Find known CVEs in dependencies with severity scores and fix guidance
`claude install community/security-vuln-scanner`

Security scanning: audit npm/pip/cargo dependencies against CVE databases, scan code for vulnerability patterns, score severity, and produce remediation plans.
This is the actual SKILL.md file that powers this skill. Copy it to install.
---
name: security-vuln-scanner
description: |
Trigger when the user asks to scan for security vulnerabilities, audit a
codebase for security issues, check CVE status of dependencies, or run
a security review. Phrases: "security scan", "vuln audit", "security review",
"CVE check", "audit dependencies".
allowed-tools:
- Read
- Grep
- Bash(npm audit *)
- Bash(pnpm audit *)
- Bash(snyk *)
- Bash(semgrep *)
- Bash(gitleaks *)
---
# Security Vulnerability Scanner
Audit a codebase for known CVEs in dependencies and common application
vulnerabilities in first-party code. Produce a report ranked by exploitability.
## Prerequisites
- A committed lockfile or pin set (`pnpm-lock.yaml`, `package-lock.json`, or a fully pinned `requirements.txt`), so the audit sees the versions that actually ship
- `npm audit`, `pnpm audit`, or `snyk` available
- Optional: `semgrep` installed for SAST scanning
## Steps
1. **Dependency audit first (fastest signal):**
```bash
pnpm audit --prod --json > deps-audit.json
```
`--prod` skips devDependencies; if build or CI tooling is in scope, run it again without the flag. Parse the JSON and bucket advisories by severity: CRITICAL, HIGH, MODERATE, LOW.
2. **For every HIGH/CRITICAL, determine:**
- Is the vulnerable code path actually reachable from your entry points?
- Is there a patched version?
- Can you update, or do you need to fork / pin / accept risk?
3. **SAST scan for first-party code.** Use semgrep with the default ruleset and JSON output (without `--json` the redirect captures the human-readable text, not JSON):
```bash
semgrep --config auto --json src/ > sast-report.json
```
`--config auto` fetches rules from the Semgrep registry and sends metrics; for a fully offline run, point `--config` at a local rules directory instead.
Common finds:
- SQL injection via string interpolation
- XSS via innerHTML / dangerouslySetInnerHTML
- Hardcoded secrets
- Insecure randomness (Math.random for tokens)
- Open redirects
4. **Secret scan via gitleaks or similar:**
```bash
gitleaks detect --source . --redact
```
The false-positive rate is non-trivial (test fixtures, example keys, high-entropy hashes), so triage every hit by hand rather than accepting the list blindly. Treat a real credential as leaked even if it has already been removed from HEAD: `gitleaks detect` walks git history, and so does an attacker with a clone.
5. **Produce a three-section report:**
- **Ship-blockers** (critical CVEs in prod deps, RCE findings, exposed secrets)
- **This sprint** (high severity, exploitable user-input paths)
- **Backlog** (moderate, low exploitability)
6. **Track suppressions explicitly.** If you accept a risk, document it in
`security/accepted-risks.md` with reason and review date. Never silently
ignore a finding.
## Common real findings worth looking for
- `dangerouslySetInnerHTML` with user-controlled input
- Deep-merging `JSON.parse`d user input into other objects (prototype pollution via an own `__proto__` key; `JSON.parse` on its own is not the problem, the recursive merge that follows it is)
- SSRF via server-side fetch with user-controlled URLs
- CORS configured too permissively (`Access-Control-Allow-Origin: *`, or reflecting the request `Origin` while allowing credentials)
- Auth enforced in middleware that some API routes bypass (route registered outside the middleware chain, or matched by a narrower path pattern than the middleware)
## Output
- `security-scan.md` report with findings bucketed by severity
- PR that fixes ship-blockers and high-severity issues
- `accepted-risks.md` for anything deferred
Install: create the skill directory and save the SKILL.md above inside it.
```bash
mkdir -p ~/.claude/skills/security-vuln-scanner
```
Save the file as `~/.claude/skills/security-vuln-scanner/SKILL.md`. Resulting file structure:
```
~/.claude/
  skills/
    security-vuln-scanner/
      SKILL.md   <-- skill definition
```
Skills are loaded automatically by Claude Code when you start a new session. The skill name and description in the frontmatter determine when Claude triggers it.