A defensive, read-only security assessment skill for Claude Code. Point it at a local project; it runs three best-in-class open-source scanners and returns a report with a reproducible reliability grade (0–100, A–F).
- SAST — Semgrep (
p/defaultruleset) - SCA — osv-scanner (dependency CVEs via OSV.dev)
- Secrets — gitleaks
- Dynamic-test surface — a static, zero-traffic pass (
surface.py) that flags where a dynamic test would look (permissive CORS, missing security headers, insecure cookies, debug/bind-all config). Advisory hints only — they do not change the grade and are unconfirmed until an authorized DAST run checks them.
Static analysis only. It reads the project and never modifies it. It is not a penetration test and never sends network traffic to live or remote targets. Defensive use only — finding weaknesses in code you own or are authorized to inspect. Dynamic testing (DAST) is intentionally out of scope for a publicly installable skill; run it separately against an authorized staging target.
/plugin marketplace add give-jd/deep-security-check # once the repo is public
/plugin install deep-security-check@give-security
Or, from a local clone, add the directory as a marketplace:
/plugin marketplace add /path/to/security-scan-skill
Then just ask Claude: "how reliable is this project, security-wise?" and it will invoke the skill.
At least one scanner on your PATH (more installed → higher confidence):
| Tool | Install |
|---|---|
| Semgrep | pipx install semgrep |
| osv-scanner | https://github.com/google/osv-scanner/releases |
| gitleaks | https://github.com/gitleaks/gitleaks/releases |
Semgrep's p/default ruleset is fetched from the registry on first run (needs
network once), then cached.
OUT=$(bash skills/deep-security-check/scripts/scan.sh <project-dir> | grep '^OUT=' | cut -d= -f2)
python3 skills/deep-security-check/scripts/score.py --sarif-dir "$OUT"score.py owns the number so it is deterministic, not model opinion. Start at 100,
subtract capped per-severity penalties over all findings, then apply ceilings:
| severity | penalty each | cap |
|---|---|---|
| critical | 25 | 60 |
| high | 8 | 30 |
| medium | 1.5 | 15 |
| low | 0.25 | 6 |
Ceilings: any critical → score ≤ 69 · any high → score ≤ 84. Grades: A 90–100 · B 80–89 · C 70–79 · D 60–69 · E 50–59 · F <50.
assessment_confidence reports how much to trust the score itself: high only when
all three scanner classes ran; a one-shot static scan is never a substitute for a
pentest, and the report says so.
Reproduce the rubric by hand — or run python3 .../score.py --selfcheck.
MIT.
