Skip to main content
Independent directory. Not affiliated with Anthropic. Disclaimer

Security Code Scanner

Development › Security

Performs a static security analysis of your codebase. Detects OWASP Top 10 vulnerabilities, insecure dependencies, hard-coded secrets, SQL injection, XSS vectors, and broken authentication patterns — with fix suggestions for each finding.

3,100+ installs
4.9 rating
Official
MIT License
Security OWASP Vulnerability Code Review Official

What it does

Security Code Scanner reads your files or diff and checks every code path against a comprehensive ruleset covering the OWASP Top 10, CWE common weaknesses, and framework-specific pitfalls (Express.js, Django, Spring Boot, Rails). Each finding is classified by severity (Critical / High / Medium / Low / Informational) and mapped to the relevant CVE or OWASP category.

Beyond finding vulnerabilities, the skill generates a remediation snippet for each issue — not just "sanitize this input" but the actual patched code you can apply. It also scans environment files and config templates for exposed secrets using entropy analysis patterns.

How to install

bash
npx skills add user/security-scanner

No API keys required. The skill runs entirely through your Claude Code environment using the files in your current working directory.

How to use

Paste or reference the code you want scanned:

prompt
Scan this code for security vulnerabilities: [paste code]

A typical report looks like:

output
## Critical Findings

### SQL Injection Risk — OWASP A03:2021
File: src/routes/users.js · Line 42

VULNERABLE:
const query = `SELECT * FROM users WHERE id = ${req.params.id}`;

FIX:
const query = 'SELECT * FROM users WHERE id = ?';
db.query(query, [req.params.id]);

Severity: CRITICAL · CVE pattern: CWE-89

Configuration

Target specific vulnerability classes or artefacts:

prompt
# Scope to OWASP only
Scan for OWASP Top 10 only

# Check for leaked secrets
Check this .env file for leaked secrets

# API-focused review
Review this API endpoint for auth issues

Tip: Run Security Code Scanner as part of your PR review flow — paste the diff directly and ask Claude to flag any new vulnerabilities introduced by the change. This keeps security review lightweight and focused.

Related skills

Use Security Code Scanner alongside PR Review Assistant to integrate security checks into every pull request review. Pair with API Designer to validate new endpoints before they ship, and Test Generator to produce security-focused test cases for discovered vulnerabilities.