An extensible developer-friendly application security platform that scans source code to surface true and actionable security issues with AI-assisted
Semgrep is highly appreciated for its ability to efficiently detect vulnerabilities and enforce code standards through static analysis, often noted for its ease of integration and use. Users frequently mention its comprehensive rule set and flexibility in creating custom rules tailored to specific needs. However, some express concerns about its performance impacting larger codebases. Sentiment around pricing is generally neutral, with users valuing the cost relative to the functionality offered. Overall, Semgrep enjoys a strong reputation as a reliable and versatile security tool among developers and security professionals.
Mentions (30d): 4
Reviews: 0
Platforms: 2
GitHub Stars: 14,868 (914 forks)
Industry: information technology & services
Employees: 250
Funding Stage: Series D
Total Funding: $193.0M
GitHub followers: 395
GitHub repos: 140
GitHub stars: 14,868
npm packages: 20
HuggingFace models: 3
Pricing found: $0/month, $30/month
Claude Security is in beta for Enterprise users — is this a real AppSec shift or just AI wrapper + UX?
Anthropic launched Claude Security in public beta on April 30 for Enterprise customers and says Team/Max access is coming soon. They’re framing it less like a traditional pattern-matching scanner and more like a system that reads code, traces flows, explains findings, and suggests patches. I don’t have hands-on access, so I’m not claiming anything about quality. But I’m curious how security people here think about this category:
- Could LLM-based review meaningfully improve vuln discovery and triage?
- Or does this mostly sit on top of workflows that Semgrep / CodeQL / Snyk / GHAS already cover?
- What would it need to do to actually matter in a real AppSec pipeline?
Would love grounded takes from people who’ve tried similar tools in production.
submitted by /u/Roaring_lion_
Scanner for Prompt Injection Vulnerabilities in Code
Hi Folks - was building out something as a hobby project, but seems it might become more than that. The idea was to get Claude Code to help me detect prompt injection vulns in code (the /security-review plugin is simply a regex thingy). We (Claude and I) then went into a rabbit-hole of Semgrep and existing rules and other open source tools. Finally, built my own scanner - mainly a set of enhanced Semgrep rules focused on identifying indirect prompt injection sinks, building a corpus that others can use, and one LLM-based eval component where the code uses LLM-as-judge. Would love for peers to take a look and trash it - or help enhance it. Some queries in my head:
- Are you all checking your code for prompt injection?
- If so, what's working and what's not?
- What would you look for in a tool if you had to use one?
Whitney - Prompt Injection Scanner
submitted by /u/AnswerPositive6598
Two months of coding with Claude code
My background started in sales, moved to product/tech about ten years ago, culminating in my role as chief product officer at a large debt relief company. Today, around 7:30 am, after my fourth all-nighter in a row, I released a product (in stealth, no heavy marketing yet) after two months of deep work with over 1,000 commits and a lot of sleepless nights. I used VS Code, with ClaudeCode. Mostly opus high effort. Lots of CLI, no MCP - huge win - read about so many issues with MCP and it was never a thing. Built on/with railway, supabase, voyage AI, pinecone, resend, grafana, multi-AI provider with custom fallback (almost used liteLLM, and chose custom days before their incident), cloudflare for dns/R2/zerotrust, sentry (incredible tool - major part of how I shipped as much as I did as quickly as I did), redis upstash, bullMQ, Unsplash, stripe, huskyCI, Semgrep, and probably a few more I am missing.
- Is it going to sell? I don’t know.
- Is it technically capable and unique? I think so.
- Am I super proud of myself? Hell yes.
- Are there bugs? You tell me. Typically I squash them in the staging environment with help of sentry, but something may have gotten past me certainly!
- What does it do? Convert web visitors to leads with custom agents, in under 5 minutes.
Roast me, or give me some feedback! www.wengrow.app
Moments that stand out:
- The velocity in general
- Shipping enterprise level SSO (supabase auth) in a few hours
- Rapid CRO optimization of onboarding flow. Having done this work before leading large engineering and product teams, the work I did in 24 hours would have taken a cross functional team of 5 weeks at a minimum.
- Cookie consent management. Having previously spent months at a prior job trying to do CCM right with a paid tool, I was able to set up a compliant CCM process on www in hours with c15t, including audit logs sent to my Supabase DB and proper handling of California nuances.
- So much more, but I need to catch up on some sleep
submitted by /u/berrism
Built a free Claude Code skill that audits AI-generated code before you push — catches the stuff you forget to check when you're moving fast
Here's a pattern I kept running into: I'm vibe coding, the AI writes 80 lines of working code, I glance at it, it looks fine, I push. Three days later I notice there's no auth check on that endpoint. Or the API key I was testing with is now in git history. Or the loop I let it write hits the database N+1 times because I didn't think to check. The problem isn't that the code doesn't work. It's that when AI writes code at speed, you stop reading carefully — and that's when the real issues sneak through. I built vibe-guard-skills to be the check I keep skipping. It's three Claude Code skills, runs locally, no external API calls, MIT license.
The three passes:
- /vibe-check — asks "will this survive production?" Looks for N+1 queries, missing error handling, operations that'll fall over at scale, edge cases that weren't considered. The stuff that passes code review because it technically works, until it doesn't.
- /vibe-secure — asks "would I be embarrassed if this shipped?" Hardcoded secrets (yes, it still happens), missing auth checks, injection surfaces, disabled security defaults. This is the Moltbook problem — they shipped hardcoded creds + disabled RLS to production and exposed 1.5M API tokens. A 10-second check catches that.
- /vibe-explain — asks "do I actually understand what I'm shipping?" Explains blocks you skimmed, flags logic you should understand but probably don't, surfaces assumptions the AI made that you didn't notice. Useful when you've been in flow for two hours and your reading comprehension is gone.
