Security

security-scan - Claude MCP Skill

Whole-codebase vulnerability analysis leveraging 1M context window. Loads entire project source, runs deep security analysis in a single pass. Opus 4.6 found 500 zero-day vulnerabilities in pre-release testing — this skill weaponizes that capability.

SEO Guide: Enhance your AI agent with the security-scan tool. This Model Context Protocol (MCP) server allows Claude Desktop and other LLMs to whole-codebase vulnerability analysis leveraging 1m context window. loads entire project source, run... Download and configure this skill to unlock new capabilities for your AI workflow.

🌟1 stars • 1 forks

📥0 downloads

Python API Database SQL CI/CD Docker AWS

View on GitHub🔗 Claude Servers

Documentation

SKILL.md

# /security-scan

Deep security analysis of an entire codebase in a single pass.

## Philosophy

Traditional security scanning is file-by-file. It misses cross-file vulnerabilities: data flows from user input through multiple modules to a dangerous sink. With Opus 4.6's 1M token context, we load the entire project and trace attack surfaces end-to-end.

**This is NOT a replacement for dedicated SAST/DAST tools.** It's a complementary analysis that catches what those tools miss: logic flaws, auth bypasses, business logic vulnerabilities, and cross-module data flow issues.

## Process

### 1. Load Full Codebase

```bash
# Estimate token count
find . -name "*.ts" -o -name "*.tsx" -o -name "*.js" -o -name "*.jsx" -o -name "*.py" -o -name "*.go" -o -name "*.rs" -o -name "*.rb" | \
  grep -v node_modules | grep -v .next | grep -v dist | grep -v build | \
  xargs wc -l 2>/dev/null | tail -1
```

If under ~200K lines: load everything into context via full file reads.
If over: focus on the attack surface (auth, API routes, data access, user input handlers).

### 2. Map Attack Surface

Read ALL of these file categories:
- **Entry points**: API routes, webhooks, form handlers, CLI commands
- **Auth/authz**: Middleware, guards, session management, JWT handling
- **Data access**: Database queries, ORM models, raw SQL
- **User input**: Form validation, request parsing, file uploads
- **External integrations**: API clients, webhook handlers, OAuth flows
- **Secrets management**: env var usage, config files, .env patterns
- **Infrastructure**: Dockerfile, CI/CD workflows, deployment configs

### 3. Vulnerability Analysis

Spawn `security-sentinel` agent with the full diff/codebase context. Analyze for:

**OWASP Top 10:**
- A01: Broken Access Control — missing auth checks, IDOR, privilege escalation
- A02: Cryptographic Failures — weak hashing, plaintext secrets, insecure transport
- A03: Injection — SQL, NoSQL, OS command, LDAP, XSS
- A04: Insecure Design — business logic flaws, missing rate limiting
- A05: Security Misconfiguration — default creds, verbose errors, open CORS
- A06: Vulnerable Components — outdated deps with known CVEs
- A07: Auth Failures — weak passwords, missing MFA, session issues
- A08: Software/Data Integrity — unsigned updates, insecure deserialization
- A09: Logging Failures — missing audit trails, sensitive data in logs
- A10: SSRF — unvalidated URLs, internal network access

**Cross-Module Analysis (unique to 1M context):**
- Trace user input from entry point through all transformations to sink
- Identify auth bypass paths across middleware chains
- Find data exposure through API response serialization
- Detect race conditions in concurrent operations
- Map trust boundary violations across service calls

### 4. Dependency Audit

```bash
# npm/pnpm
pnpm audit 2>/dev/null || npm audit 2>/dev/null

# Python
pip-audit 2>/dev/null || safety check 2>/dev/null

# Go
govulncheck ./... 2>/dev/null

# Rust
cargo audit 2>/dev/null
```

### 5. Secrets Scan

```bash
# Check for hardcoded secrets
grep -rn "sk_live\|sk_test\|AKIA\|password\s*=\s*['\"]" --include="*.ts" --include="*.js" --include="*.py" --include="*.go" . | grep -v node_modules | grep -v ".env.example"

# Check .env files not in .gitignore
git ls-files --cached | grep -i "\.env$" | head -5
```

## Output Format

```markdown
## Security Scan: [project-name]

**Scope:** [X files, Y lines analyzed]
**Effort:** max
**Date:** [timestamp]

---

### Critical (Immediate Fix Required)
- [ ] `file:line` — [Vulnerability type] — [Description] — [Exploit path]

### High (Fix Before Deploy)
- [ ] `file:line` — [Vulnerability type] — [Description]

### Medium (Fix in Sprint)
- [ ] `file:line` — [Vulnerability type] — [Description]

### Low (Track and Fix)
- [ ] `file:line` — [Vulnerability type] — [Description]

### Dependency Vulnerabilities
| Package | Version | CVE | Severity | Fix Version |
|---------|---------|-----|----------|-------------|

### Cross-Module Findings
- [Data flow from X through Y to Z creates injection risk]
- [Auth middleware skipped on route A when accessed via B]

### Positive Observations
- [Good security patterns found]
- [Well-implemented auth flows]
```

## When to Use

- Before any production deployment
- After adding new API routes or auth logic
- When integrating new external services
- During quarterly security reviews
- After dependency updates

## Related

- `/check-quality` — Includes lightweight security scan
- `/review-branch` — security-sentinel is mandatory reviewer
- `/billing-security` — Payment-specific security patterns

Signals

Avg rating⭐ 0.0

Reviews0

Favorites0

Information

Repository: phrazzld/claude-config
Author: phrazzld
Last Sync: 3/2/2026
Repo Updated: 3/1/2026
Created: 2/5/2026

Reviews (0)

No reviews yet. Be the first to review this skill!

Related Skills

upgrade-nodejs

Upgrading Bun's Self-Reported Node.js Version

⭐ 44050Has guide

cursorrules

CrewAI Development Rules

⭐ 43932Has guide

cn-check

Install and run the Continue CLI (`cn`) to execute AI agent checks on local code changes. Use when asked to "run checks", "lint with AI", "review my changes with cn", or set up Continue CI locally.

⭐ 31808

CLAUDE

CLAUDE.md

⭐ 27345