What it does
Security Code Scanner reads your files or diff and checks every code path against a comprehensive ruleset covering the OWASP Top 10, CWE common weaknesses, and framework-specific pitfalls (Express.js, Django, Spring Boot, Rails). Each finding is classified by severity (Critical / High / Medium / Low / Informational) and mapped to the relevant CVE or OWASP category.
Beyond finding vulnerabilities, the skill generates a remediation snippet for each issue — not just "sanitize this input" but the actual patched code you can apply. It also scans environment files and config templates for exposed secrets using entropy analysis patterns.
How to install
npx skills add user/security-scanner
No API keys required. The skill runs entirely through your Claude Code environment using the files in your current working directory.
How to use
Paste or reference the code you want scanned:
Scan this code for security vulnerabilities: [paste code]
A typical report looks like:
## Critical Findings ### SQL Injection Risk — OWASP A03:2021 File: src/routes/users.js · Line 42 VULNERABLE: const query = `SELECT * FROM users WHERE id = ${req.params.id}`; FIX: const query = 'SELECT * FROM users WHERE id = ?'; db.query(query, [req.params.id]); Severity: CRITICAL · CVE pattern: CWE-89
Configuration
Target specific vulnerability classes or artefacts:
# Scope to OWASP only Scan for OWASP Top 10 only # Check for leaked secrets Check this .env file for leaked secrets # API-focused review Review this API endpoint for auth issues
Tip: Run Security Code Scanner as part of your PR review flow — paste the diff directly and ask Claude to flag any new vulnerabilities introduced by the change. This keeps security review lightweight and focused.
Related skills
Use Security Code Scanner alongside PR Review Assistant to integrate security checks into every pull request review. Pair with API Designer to validate new endpoints before they ship, and Test Generator to produce security-focused test cases for discovered vulnerabilities.