weekly or before major releases
  2. Check before commits: Run /check-secrets to catch exposed credentials
  3. Understand vulnerabilities: Use /explain-cve to learn about security issues
  4. Prioritize fixes: Focus on Critical and High severity issues first
  5. Keep dependencies updated: Address Dependabot alerts promptly

Troubleshooting

"GitHub MCP Server not found"

Make sure the GitHub MCP Server is properly configured in your settings and your GitHub token has the required scopes.

"Repository not found"

Ensure you're running commands from within a Git repository that exists on GitHub and your token has access to it.

Plugin commands not appearing

After installation, restart Claude Code. Check /help to verify the plugin commands are loaded.

Contributing

Contributions are welcome! Please feel free to submit issues or pull requests.

License

MIT License - see LICENSE.md for details

About me

My name is Harish Garg. I am a solo developer. I write at my blog here.

I also maintain an MCP Resources Directory and a coding AI tools directory.
