How does it calculate risk scores?

It uses a proprietary formula combining CVSS scores, real-world exploitability (via CISA KEV), system criticality, and network exposure levels.

What vulnerability databases does it use for live data?

It fetches current threat intelligence from OSV.dev, the National Vulnerability Database (NVD), GitHub Advisories, and the CISA Known Exploited Vulnerabilities (KEV) catalog.

Does it automatically apply fixes to my code?

It provides specific remediation code, patches, and CLI commands along with unit tests to validate the fix, allowing you to review and verify the resolution before application.

Can it detect leaked API keys?

Yes, it scans for secret exposure in .env files and configuration scripts, flagging risks while ensuring sensitive values are never logged or stored in the inventory.

Which package managers does the Security Analyzer support?

The skill scans dependencies for npm (JavaScript), pip (Python), gem (Ruby), go (Golang), cargo (Rust), and Maven (Java/pom.xml).

Security Analyzer

Name: Security Analyzer
Author: Cornjebus

byCornjebus

Seguridad y Pruebas

Performs comprehensive security audits across codebases, dependencies, and infrastructure to identify vulnerabilities and provide automated remediation plans.

Acerca de

The Security Analyzer skill empowers Claude to perform deep security assessments of modern software environments by scanning dependencies (npm, pip, go, etc.), Docker containers, and Cloud Infrastructure as Code (Terraform, CloudFormation). It integrates live vulnerability intelligence from OSV.dev and CISA KEV to calculate real-world risk scores and generates actionable, phased remediation reports. Uniquely, it employs a Test-Driven Development (TDD) approach, providing pre-fix tests to prove vulnerabilities and post-fix validation tests to ensure patches are effective, making it an essential tool for maintaining a robust security posture and meeting compliance requirements.

Características Principales

Dual-report generation for both technical engineering teams and executive leadership
Multi-ecosystem dependency scanning for npm, pip, gem, go, cargo, and Maven
0 GitHub stars
TDD-based remediation with automated validation tests for every finding
Live CVE fetching and exploitability risk scoring using CISA KEV and NVD data
Infrastructure as Code (IaC) and container configuration auditing for Terraform and Docker

Casos de Uso

Identifying and rotating exposed secrets or sensitive keys within environment files
Auditing a codebase for publicly known vulnerabilities before a major production release
Hardening cloud infrastructure and container images based on OWASP and industry best practices

Acerca de

Características Principales

Dual-report generation for both technical engineering teams and executive leadership
Multi-ecosystem dependency scanning for npm, pip, gem, go, cargo, and Maven
0 GitHub stars
TDD-based remediation with automated validation tests for every finding
Live CVE fetching and exploitability risk scoring using CISA KEV and NVD data
Infrastructure as Code (IaC) and container configuration auditing for Terraform and Docker

Casos de Uso

Identifying and rotating exposed secrets or sensitive keys within environment files
Auditing a codebase for publicly known vulnerabilities before a major production release
Hardening cloud infrastructure and container images based on OWASP and industry best practices