A Claude Code plugin that brings automated security scanning and comprehensive static security review to your development workflow.
It combines four industry-standard scanning tools with an AI-powered senior AppSec engineer agent that performs deep manual analysis across 12 vulnerability categories — producing actionable, dual-audience reports you can hand to both engineers and stakeholders.
This material is part of a 15-minute short talk at the Claude Code Thailand Meetup on March 15, 2026. The link to the presentation slides is here.
| Component | Type | Description |
|---|---|---|
| security-scanner | Skill | Orchestrates Bandit, Semgrep, Trivy, and TruffleHog to produce a structured scan report |
| security-analysis | Agent | Senior AppSec engineer that runs the scanner, then performs deep manual review across 12 vulnerability categories |
- Claude Code v1.0.33+
- Security tools (the scanner will check for these and offer to install any that are missing):
```bash
# Python SAST
pip install bandit
# Multi-language SAST
pip install semgrep
# Dependency & IaC scanner
brew install trivy
# Secret detection
brew install trufflehog
```
To load the plugin from a local checkout while developing:
```bash
claude --plugin-dir ./claude-code-security-plugins
```
To install it as a plugin:
```bash
claude plugin install claude-code-security-plugins
```
/claude-code-security-plugins:security-scanner
Runs all four tools against your codebase and produces a structured markdown report with findings, cross-tool observations, and coverage gaps.
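As an added illustration of the report structure described above (example code, not the plugin's own skill implementation), the following Python stage normalizes constructed sample output in each tool's native JSON shape, ranks findings by severity, records cross-tool observations (the same file flagged by more than one scanner), and lists coverage gaps (expected tools that produced no output). The field names follow each tool's documented JSON output; the sample findings, file paths and the CVE placeholder are constructed.

```python
import json
from collections import defaultdict
# Constructed sample outputs that mimic each tool's JSON shape; not real scan results.
SAMPLE = {
    "bandit": {"results": [{"filename": "app/db.py", "line_number": 12, "test_id": "B608",
                            "issue_severity": "HIGH", "issue_text": "SQL built by string formatting"}]},
    "semgrep": {"results": [{"check_id": "python.lang.security.audit.formatted-sql-query", "path": "app/db.py",
                             "start": {"line": 12}, "extra": {"severity": "ERROR"}}]},
    "trivy": {"Results": [{"Target": "requirements.txt", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0000", "PkgName": "examplelib", "Severity": "CRITICAL"}]}]},
    # TruffleHog emits NDJSON: one JSON object per line, so it is kept as raw text here.
    "trufflehog": '{"DetectorName": "AWS", "Verified": false, '
                  '"SourceMetadata": {"Data": {"Git": {"file": "config/settings.py", "line": 3}}}}\n',
}
SEVERITY = {"CRITICAL": 4, "HIGH": 3, "ERROR": 3, "MEDIUM": 2, "WARNING": 2, "LOW": 1, "INFO": 1}


def normalize(tool, raw):
    """Map one tool's native output to common {tool, file, line, severity, rule} records."""
    if tool == "bandit":
        return [dict(tool=tool, file=r["filename"], line=r["line_number"],
                     severity=r["issue_severity"], rule=r["test_id"]) for r in raw["results"]]
    if tool == "semgrep":
        return [dict(tool=tool, file=r["path"], line=r["start"]["line"],
                     severity=r["extra"]["severity"], rule=r["check_id"]) for r in raw["results"]]
    if tool == "trivy":  # dependency findings have no source line; Target is the manifest or image
        return [dict(tool=tool, file=t["Target"], line=0, severity=v["Severity"], rule=v["VulnerabilityID"])
                for t in raw["Results"] for v in t.get("Vulnerabilities") or []]
    if tool == "trufflehog":  # a live-verified secret outranks an unverified pattern match
        return [dict(tool=tool, file=r["SourceMetadata"]["Data"]["Git"]["file"],
                     line=r["SourceMetadata"]["Data"]["Git"]["line"], rule=r["DetectorName"],
                     severity="CRITICAL" if r["Verified"] else "HIGH") for r in map(json.loads, raw.splitlines())]
    raise ValueError(f"unknown tool {tool}")


def build_report(outputs, expected=("bandit", "semgrep", "trivy", "trufflehog")):
    """Rank findings, note files flagged by more than one tool, and list tools that produced no output."""
    findings = [f for tool, raw in outputs.items() for f in normalize(tool, raw)]
    findings.sort(key=lambda f: -SEVERITY.get(f["severity"].upper(), 0))  # stable: ties keep tool order
    by_file = defaultdict(set)
    for f in findings:
        by_file[f["file"]].add(f["tool"])
    cross_tool = {path: sorted(tools) for path, tools in by_file.items() if len(tools) > 1}
    return {"findings": findings, "cross_tool": cross_tool, "coverage_gaps": [t for t in expected if t not in outputs]}


def render_markdown(report):
    lines = ["## Findings", "| Severity | Tool | Location | Rule |", "|---|---|---|---|"]
    lines += [f"| {f['severity']} | {f['tool']} | {f['file']}:{f['line']} | {f['rule']} |" for f in report["findings"]]
    lines += ["", "## Cross-tool observations"] + [f"- {p}: flagged by {', '.join(t)}" for p, t in report["cross_tool"].items()]
    lines += ["", "## Coverage gaps"] + ([f"- {t} did not run" for t in report["coverage_gaps"]] or ["- none"])
    return "\n".join(lines)
```

Calling `render_markdown(build_report(SAMPLE))` yields the three report sections; a tool omitted from `outputs` (for example because it was not installed) appears under coverage gaps instead of silently shrinking the findings table.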
Ask Claude naturally:
"Run a security review of this codebase"
"We're preparing to deploy v2.0 — can you do a security review first?"
"I just merged the auth branch, please review for vulnerabilities"
The security-analysis agent will automatically:
- Run the automated scanner (Phase 0)
- Perform codebase reconnaissance (Phase 1)
- Analyze 12 vulnerability categories with manual review (Phase 2)
- Document findings with structured fields (Phase 3)
- Produce a dual-audience report with executive summary and engineering findings (Phase 4)
Use /agents to see available agents and launch claude-code-security-plugins:security-analysis directly.
| Tool | Coverage |
|---|---|
| Bandit | Python SAST — injection, pickle, subprocess, weak crypto |
| Semgrep | Multi-language SAST — OWASP Top 10 + Python-specific rules |
| Trivy | Dependencies, IaC misconfigs, secrets, container images |
| TruffleHog | Secrets in git history with live API verification |
- Injection Flaws
- Broken Access Control
- Hardcoded Secrets & Credential Exposure
- Cryptographic Misuse
- Insecure Deserialization
- Server-Side Request Forgery (SSRF)
- Dependency Vulnerabilities
- Authentication & Session Management
- Security Misconfiguration
- Logging & Monitoring Gaps
- Infrastructure-as-Code Risks
- CI/CD Pipeline Security
MIT