Skip to content

security

Directory actions

More options

Directory actions

More options

Latest commit

 

History

History
 
 

security

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
.claude-plugin
.claude-plugin
 
 
agents
agents
 
 
commands
commands
 
 
skills
skills
 
 
README.md
README.md
 
 

README.md

Security Plugin

Comprehensive security plugin for Claude Code covering application security, DevSecOps, and infrastructure security.

Installation

/plugin install security@melodic-software

Overview

This plugin provides 13 security-focused skills, 4 specialized agents, and 5 slash commands for full-stack developers who both write secure code AND manage CI/CD pipelines.

Skills

Skill Description
secure-coding OWASP Top 10 2021, CWE Top 25, language-specific security patterns
authentication-patterns JWT, OAuth 2.0, OIDC, Passkeys/FIDO2, MFA, session management
authorization-models RBAC, ABAC, ACL, ReBAC, policy-as-code with OPA
cryptography Algorithm selection, password hashing, TLS configuration, key management
api-security Rate limiting, input validation, CORS, API authentication, BOLA protection
secrets-management HashiCorp Vault, AWS Secrets Manager, rotation, CI/CD secrets
supply-chain-security SBOM, SLSA, SCA, dependency scanning, code signing
devsecops-practices SAST/DAST/IAST, security gates, shift-left, vulnerability management
container-security Docker hardening, Kubernetes security, image scanning, runtime protection
zero-trust ZTNA, micro-segmentation, identity-first security, BeyondCorp
threat-modeling STRIDE, DREAD, attack trees, threat modeling tools (pytm, Threagile)
vulnerability-management CVE tracking, CVSS scoring, EPSS, KEV, remediation workflows
ai-governance AI system security, ML model governance, responsible AI practices

Agents

Agent Model Purpose
security-auditor Sonnet Code review for OWASP Top 10, CWE vulnerabilities, security anti-patterns
threat-modeler Sonnet STRIDE analysis, attack vector identification, security control recommendations
secrets-scanner Haiku Fast pattern-matching for hardcoded secrets, API keys, credentials
dependency-checker Sonnet CVE analysis, vulnerable dependency detection, remediation guidance

Commands

Command Description
/security:audit Run security audit on code files, directories, or git changes
/security:scan-secrets Scan for hardcoded secrets and credentials
/security:check-deps Check dependencies for known CVEs
/security:threat-model Generate threat model for a component or feature
/security:review Comprehensive security review (all checks combined)

Usage Examples

Security Audit

# Audit entire project
/security:audit

# Audit specific directory
/security:audit src/api/

# Audit staged changes (pre-commit)
/security:audit --staged

# Audit PR changes
/security:audit --pr

Secrets Scanning

# Scan current directory
/security:scan-secrets

# Scan entire repository
/security:scan-secrets --all

# Pre-commit scan
/security:scan-secrets --staged

Dependency Checking

# Auto-detect and check all ecosystems
/security:check-deps

# Check specific ecosystem
/security:check-deps --npm
/security:check-deps --pip
/security:check-deps --dotnet

Threat Modeling

/security:threat-model user authentication system
/security:threat-model REST API for payment processing
/security:threat-model microservices architecture

Comprehensive Review

# Full security review (audit + secrets + deps)
/security:review

# Review PR before merge
/security:review --pr

Skill Activation

Skills activate automatically based on context. Example triggers:

  • secure-coding: "prevent SQL injection", "OWASP", "XSS", "input validation"
  • authentication-patterns: "JWT security", "OAuth flow", "implement MFA"
  • cryptography: "password hashing", "encryption algorithm", "TLS configuration"
  • threat-modeling: "STRIDE analysis", "create threat model", "attack tree"

Architecture

plugins/security/
├── .claude-plugin/
│   └── plugin.json
├── README.md
├── skills/
│   ├── secure-coding/
│   ├── authentication-patterns/
│   ├── authorization-models/
│   ├── cryptography/
│   ├── api-security/
│   ├── secrets-management/
│   ├── supply-chain-security/
│   ├── devsecops-practices/
│   ├── container-security/
│   ├── zero-trust/
│   ├── threat-modeling/
│   └── vulnerability-management/
├── agents/
│   ├── security-auditor.md
│   ├── threat-modeler.md
│   ├── secrets-scanner.md
│   └── dependency-checker.md
└── commands/
    ├── audit.md
    ├── scan-secrets.md
    ├── check-deps.md
    ├── threat-model.md
    └── review.md

Coverage

OWASP Top 10 2021

  • ✅ A01: Broken Access Control
  • ✅ A02: Cryptographic Failures
  • ✅ A03: Injection
  • ✅ A04: Insecure Design
  • ✅ A05: Security Misconfiguration
  • ✅ A06: Vulnerable Components
  • ✅ A07: Authentication Failures
  • ✅ A08: Software and Data Integrity
  • ✅ A09: Security Logging & Monitoring
  • ✅ A10: Server-Side Request Forgery

DevSecOps Pipeline

  • ✅ SAST (Static Analysis)
  • ✅ SCA (Software Composition Analysis)
  • ✅ Secrets Detection
  • ✅ Container Image Scanning
  • ✅ SBOM Generation
  • ✅ Security Gates

Compliance Frameworks

  • OWASP ASVS
  • NIST Cybersecurity Framework
  • CIS Controls
  • SLSA Supply Chain Security

License

MIT