Which programming languages does this skill support?

It provides specialized patterns for JavaScript (npm) and Python (pip/Bandit), while tools like Semgrep, Gitleaks, and TruffleHog provide broad coverage across most modern languages.

How does it handle false positives in secret detection?

The skill utilizes baseline files (like .secrets.baseline) to document and ignore known false positives, ensuring your security reports remain actionable and relevant.

Can this skill automatically fix security issues?

Yes, it can execute automated remediation commands like 'npm audit fix' and provide Claude with the context needed to manually refactor code to resolve SAST findings.

Does it support CI/CD integration?

Absolutely. It includes specific patterns for GitHub Actions and Bash scripts that allow you to block builds based on vulnerability severity thresholds.

Security Scanning

Name: Security Scanning
Author: yonatangross

byyonatangross

•

安全与测试

Automates vulnerability detection for dependencies, source code, and containers using industry-standard security tools.

关于

This skill empowers Claude to perform comprehensive security audits by integrating essential tools like npm audit, Semgrep, and TruffleHog. It helps developers identify critical vulnerabilities in dependencies, detect hardcoded secrets, and implement static analysis (SAST) within their development workflow. By providing standardized implementation patterns for pre-commit hooks and CI/CD pipelines, it ensures a shift-left security approach, catching risks before they reach production.

主要功能

Best-practice pre-commit hook configurations for proactive security
Automated dependency auditing for JavaScript and Python environments
Static Analysis Security Testing (SAST) using Semgrep and Bandit
Container image vulnerability scanning with Trivy integration
Hardcoded secret and credential detection in source code repositories
29 GitHub stars

使用场景

Identifying and fixing vulnerable npm or pip packages during development
Scanning repositories for exposed API keys, AWS credentials, or private keys
Integrating automated security gates and escalation thresholds into CI/CD pipelines

关于

主要功能

Best-practice pre-commit hook configurations for proactive security
Automated dependency auditing for JavaScript and Python environments
Static Analysis Security Testing (SAST) using Semgrep and Bandit
Container image vulnerability scanning with Trivy integration
Hardcoded secret and credential detection in source code repositories
29 GitHub stars

使用场景

Identifying and fixing vulnerable npm or pip packages during development
Scanning repositories for exposed API keys, AWS credentials, or private keys
Integrating automated security gates and escalation thresholds into CI/CD pipelines