A comprehensive security scanning command for Claude Code that performs OWASP-based vulnerability analysis using specialized AI agents.
- OWASP Top 10 (Web) - All 10 categories covered
- OWASP API Security Top 10 - All 10 categories covered
- Secret Detection - Finds hardcoded API keys, passwords, tokens
- License Compliance - Detects problematic licenses (GPL, AGPL)
- CVE Checking - Searches for known vulnerabilities in dependencies
- Docker Security - Analyzes Dockerfile and docker-compose (conditional)
- Dependency Audit - Runs native package manager audits (conditional)
- Claude Code CLI installed and configured
- A project to scan
- Clone or download this repository
- Copy the folders to your project's
.claude/directory:
# From your project root
cp -r path/to/claude-code-security-scan/commands .claude/
cp -r path/to/claude-code-security-scan/security .claude/Your project structure should look like:
your-project/
├── .claude/
│ ├── commands/
│ │ └── security-scan.md
│ └── security/
│ ├── agents/
│ │ ├── auth-access.md
│ │ ├── injection.md
│ │ ├── crypto-data.md
│ │ ├── config-infra.md
│ │ ├── api-specific.md
│ │ ├── design-logging.md
│ │ ├── secrets.md
│ │ ├── licenses.md
│ │ ├── cve-check.md
│ │ ├── dependency-audit.md
│ │ └── docker-security.md
│ └── templates/
│ └── report-template.md
├── src/
└── ...
- (Optional) Add
security-reports/to your.gitignore:
echo "security-reports/" >> .gitignoreAfter installation, you can optimize the security scanner for your specific codebase. This reduces scan time and improves accuracy by removing irrelevant checks (e.g., removing Django patterns from a Node.js project).
Run this prompt in Claude Code:
I just installed the security-scan command in .claude/. Please:
1. Analyze my codebase to detect my tech stack (frameworks, ORMs, auth libraries, infrastructure)
2. Read the command files in .claude/commands/security-scan.md and .claude/security/agents/
3. Optimize each security agent by:
- Removing Glob/Grep patterns for technologies I don't use
- Prioritizing vulnerability patterns for my actual frameworks
- Adding project-specific security patterns based on my code conventions
- Adjusting severity levels based on my stack's security best practices
4. Keep the agent structure, OWASP mappings, and output format unchanged
Show me what you'll change before applying.
In Claude Code, run the security scan command:
/security-scan
| Command | Description |
|---|---|
/security-scan |
Full scan (all checks) |
/security-scan quick |
Critical issues only (faster) |
/security-scan api-only |
Backend/API scanning only |
/security-scan web-only |
Frontend scanning only |
/security-scan secrets-only |
Only scan for hardcoded secrets |
/security-scan category:A05 |
Single OWASP Web category |
/security-scan category:API1 |
Single OWASP API category |
| ID | Name | Agent |
|---|---|---|
| A01 | Broken Access Control | auth-access |
| A02 | Security Misconfiguration | config-infra |
| A03 | Software Supply Chain Failures | config-infra |
| A04 | Cryptographic Failures | crypto-data |
| A05 | Injection | injection |
| A06 | Insecure Design | design-logging |
| A07 | Authentication Failures | auth-access |
| A08 | Data Integrity Failures | crypto-data |
| A09 | Security Logging & Alerting Failures | design-logging |
| A10 | Mishandling of Exceptional Conditions | design-logging |
| ID | Name | Agent |
|---|---|---|
| API1 | Broken Object Level Authorization (BOLA) | auth-access |
| API2 | Broken Authentication | auth-access |
| API3 | Broken Object Property Level Authorization | auth-access |
| API4 | Unrestricted Resource Consumption | api-specific |
| API5 | Broken Function Level Authorization (BFLA) | auth-access |
| API6 | Unrestricted Access to Sensitive Business Flows | api-specific |
| API7 | Server-Side Request Forgery (SSRF) | api-specific |
| API8 | Security Misconfiguration | config-infra |
| API9 | Improper Inventory Management | api-specific |
| API10 | Unsafe Consumption of APIs | api-specific |
| ID | Name | Agent | When |
|---|---|---|---|
| SECRET | Hardcoded Secrets | secrets | Always |
| LICENSE | License Compliance | licenses | Always |
| CVE | Known Vulnerabilities | cve-check | Always |
| AUDIT | Dependency Audit | dependency-audit | If package manager detected |
| DOCKER | Docker Security | docker-security | If Dockerfile detected |
- Tech Stack Detection - Automatically detects your frameworks, ORMs, and auth libraries
- Agent Execution - Spawns specialized agents for each security domain
- Finding Collection - Aggregates and deduplicates findings
- Report Generation - Creates a markdown report in
security-reports/ - Fix Mode - Optionally offers to fix Critical/High issues
Reports are saved to security-reports/YYYY-MM-DD-HHmm-scan.md with:
- Executive Summary (severity counts)
- Critical Findings (full details + remediation)
- High Findings (full details + remediation)
- Medium Findings (abbreviated)
- Low Findings (list format)
- Recommendations (prioritized actions)
The scanner auto-detects and adapts to:
Backend:
- NestJS, Express, Fastify, Hapi
- TypeORM, Prisma, Sequelize, Mongoose
- Passport, JWT authentication
Frontend:
- Angular, React, Vue, Svelte, Next.js
Infrastructure:
- Docker, Docker Compose
- npm, pnpm, yarn, pip
To adapt for your specific needs:
- Tech stack detection - Modify Step 1 in
security-scan.md - Agent behavior - Edit individual agents in
security/agents/ - Report format - Modify
security/templates/report-template.md - Severity thresholds - Adjust in agent files
Contributions welcome! Please:
- Fork the repository
- Create a feature branch
- Submit a pull request
MIT License - see LICENSE file.
This tool performs static analysis and pattern matching. It may produce false positives and cannot guarantee detection of all vulnerabilities. Always perform manual security reviews and penetration testing for production systems.