Claude Code Plugins

Community-maintained marketplace

Feedback

security-scanning

@pwarnock/liaison-toolkit
2
0

Security scanning with dependency audits, secret detection, static analysis, and vulnerability management. Use when checking for vulnerabilities, scanning dependencies, or enforcing security gates.

Install Skill

1Download skill
2Enable skills in Claude

Open claude.ai/settings/capabilities and find the "Skills" section

3Upload to Claude

Click "Upload skill" and select the downloaded ZIP file

Note: Please verify skill by going through its instructions before using it.

SKILL.md

name security-scanning
description Security scanning with dependency audits, secret detection, static analysis, and vulnerability management. Use when checking for vulnerabilities, scanning dependencies, or enforcing security gates.
license MIT
metadata [object Object]

Security Scanning

Security vulnerability detection, secret scanning, and compliance checking for TypeScript and Node.js projects.

When to use this skill

Use this skill when:

  • Checking for dependency vulnerabilities
  • Scanning for exposed secrets in code or commits
  • Running static code analysis
  • Enforcing security gates before deployment
  • Reviewing code for security issues
  • Auditing package manifests

Dependency Auditing

Bun Audit

# Check for vulnerabilities in dependencies
bun audit

# Fix vulnerabilities automatically (interactive)
bun audit --fix

# Check production dependencies only
bun audit --production

# Generate audit report
bun audit --report-format json > audit-report.json

npm Audit (alternative)

# Standard audit
npm audit

# Fix vulnerabilities automatically
npm audit fix

# Audit specific severity levels
npm audit --audit-level moderate
npm audit --audit-level high

Snyk Integration

# Install Snyk CLI
bun install -g snyk

# Scan dependencies
snyk test

# Scan with all vulnerabilities shown
snyk test --severity-threshold=low

# Generate SARIF report
snyk test --sarif-file security-results.sarif

Dependency Allowlists

// .npmrc or .yarnrc
{
  "auditConfig": {
    "allowlist": [
      "package@1.0.0",
      "another-package@2.x.x"
    ]
  }
}

Secret Detection

Git Pre-commit Hooks

# .git/hooks/pre-commit
#!/bin/bash

# Scan for secrets before committing
SECRETS=$(git diff --cached --name-only | xargs grep -lE 'password|secret|key|token')

if [ -n "$SECRETS" ]; then
  echo "Error: Potential secrets found in staged files:"
  echo "$SECRETS"
  exit 1
fi

Gitleaks Integration

# Install gitleaks
bun install -g gitleaks

# Scan repository
gitleaks detect --source HEAD

# Scan with config
gitleaks detect --config .gitleaks.toml

# Prevent leaks in commits
gitleaks protect

Secret Patterns

// Common secret patterns to detect
const SECRET_PATTERNS = [
  /password\s*=\s*['"][^'"]+['"]/i,
  /api[_-]?key\s*=\s*['"][^'"]+['"]/i,
  /secret[_-]?key\s*=\s*['"][^'"]+['"]/i,
  /token\s*=\s*['"][^'"]+['"]/i,
  /bearer\s+[\s:]+['"][a-z0-9]{20,}/i,
  /aws[_-]access[_-]key[_-]id\s*=\s*['"][a-z0-9]{20,}/i,
  /private[_-]key\s*=\s*-----BEGIN\s+(RSA|EC|OPENSSH)/i,
];

// Scan files
function scanForSecrets(content: string): string[] {
  const secrets: string[] = [];
  for (const pattern of SECRET_PATTERNS) {
    const matches = content.match(pattern);
    if (matches) secrets.push(...matches);
  }
  return secrets;
}

Static Code Analysis

TypeScript Strict Mode

// tsconfig.json
{
  "compilerOptions": {
    "strict": true,
    "noUnusedLocals": true,
    "noUnusedParameters": true,
    "noImplicitReturns": true,
    "noFallthroughCasesInSwitch": true
  }
}

ESLint Security Rules

// .eslintrc.js
module.exports = {
  rules: {
    'no-eval': 'error',
    'no-implied-eval': 'error',
    'no-new-func': 'error',
    'no-script-url': 'error',
    'security/detect-object-injection': 'error',
    'security/detect-non-literal-regexp': 'error',
    'security/detect-possible-timing-attacks': 'error'
  }
};

