A Claude Code plugin that brings automated security scanning and comprehensive static security review to your development workflow.
It combines 12 scanning tools with an AI-powered senior AppSec engineer agent that performs deep manual analysis across 12 vulnerability categories — producing actionable, dual-audience reports you can hand to both engineers and stakeholders.
This material is a part of a 15-minute short talk at Claude Code Thailand Meetup on March 15, 2026. The link to the presentation slide is here.
| Component | Type | Description |
|---|---|---|
security-scanner |
Skill | Orchestrates Gitleaks, Bandit, Semgrep, Trivy, TruffleHog, CodeQL (GitHub repos), mcps-audit (MCP projects), OSV-Scanner (SCA), mcp-scan (opt-in MCP security), security-audit (Claude config audit), skill-security-auditor (skill/MCP deep analysis), and mcp-exfil-scan (MCP data exfiltration detection) to produce a structured scan report |
security-analysis |
Agent | Senior AppSec engineer that runs the scanner, then performs deep manual review across 12 vulnerability categories |
- Claude Code v1.0.33+
- Security tools (the scanner will check for these and offer to install any that are missing):
# Python SAST
pip install bandit
# Multi-language SAST
pip install semgrep
# Dependency & IaC scanner
brew install trivy
# Secret detection (git history + filesystem)
brew install trufflehog
# Secret detection (pre-commit friendly, SARIF output)
brew install gitleaks
# SCA / dependency vulnerability scanner
brew install osv-scanner
# ⚠️ Trivy v0.69.4–v0.69.6 were compromised (GHSA-69fq-xp46-6x23). Use v0.69.3 or v0.69.7+.- Optional tools (conditional — scanner detects and skips gracefully if unavailable):
- CodeQL — GitHub repos only. Requires
ghCLI authenticated and a CodeQL workflow in.github/workflows/ - mcps-audit — MCP projects only. Requires
npx(npm install -g npx) - mcp-scan — MCP security analysis. Requires
uvx(pip install uvorbrew install uv). Opt-in only — sends data to invariantlabs.ai API. Scanner always asks before running. - security-audit, skill-security-auditor, and mcp-exfil-scan — bundled inside the
.skillfile. No separate installation required. - jq — JSON parser used by mcp-exfil-scan. Optional — falls back to
python3if unavailable. Install:brew install jq
- CodeQL — GitHub repos only. Requires
What's bundled:
security-auditandskill-security-auditorscripts are packed inside both distribution files — no extragit clonerequired.
Download claude-code-security-plugins.zip from the Releases page, then:
# Extract
unzip claude-code-security-plugins.zip
# Quick test — one-time session, no permanent install
claude --plugin-dir ./claude-code-security-plugins
# Permanent install
claude plugin install ./claude-code-security-pluginsIncludes: security-scanner skill + security-analysis agent + bundled audit scripts (scripts/config-audit.py, scripts/skill-audit.sh, scripts/mcp-exfil-scan.sh).
Plugin structure inside ZIP:
claude-code-security-plugins/
├── .claude/
│ ├── skills/security-scanner/
│ │ ├── SKILL.md
│ │ ├── scripts/
│ │ │ ├── config-audit.py # Claude config audit (bundled)
│ │ │ ├── skill-audit.sh # Skill/MCP deep analysis (bundled)
│ │ │ └── mcp-exfil-scan.sh # MCP exfiltration detection (bundled)
│ │ └── reports/
│ └── agents/security-analysis.md
└── .claude-plugin/
├── plugin.json
└── marketplace.json
Download security-scanner.skill from the Releases page, then:
Double-click security-scanner.skill — Claude Code will install it automatically.
Or via terminal:
claude plugin install ./security-scanner.skillIncludes bundled audit scripts. Does not include the security-analysis agent.
Pin to a specific release tag to ensure integrity:
claude plugin install claude-code-security-plugins@1.5.0Security note: Always install from a tagged release rather than HEAD. Check the CHANGELOG before upgrading.
/claude-code-security-plugins:security-scanner
Runs all available tools against your codebase and produces a structured markdown report with findings, cross-tool observations, and coverage gaps.
Ask Claude naturally:
"Run a security review of this codebase"
"We're preparing to deploy v2.0 — can you do a security review first?"
