Original Reddit post

TL;DR: new plugin for Ghost Security's open-source AppSec skills in CC

Hey all, wanted to share with you all our recently open-sourced Claude Code plugin for securing your codebases without drowning in AppSec hell. It's a very particular set of skills that leverage some of our purpose-built open-source CLI tools to scan your repo for code security flaws, secrets, and vulnerable package dependencies. You can then validate those flaws on a live system and/or generate a report.

If you've ever run any AppSec tools before, you know that they're trying to show you literally everything that maybe-possibly-could-potentially-if-mercury-is-in-retrograde-be-exploitable. They want to avoid false negatives and because of that, you get overwhelmed with noise and you miss out on the few that are a real risk. It's painful for what you get.

The goal with these skills is to have all the AI-native SAST capabilities (code flaws, secrets, deps) within easy reach but with the point of only showing you what's exploitable or must-fix. Then, if anything needs fixing, Claude has all the context to guide you through it. Ideally, with the least amount of thinking about it. After all, security that doesn't flow with the vibes is going to get bypassed.
How it differs from Claude's security commands:

- Dedicated skills for dedicated tasks (not just code security, but secrets, dependencies, live validation, reports, etc.)
- Certain skills use open-source, purpose-built CLI tools to be precise about detection and leave the triage to Claude
- Cached repo context is used by all the skills to better inform them of structure, sensitivity, and purpose
- Opinionated triage baked in to surface only exploitable items (is code reachable, is secret used in production context, are dependencies actually used/reachable/exploitable)
- Wider coverage and precise criteria for specific types of code security flaws (this is how you keep Claude focused and not get lost in large codebases)
- Nicely formatted outputs and reports - "Look boss, all good"
- You can customize anything about how it works so you better control token usage
- It's a composable set of skills that make an actual workflow

Use when:

- Locally before you ship a major refactor/feature
- When you want to understand the risky parts of an existing app
- When you want to weave AppSec capabilities into any workflow

Links:

- Docs site with installation and videos/demos: https://ghostsecurity.ai/
- GitHub Repo: https://github.com/ghostsecurity/skills

Disclosure: I'm an engineer at Ghost Security, and this plugin is being released as free/open-source without any signup or payment or login to our commercial offerings. Wild, I know.

This is our initial release, and so we'd love to hear your feedback. Thanks

submitted by /u/2_advil_please

Originally posted by u/2_advil_please on r/ClaudeCode
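The "opinionated triage" idea in the post (keep a code flaw only if it is reachable, a secret only if it sits in a production context, a dependency only if production code actually imports it) is easy to illustrate with a small rule engine. The block below is an added example written for this page; it is not the Ghost Security plugin's code, and its finding schema, call graph, import map and sample findings are all constructed. Real scanners would supply the graph and the findings; the point is the filtering logic that turns a noisy combined report into a short must-fix list with a stated reason for every decision.

```python
"""Toy triage of mixed AppSec findings: keep only what is plausibly exploitable.

Added example, not the Ghost Security tools' format or logic. The finding
schema, call graph, import map and sample data below are all constructed.
"""
import re
from collections import deque

# Constructed call graph: caller -> callees. Entry points are request handlers.
CALL_GRAPH = {
    "handlers.login": ["auth.check_password", "db.query"],
    "handlers.upload": ["files.save"],
    "auth.check_password": ["db.query"],
    "files.save": [],
    "db.query": [],
    "legacy.export_csv": ["db.raw_query"],  # dead code: nothing calls it anymore
    "db.raw_query": [],
}
ENTRY_POINTS = {"handlers.login", "handlers.upload"}

# Constructed import map: which source file imports which third-party package.
IMPORTS = {
    "app/handlers.py": {"flask", "yaml"},
    "tests/test_handlers.py": {"pytest", "requests"},
}

# Values that look like placeholders rather than live credentials.
PLACEHOLDER = re.compile(r"^(changeme|example|xxx+|<.*>|\$\{.*\})$", re.I)

# Constructed findings, as if merged from a SAST, a secrets and a dependency scanner.
FINDINGS = [
    {"id": "F1", "kind": "code", "title": "SQL built by string concat", "function": "db.raw_query"},
    {"id": "F2", "kind": "code", "title": "Path traversal in file write", "function": "files.save"},
    {"id": "F3", "kind": "secret", "path": "app/config.py", "value": "sk_live_CONSTRUCTED0000"},
    {"id": "F4", "kind": "secret", "path": "tests/fixtures.py", "value": "changeme"},
    {"id": "F5", "kind": "dependency", "package": "yaml", "advisory": "PLACEHOLDER-ADVISORY-1"},
    {"id": "F6", "kind": "dependency", "package": "requests", "advisory": "PLACEHOLDER-ADVISORY-2"},
]


def reachable_functions(graph, entry_points):
    """BFS from every entry point; returns the set of functions a request can reach."""
    seen, queue = set(), deque(entry_points)
    while queue:
        fn = queue.popleft()
        if fn in seen:
            continue
        seen.add(fn)
        queue.extend(graph.get(fn, []))
    return seen


def is_production_context(path):
    """Crude production-context check: anything outside test/fixture/example trees."""
    return not re.search(r"(^|/)(tests?|fixtures?|examples?)(/|$)", path)


def triage(findings, graph=CALL_GRAPH, entry_points=ENTRY_POINTS, imports=IMPORTS):
    """Return (must_fix, suppressed); each entry is (finding_id, reason)."""
    reach = reachable_functions(graph, entry_points)
    prod_imports = set()
    for path, packages in imports.items():
        if is_production_context(path):
            prod_imports |= packages

    must_fix, suppressed = [], []
    for f in findings:
        kind = f["kind"]
        if kind == "code":
            keep = f["function"] in reach
            reason = "reachable from an entry point" if keep else "no path from any entry point"
        elif kind == "secret":
            prod = is_production_context(f["path"])
            live = not PLACEHOLDER.match(f["value"])
            keep = prod and live
            reason = ("live-looking secret in production code" if keep
                      else "test/fixture context" if not prod else "placeholder value")
        elif kind == "dependency":
            keep = f["package"] in prod_imports
            reason = ("vulnerable package imported by production code" if keep
                      else "package not imported outside tests")
        else:
            raise ValueError(f"unknown finding kind: {kind}")
        (must_fix if keep else suppressed).append((f["id"], reason))
    return must_fix, suppressed


if __name__ == "__main__":
    fix, noise = triage(FINDINGS)
    print("MUST FIX:", fix)
    print("SUPPRESSED:", noise)
```

Run as-is it keeps F2, F3 and F5 and suppresses the other three, each with its reason. The reasons matter as much as the verdict: a suppressed finding with "no path from any entry point" attached is something a reviewer can re-check when the call graph changes, which is what keeps this kind of filter from quietly becoming a source of false negatives.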