Security Linting Tools

# ESLint with security plugin
bun eslint src --plugin security

# Bandit for Python (if applicable)
bandit -r src/

# Semgrep for custom security rules
semgrep --config security.yaml src/

Vulnerability Management

CVSS Scoring

CVSS Base Score:
0.0 - 3.9: LOW
4.0 - 6.9: MEDIUM
7.0 - 10.0: HIGH
10.1 - 10.0: CRITICAL

Fixing Vulnerabilities

# Review vulnerability report
bun audit --json | jq '.vulnerabilities[] | select(.severity == "high")'

# Update vulnerable package
bun update package-name

# Update all vulnerable packages
bun update

# Install specific patched version
bun install package-name@patched-version

Security Gates

CI Security Check

# .github/workflows/security.yml
name: Security Scan

on: [push, pull_request]

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run security audit
        run: |
          bun audit --json > audit-results.json
      - name: Check for vulnerabilities
        run: |
          HIGH_VULNS=$(jq '.vulnerabilities | length | select(.severity == "high") | length' audit-results.json)
          if [ "$HIGH_VULNS" -gt 0 ]; then
            echo "Found $HIGH_VULNS high severity vulnerabilities"
            exit 1
          fi
      - name: Upload results
        uses: actions/upload-artifact@v4
        with:
          name: audit-results
          path: audit-results.json

Pre-deployment Checklist

# Security checks before deployment
bun run security-check

# Should verify:
# - No high/critical vulnerabilities
# - No secrets in code
# - All security linting passes
# - Dependencies are up to date
# - No deprecated packages used

Compliance Standards

OWASP Top 10

Issue Prevention
Injection Use prepared statements, parameterized queries
Broken Authentication Implement proper auth mechanisms
Sensitive Data Exposure Encrypt data at rest
XML External Entities Use safe XML parsers
Broken Access Control Implement RBAC
Security Misconfiguration Follow security best practices
XSS Sanitize user input, escape output
Insecure Deserialization Use safe deserialization
Using Components with Known Vulnerabilities Keep dependencies updated
Insufficient Logging Log security events

Security Headers

// Set security headers
import { NextResponse } from 'next/server';

export function GET(request: Request) {
  return NextResponse.json(data, {
    headers: {
      'Content-Security-Policy': "default-src 'self'",
      'X-Frame-Options': 'DENY',
      'X-Content-Type-Options': 'nosniff',
      'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
      'X-XSS-Protection': '1; mode=block'
    }
  });
}

Verification

After implementing security checks:

  • Dependency audit runs on every build
  • Secret detection in pre-commit hooks
  • Security gate blocks vulnerable deployments
  • High/critical vulnerabilities addressed promptly
  • Static analysis findings are reviewed
  • Security headers configured
  • No secrets in repository history
  • Security documentation is maintained

Examples from liaison-toolkit

Example 1: Security Audit in CI

# .github/workflows/security.yml
- name: Audit dependencies
  run: |
    bun audit --json > results.json

- name: Check for critical vulnerabilities
  run: |
    CRITICAL=$(jq '.vulnerabilities | map(select(.severity == "critical")) | length' results.json)
    if [ "$CRITICAL" -gt 0 ]; then
      echo "CRITICAL vulnerabilities found!"
      exit 1
    fi

Example 2: Pre-commit Secret Scan

# .githooks/pre-commit
#!/usr/bin/env bun

import { execSync } from 'child_process';

const FILES = execSync('git diff --cached --name-only', { encoding: 'utf-8' });
const SECRET_PATTERNS = ['password', 'secret', 'api_key', 'token', 'private_key'];

for (const file of FILES.split('\n')) {
  if (!file.trim()) continue;

  const content = execSync(`git show :${file}`, { encoding: 'utf-8' });

  for (const pattern of SECRET_PATTERNS) {
    if (content.toLowerCase().includes(pattern)) {
      console.error(`Error: Potential secret found in ${file}`);
      process.exit(1);
    }
  }
}

Related Resources