# security-scanning

SAST analysis, dependency vulnerability scanning, OWASP Top 10 compliance, container security scanning, and automated security hardening

Author: Seth Hobson
Namespace: @wshobson/claude-code-workflows
Category: security
Version: 1.2.3
Stars: 27,261
Downloads: 211

## Installation

```shell
npx claude-plugins install @wshobson/claude-code-workflows/security-scanning
```

## Contents

Folders: agents, commands, skills

## Included Skills

This plugin includes 5 skill definitions:

### attack-tree-construction

> Build comprehensive attack trees to visualize threat paths. Use when mapping attack scenarios, identifying defense gaps, or communicating security risks to stakeholders.

<details>
<summary>View skill definition</summary>

# Attack Tree Construction

Systematic attack path visualization and analysis.

## When to Use This Skill

## Core Concepts

### 1. Attack Tree Structure

```
                    [Root Goal]
                         |
            ┌────────────┴────────────┐
            │                         │
       [Sub-goal 1]              [Sub-goal 2]
       (OR node)                 (AND node)
            │                         │
      ┌─────┴─────┐             ┌─────┴─────┐
      │           │             │           │
   [Attack]   [Attack]      [Attack]   [Attack]
    (leaf)     (leaf)        (leaf)     (leaf)
```

### 2. Node Types

| Type | Symbol    | Description             |
| ---- | --------- | ----------------------- |
| OR   | Oval      | Any child achieves goal |
| AND  | Rectangle | All children required   |
| Leaf | Box       | Atomic attack step      |

### 3. Attack Attributes

| Attribute | Description             | Values             |
| --------- | ----------------------- | ------------------ |
| Cost      | Resources needed        | $, $$, $$$         |
| Time      | Duration to execute     | Hours, Days, Weeks |
| Skill     | Expertise required      | Low, Medium, High  |
| Detection | Likelihood of detection |                    |

…(truncated)

</details>
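As an added example (not part of the skill definition or the plugin's own code), the following Python walks an attack tree built from the OR/AND node types above and enumerates every complete attack scenario, scoring each with the Cost and Skill attributes so a defender can see which path to close first. The tree, the node names and the ordinal mapping of `$`/`$$`/`$$$` and Low/Medium/High are constructed assumptions; the traversal is the general OR/AND rule, not tied to the diagram's exact shape.

```python
from dataclasses import dataclass, field
from itertools import product

# Ordinal mapping of the skill's Cost and Skill scales (assumed; the page gives only the labels).
COST = {"$": 1, "$$": 2, "$$$": 3}
SKILL = {"Low": 1, "Medium": 2, "High": 3}

@dataclass
class Node:
    name: str
    kind: str = "LEAF"          # "OR", "AND" or "LEAF"
    children: list = field(default_factory=list)
    cost: str = "$"             # leaf attributes only
    skill: str = "Low"

def scenarios(node):
    """Return every complete attack scenario under `node` as
    (leaf steps, total cost, highest skill any step needs).
    OR: any one child's scenario suffices, so child scenarios are collected.
    AND: every child must succeed, so one scenario per child is combined."""
    if node.kind == "LEAF":
        return [((node.name,), COST[node.cost], SKILL[node.skill])]
    child_sets = [scenarios(child) for child in node.children]
    if node.kind == "OR":
        return [s for cs in child_sets for s in cs]
    combined = []
    for combo in product(*child_sets):
        steps = tuple(step for s in combo for step in s[0])
        combined.append((steps, sum(s[1] for s in combo), max(s[2] for s in combo)))
    return combined

def cheapest(node):
    """Scenario to close first: lowest cost, ties broken by lowest skill."""
    return min(scenarios(node), key=lambda s: (s[1], s[2]))

# Constructed sample tree in the skill's OR/AND layout (node names are illustrative).
TREE = Node("Read customer records", "OR", [
    Node("Steal admin credentials", "OR", [
        Node("Phish administrator", cost="$", skill="Low"),
        Node("Crack password dump", cost="$$", skill="Medium"),
    ]),
    Node("Exploit database host", "AND", [
        Node("Bypass network segmentation", cost="$$", skill="High"),
        Node("Exploit unpatched service", cost="$$", skill="Medium"),
    ]),
])
if __name__ == "__main__":
    for steps, cost, skill in sorted(scenarios(TREE), key=lambda s: (s[1], s[2])):
        print(f"cost={cost} skill={skill} path={' + '.join(steps)}")
```

Sorting the output by cost and skill gives the same ranking stakeholders see in a tree review: the single-step, low-skill credential path outranks the two-step host compromise.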

### sast-configuration

> Configure Static Application Security Testing (SAST) tools for automated vulnerability detection in application code. Use when setting up security scanning, implementing DevSecOps practices, or automating code vulnerability detection.

<details>
<summary>View skill definition</summary>

# SAST Configuration

Static Application Security Testing (SAST) tool setup, configuration, and custom rule creation for comprehensive security scanning across multiple programming languages.

## Overview

This skill provides comprehensive guidance for setting up and configuring SAST tools including Semgrep, SonarQube, and CodeQL. Use this skill when you need to:

## Core Capabilities

### 1. Semgrep Configuration

### 2. SonarQube Setup

### 3. CodeQL Analysis

## Quick Start

### Initial Assessment

1. Identify primary programming languages in your codebase
2. Determine compliance requirements (PCI-DSS, SOC 2, etc.)
3. Choose SAST tool based on

…(truncated)

</details>

### security-requirement-extraction

> Derive security requirements from threat models and business context. Use when translating threats into actionable requirements, creating security user stories, or building security test cases.

<details>
<summary>View skill definition</summary>

# Security Requirement Extraction

Transform threat analysis into actionable security requirements.

## When to Use This Skill

## Core Concepts

### 1. Requirement Categories

```
Business Requirements → Security Requirements → Technical Controls
         ↓                       ↓                      ↓
  "Protect customer    "Encrypt PII at rest"   "AES-256 encryption
   data"                                        with KMS key rotation"
```

### 2. Security Requirement Types

| Type           | Focus                   | Example                                |
| -------------- | ----------------------- | -------------------------------------- |
| Functional     | What system must do     | “System must authenticate users”       |
| Non-functional | How system must perform | “Authentication must complete in <2s”  |
| Constraint     | Limitations imposed     | “Must use approved crypto libraries”   |

### 3. Requirement Attributes

| Attribute    | Description                 |
| ------------ | --------------------------- |
| Traceability | Links to threats/compliance |
| Testability  | Can be verified             |
| Priority     | Business importance         |
| Risk Level   | Impact if not met           |

## Templates

…(truncated)

</details>

### stride-analysis-patterns

> Apply STRIDE methodology to systematically identify threats. Use when analyzing system security, conducting threat modeling sessions, or creating security documentation.

<details>
<summary>View skill definition</summary>

# STRIDE Analysis Patterns

Systematic threat identification using the STRIDE methodology.

## When to Use This Skill

## Core Concepts

### 1. STRIDE Categories

```
S - Spoofing       → Authentication threats
T - Tampering      → Integrity threats
R - Repudiation    → Non-repudiation threats
I - Information    → Confidentiality threats
    Disclosure
D - Denial of      → Availability threats
    Service
E - Elevation of   → Authorization threats
    Privilege
```

### 2. Threat Analysis Matrix

| Category        | Question                                  | Control Family |
| --------------- | ----------------------------------------- | -------------- |
| Spoofing        | Can attacker pretend to be someone else?  | Authentication |
| Tampering       | Can attacker modify data in transit/rest? | Integrity      |
| Repudiation     | Can attacker deny actions?                | Logging/Audit  |
| Info Disclosure | Can attacker access unauthorized data?    | Encryption     |
| DoS             | Can attacker disrupt availability?        | Rate limiting  |
| Elevation       | Can attacker gain higher privileges?      | Authorization  |

## Templates

### Template 1: STRIDE Threat Model Document

```markdown
# Threat Model: 
```

…(truncated)

</details>

### threat-mitigation-mapping

> Map identified threats to appropriate security controls and mitigations. Use when prioritizing security investments, creating remediation plans, or validating control effectiveness.

<details>
<summary>View skill definition</summary>

# Threat Mitigation Mapping

Connect threats to controls for effective security planning.

## When to Use This Skill

- Prioritizing security investments
- Creating remediation roadmaps
- Validating control coverage
- Designing defense-in-depth
- Security architecture review
- Risk treatment planning

## Core Concepts

### 1. Control Categories

```
Preventive ────► Stop attacks before they occur
                 (Firewall, Input validation)
      │
Detective ─────► Identify attacks in progress
                 (IDS, Log monitoring)
      │
Corrective ────► Respond and recover from attacks
                 (Incident response, Backup restore)
```

### 2. Control Layers

| Layer           | Examples                             |
| --------------- | ------------------------------------ |
| **Network**     | Firewall, WAF, DDoS protection       |
| **Application** | Input validation, authentication     |
| **Data**        | Encryption, access controls          |
| **Endpoint**    | EDR, patch management                |
| **Process**     | Security training, incident response |

### 3. Defense in Depth

```
                ┌──────────────────────┐
                │      Perimeter       │ ← Firewall, WAF
                │   ┌──────────────┐   │
                │   │   Network    │   │ ← Segmentation, IDS
                │   │  ┌────────┐  │   │
                │   │  │  Host  │  │   │ ← EDR, Hardening
                │   │  │ ┌────┐ │  │   │
```

…(truncated)

</details>

## Source

View on GitHub

Tags: security, sast, vulnerability-scanning, owasp, devsecops