Claude Code Plugins

Community-maintained marketplace

Feedback

security-scan-local

@gar-ai/mallorn
1
0

Run security scans locally (Semgrep, Trivy, Gitleaks) to detect vulnerabilities, secrets, and code issues before pushing. Use when the user wants to check for security issues, scan dependencies, or validate code security.

Install Skill

1Download skill
2Enable skills in Claude

Open claude.ai/settings/capabilities and find the "Skills" section

3Upload to Claude

Click "Upload skill" and select the downloaded ZIP file

Note: Please verify skill by going through its instructions before using it.

SKILL.md

name security-scan-local
description Run security scans locally (Semgrep, Trivy, Gitleaks) to detect vulnerabilities, secrets, and code issues before pushing. Use when the user wants to check for security issues, scan dependencies, or validate code security.

Security Scan Local

Runs the same security scans locally that execute in CI/CD, allowing developers to catch security issues before pushing code. This skill orchestrates three industry-standard security tools:

  • Semgrep: Static code analysis for security vulnerabilities and OWASP Top 10
  • Trivy: Dependency vulnerability scanning and IaC misconfiguration detection
  • Gitleaks: Secret detection in code and git history

Available Scripts

check.py

Checks if required security tools are installed and provides installation instructions.

python3 check.py

When to use: Before running scans for the first time, or to verify tool installation.

run.py

Runs all three security scans with the same configuration as CI/CD.

python3 run.py                    # Run all scans
python3 run.py --tool semgrep     # Run specific tool
python3 run.py --tool trivy       # Run Trivy only
python3 run.py --tool gitleaks    # Run Gitleaks only
python3 run.py --fast             # Skip Trivy IaC scan for speed

Exit codes:

  • 0: All scans passed (no issues found)
  • 1: Security issues found (matches CI behavior)
  • 2: Tool not installed or error

When to use: Before committing/pushing code to catch security issues early.

semgrep.py

Runs Semgrep code security analysis with OWASP Top 10 and language-specific rulesets.

python3 semgrep.py                # Standard scan
python3 semgrep.py --path ./src   # Scan specific directory
python3 semgrep.py --all          # Include all severity levels

Scans for:

  • SQL injection, XSS, command injection
  • Insecure deserialization
  • Authentication/authorization flaws
  • Language-specific vulnerabilities (Rust, Python, TypeScript)

When to use: Quick code security check, or when working on authentication/data handling code.

trivy.py

Runs Trivy dependency and infrastructure-as-code scanning.

python3 trivy.py                      # Scan dependencies + IaC
python3 trivy.py --deps-only          # Dependencies only (faster)
python3 trivy.py --iac-only           # IaC only
python3 trivy.py --path ./service     # Scan specific path

Scans for:

  • Vulnerable dependencies (npm, pip, cargo packages)
  • Terraform misconfigurations
  • Kubernetes security issues
  • Dockerfile best practice violations

When to use: After updating dependencies, or when modifying infrastructure code.

gitleaks.py

Runs Gitleaks secret detection across code and git history.

python3 gitleaks.py                # Full scan including history
python3 gitleaks.py --staged       # Staged files only (pre-commit)
python3 gitleaks.py --uncommitted  # Uncommitted changes only

Detects:

  • API keys, tokens, passwords
  • AWS credentials, private keys
  • Database connection strings
  • Any hardcoded secrets

When to use: Before committing, especially when working with credentials or environment files.

Workflow Examples

User says: "Run security scans"

python3 run.py

Runs all three tools with CI/CD configuration.

User says: "Check for secrets before committing"

python3 gitleaks.py --staged

Scans only staged files for secrets (fast pre-commit check).

User says: "Scan this service for vulnerabilities"

python3 trivy.py --path ./mercury-clustering

Scans a specific service directory.

User says: "Quick code security check"

python3 semgrep.py

Runs static analysis on all code.

User says: "Are the security tools installed?"

python3 check.py

Verifies tool installation and shows how to install missing tools.

Installation

The scripts will detect missing tools and provide installation commands. On macOS:

brew install semgrep trivy gitleaks

On other platforms, see tool-specific installation guides.

Notes

  • Matches CI/CD: Uses identical configuration to GitHub Actions workflows
  • Severity levels: Blocks on CRITICAL, HIGH, and MEDIUM (same as CI)
  • Test exclusions: Respects .semgrepignore, .gitleaksignore, .trivyignore
  • Performance: Full scan takes 5-6 minutes (same as CI); use --fast or tool-specific flags for quicker checks
  • SARIF output: Scripts can generate SARIF format for IDE integration (use --sarif flag)