Skip to content

give-jd/deep-security-check

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

deep-security-check

A defensive, read-only security assessment skill for Claude Code. Point it at a local project; it runs three best-in-class open-source scanners and returns a report with a reproducible reliability grade (0–100, A–F).

deep-security-check demo: scan a project, get a reproducible grade

  • SASTSemgrep (p/default ruleset)
  • SCAosv-scanner (dependency CVEs via OSV.dev)
  • Secretsgitleaks
  • Dynamic-test surface — a static, zero-traffic pass (surface.py) that flags where a dynamic test would look (permissive CORS, missing security headers, insecure cookies, debug/bind-all config). Advisory hints only — they do not change the grade and are unconfirmed until an authorized DAST run checks them.

Static analysis only. It reads the project and never modifies it. It is not a penetration test and never sends network traffic to live or remote targets. Defensive use only — finding weaknesses in code you own or are authorized to inspect. Dynamic testing (DAST) is intentionally out of scope for a publicly installable skill; run it separately against an authorized staging target.

Install

/plugin marketplace add give-jd/deep-security-check    # once the repo is public
/plugin install deep-security-check@give-security

Or, from a local clone, add the directory as a marketplace:

/plugin marketplace add /path/to/security-scan-skill

Then just ask Claude: "how reliable is this project, security-wise?" and it will invoke the skill.

Requirements

At least one scanner on your PATH (more installed → higher confidence):

Tool Install
Semgrep pipx install semgrep
osv-scanner https://github.com/google/osv-scanner/releases
gitleaks https://github.com/gitleaks/gitleaks/releases

Semgrep's p/default ruleset is fetched from the registry on first run (needs network once), then cached.

Use it directly (without Claude)

OUT=$(bash skills/deep-security-check/scripts/scan.sh <project-dir> | grep '^OUT=' | cut -d= -f2)
python3 skills/deep-security-check/scripts/score.py --sarif-dir "$OUT"

The grade

score.py owns the number so it is deterministic, not model opinion. Start at 100, subtract capped per-severity penalties over all findings, then apply ceilings:

severity penalty each cap
critical 25 60
high 8 30
medium 1.5 15
low 0.25 6

Ceilings: any critical → score ≤ 69 · any high → score ≤ 84. Grades: A 90–100 · B 80–89 · C 70–79 · D 60–69 · E 50–59 · F <50.

assessment_confidence reports how much to trust the score itself: high only when all three scanner classes ran; a one-shot static scan is never a substitute for a pentest, and the report says so.

Reproduce the rubric by hand — or run python3 .../score.py --selfcheck.

License

MIT.

About

Defensive, read-only security assessment skill for Claude Code (Semgrep + osv-scanner + gitleaks) with a reproducible reliability grade (0-100, A-F).

Topics

Resources

License

Stars

2 stars

Watchers

0 watching

Forks

Packages

 
 
 

Contributors