"I just merged the auth branch, please review for vulnerabilities"
The security-analysis agent will automatically:
- Run the automated scanner (Phase 0)
- Perform codebase reconnaissance (Phase 1)
- Analyze 12 vulnerability categories with manual review (Phase 2)
- Document findings with structured fields (Phase 3)
- Produce a dual-audience report with executive summary and engineering findings (Phase 4)
Use /agents to see available agents and launch claude-code-security-plugins:security-analysis directly.
| Tool | Coverage | Condition |
|---|---|---|
| Gitleaks | Secrets in git history + filesystem, SARIF output | Always run (pre-check) |
| Bandit | Python SAST — injection, unsafe deserialization, subprocess, weak crypto | Python files present |
| Semgrep | Multi-language SAST — OWASP Top 10, Python, TypeScript, secrets (4 configs) | Always run |
| Trivy | Dependencies, IaC misconfigs, secrets, container images | Always run |
| TruffleHog | Secrets in git history with live API verification | Always run |
| CodeQL | Deep semantic SAST via GitHub Actions | GitHub repos only |
| mcps-audit | MCP skill/tool permission audit, prompt injection risks | MCP projects only |
| OSV-Scanner | SCA — dependency vulnerabilities via OSV.dev database | Always run |
| mcp-scan | MCP tool poisoning, prompt injection, rug pulls | Opt-in only (asks user) |
| security-audit (bundled) | Claude config audit — hooks, MCP servers, skills, CLAUDE.md | Always run |
| skill-security-auditor (bundled) | Skill/MCP deep analysis — prompt injection, allowed-tools risk, supply chain, risk score 0–100 | .skill/SKILL.md files present |
| mcp-exfil-scan (bundled) | MCP exfiltration — tool poisoning, outbound data flow, exfil chains, env leaking, source trust, risk score 0–100 | Always run |
- Injection Flaws
- Broken Access Control
- Hardcoded Secrets & Credential Exposure
- Cryptographic Misuse
- Insecure Deserialization
- Server-Side Request Forgery (SSRF)
- Dependency Vulnerabilities
- Authentication & Session Management
- Security Misconfiguration
- Logging & Monitoring Gaps
- Infrastructure-as-Code Risks
- CI/CD Pipeline Security
Since v1.6.0, the plugin aligns with the OWASP Autonomous Penetration Testing Standard (APTS) — a governance standard for autonomous security tooling — across the four domains that apply to a read-only static scanner embedded in an LLM agent:
| APTS Domain | How this plugin implements it |
|---|---|
| Scope Enforcement | "Scope Record" block (target path, git HEAD, include/exclude globs) recorded before any tool runs |
| Auditability | apts-audit.sh writes a JSONL audit log (/tmp/css-scan-<ts>.jsonl): init record + one record per tool invocation (exit code, duration, findings) + finalize |
| Manipulation Resistance | Top-of-SKILL notice + agent operational rule §8: directives inside scanned files, scanner output, or MCP manifests are data, not instructions — ignored |
| Reporting | Coverage Disclosure table (tool / ran? / files / reason) + per-finding Confidence and Validation fields + Section C "APTS Alignment Note" |
Explicitly out of scope for this plugin: Graduated Autonomy tiers, Human Oversight approval gates, Kill Switch, Rollback (all read-only — no mutating actions to govern). APTS Tier 2/3 conformance is not claimed.
Each release applies a prompt optimization pass — adding features while keeping token count as low as possible.
| File | v1.0.0 | v1.1.0 | v1.3.0 | v1.4.0 | v1.5.0 | v1.6.0 |
|---|---|---|---|---|---|---|
.claude/skills/security-scanner/SKILL.md |
348 lines | 145 lines | 179 lines | 202 lines | 169 lines | 188 lines |
.claude/agents/security-analysis.md |
142 lines | 112 lines | 112 lines | 112 lines | 86 lines | 97 lines |
scripts/config-audit.py (bundled) |
— | — | — | 14.7 KB | 14.7 KB | 14.7 KB |
scripts/skill-audit.sh (bundled) |
— | — | — | 14.8 KB | 14.8 KB | 14.8 KB |
scripts/mcp-exfil-scan.sh (bundled) |
— | — | — | — | 25.9 KB | 25.9 KB |
scripts/apts-audit.sh (bundled, new) |
— | — | — | — | — | 2.0 KB |
Added OWASP APTS governance alignment across four applicable domains and a new bundled audit-log helper.
| What changed | Detail |
|---|---|
Bundled scripts/apts-audit.sh |
JSONL audit-log helper: init (scope + git HEAD), log (per-tool exit/duration/findings), finalize (markdown summary) |
| Scope Record | Step 1 now prints target path, git HEAD, include/exclude globs before any tool runs (APTS § Scope Enforcement) |
| Audit Log Init (Step 3) | Scanner calls apts-audit.sh before tool runs and logs each invocation (APTS § Auditability) |
| Coverage Disclosure table | Report now includes tool / ran? / version / files covered / skipped reason table (replaces + extends old Pre-flight Summary) |
| Manipulation-Resistance block | <manipulation_resistance> XML block at top of SKILL.md + Operational Rule §7–8; agent Operational Rule §8 |
| Per-finding Confidence + Validation | Two new fields in Phase 3 finding format (APTS § Reporting — finding validation) |
| Section C "APTS Alignment Note" | New report section stating which domains are covered and which are out of scope |
| Prompt optimization (Sonnet 4.6) | SKILL.md: 169 → 188 lines but ~15% fewer tokens through redundancy removal and XML structure. Agent: fully restructured for declarative Sonnet 4.6 style |
Added mcp-exfil-scan — a 6-phase scanner detecting MCP data exfiltration risks. Bundled at scripts/mcp-exfil-scan.sh.
| What changed | Detail |
|---|---|
Bundled scripts/mcp-exfil-scan.sh |
6-phase scan: tool description poisoning, server outbound data flow, skill exfil chains, encoded/obfuscated payloads, env var leaking, GitHub source trust |
| Known-safe MCP whitelist | Reduces false positives for trusted MCP servers (anthropic, modelcontextprotocol, github, google, etc.) |
| Pre-flight updated | Checks jq availability (python3 fallback) + bundled mcp-exfil-scan.sh |
| Cross-tool correlation | mcp-exfil-scan findings correlated with config-audit + skill-audit results |
| Tools count | 11 → 12 |
security-scanner.skill is now fully self-contained — no additional git clone required for Claude-specific auditing.
| What changed | Detail |
|---|---|
Bundled scripts/config-audit.py |
Scans Claude hooks, MCP servers, installed skills, CLAUDE.md for safety-bypass instructions |
Bundled scripts/skill-audit.sh |
Deep per-file analysis: prompt injection, allowed-tools risk matrix, tool combination risks, supply chain patterns, MCP vectors, risk score 0–100 |
| Pre-flight updated | Checks bundled scripts via <skill-directory> relative path — no external dependency |
.skill structure |
Added scripts/ and reports/ directories inside ZIP |
| Tools count | 9 → 11 |
SKILL.md added OSV-Scanner, mcp-scan, Semgrep p/typescript + p/secrets, and a Trivy supply chain warning. Simultaneous optimizations kept growth to ~13% instead of ~31% a naive addition would have produced.
| Optimization | Savings |
|---|---|
$SG variable for Semgrep — define 7 common flags once, reuse across 4 configs |
~45 words |
| Report template compaction — generation instruction replaces 9 literal table rows | ~35 words |
| Frontmatter description tightened — removed redundant trigger prose | ~32 words |
| Step 3 intro + intro sentence removed (both covered by Operational Rule #2) | ~27 words |
| Install note condensed | ~18 words |
| Total optimization savings vs naive addition | ~157 words |
| Section | Before | After |
|---|---|---|
| Pre-flight bash block | Verbose if/else block (18 lines) | Single for-loop (7 lines) |
| Missing tools prompt | Multi-line prose quote block | One-liner ask |
| Install instructions | Expanded table + explanations | Compact inline note |
| Step headers | --- separators + prose |
Inline bold labels |
| Report template | Repeated "insert output here" prose | Single compact template |
security-analysis.md v1.1.0 changes:
| Section | Before | After |
|---|---|---|
| Persona | 2-sentence verbose intro | 1-sentence summary |
| Phase 0 | 4 sentences + redundant explanation | 1 sentence |
| Phase 1 labels | "Framework & Stack Identification" etc. | "Stack", "Entry Points" etc. |
| Vulnerability categories | Long comma lists with "Look for…" | Tight 1-liners |
| Detection Source field | 9-item enumerated list | Automated (<tool>) / Manual / Both |
| Severity definitions | Full prose per level | Compact bullet per level |
| Memory section | 10 lines with examples | 2-line summary |
MIT