Run all three at once with /vibe-guard. Add --quick for a ~10s pass when you're in a hurry.
To install:
    curl -fsSL https://raw.githubusercontent.com/codecoincognition/vibe-guard-skills/main/install.sh | bash
Then add one block to your CLAUDE.md (instructions in the repo). There's also an optional pre-push hook if you want it to run automatically.
Honest limitations:
- Pre-push hook is local — if someone else on your team pushes without it, nothing happens
- It doesn't replace CI security scanning (Semgrep, Snyk, etc.) — it's a local first pass
- Model quality matters; it won't catch everything
The CLAUDE.md pattern works with any AI coding assistant that reads CLAUDE.md, not just Claude Code. So if you're on Cursor or another tool, it should work there too.
GitHub: https://github.com/codecoincognition/vibe-guard-skills — free, open source
submitted by /u/AdGloomy5943
Yesterday I got ratio'd for saying I made gstack obsolete. Today I actually did it in a day (fwstack) using Flow Weaver and Claude Code.
I'm Ricardo, creator of Flow Weaver (a TypeScript workflow compiler). Yesterday I posted claiming Flow Weaver workflows could replace prompt-based skill packs like gstack. Got ratio'd. Fair enough. So I built fwstack: fwstack, MIT licensed, OS, Claude Code plugin. 5 compiled workflows, or bring your own. https://github.com/synergenius-fw/fwstack
Install:
    /plugin marketplace add synergenius-fw/claude-plugins
    /plugin install fwstack
What you get:
- /fwstack:review: runs real eslint + tsc, then pauses for Claude to analyze the diff with linter context. Findings extracted as structured JSON, deduplicated, ranked by severity.
- /fwstack:tdd: RED/GREEN cycle with real test execution. Runs npm test, checks exit codes. The RED gate blocks until your test actually fails. The GREEN gate blocks until it passes. Claude can't skip steps.
- /fwstack:security: runs npm audit + semgrep, then pauses for OWASP/STRIDE analysis. Drops findings below 8/10 confidence. No hallucinated vulnerabilities.
- /fwstack:ship: checks you're on a feature branch, runs full test suite. If tests fail, it stops. No override. Then pauses for changelog.
- /fwstack:plan: reads your codebase structure, pauses for Claude to plan. Validates the output: rejects "TBD", "as needed", "maybe". Every task needs a real file path.
What it looks like running /fwstack:tdd: https://reddit.com/link/1sjrou5/video/f5p534fwvtug1/player
Every node shows timing. Parallel branches visible. Live progress bar during execution. The plugin renders this, not Claude. These aren't prompts telling Claude what to do. They're compiled pipelines where Claude only gets control at pause points. Everything else is deterministic code running real tools. Built in a day without touching code on Flow Weaver. If this resonates, come shape it.
Flow Weaver GitHub | Website | Discord | X/Twitter | fwstack Github
Previously TLDR: The post: I think I accidentally made gstack and superpowers obsolete. I presented Flow Weaver as a workflow typescript compiler and demonstrated my vision of what an integrated experience would be with Claude Code and its workflows. Workflows look like this. The teaser: demonstrates the interaction of a workflow with Claude Code.
submitted by /u/Moraispgsi
I built a security scanner that runs inside Claude Code — 5,000+ rules, one command
I got tired of switching between my editor and separate security tools, so I built Shieldbot — an open-source security scanner that runs directly inside Claude Code as a plugin. You install it with:
    /plugin marketplace add BalaSriharsha/shieldbot
    /plugin install shieldbot
    /shieldbot .
It runs 6 scanners in parallel:
- Semgrep (5,000+ community rules — OWASP Top 10, CWE Top 25, injection, XSS, SSRF)
- Bandit (Python security)
- Ruff (Python quality/security)
- detect-secrets (API keys, tokens, passwords in source code)
- pip-audit (Python dependency CVEs)
- npm audit (Node.js CVEs)
Findings get deduplicated across scanners (same bug reported by Semgrep and Bandit shows up once, not twice), then Claude synthesizes everything into a prioritized report — risk score, executive summary, specific code fixes, and which findings are likely false positives. The first thing I did was run it on itself. It caught a Jinja2 XSS vulnerability in the HTML reporter that I'd missed. One real finding, zero false positives on secrets. You can also just talk to it naturally — "scan this repo for security issues" or "check my dependencies for CVEs" — and the agent kicks in. It also works as a GitHub Action if you want it in CI:
    - uses: BalaSriharsha/shieldbot@main
Findings show up in GitHub's Security tab via SARIF. Everything runs locally. No code leaves your machine. The MCP server just pipes scanner results to Claude Code over stdio.
GitHub: https://github.com/BalaSriharsha/shieldbot
MIT licensed. Would appreciate feedback — especially on what scanners or report features you'd want added.
submitted by /u/ILoveCrispyNoodles
I built Shield — an open-source security plugin for Claude Code that found 103 secrets and 36 vulnerabilities in my own project
Shield is a plugin that orchestrates security tools from a single /shield:shield command inside Claude Code. It auto-detects your stack, runs whichever tools are installed (Semgrep SAST, gitleaks secrets scanning, npm/pip/composer audit, Shannon pentester), consolidates everything into a unified report with a 0-100 risk score, and proposes code fixes with diffs.
I tested it on my own Next.js monorepo:
- 36 dependency vulnerabilities (1 CRITICAL, 26 HIGH)
- 103 secrets in git history (AWS keys, Stripe tokens, OpenAI API keys)
- 77 SAST findings (XSS, hardcoded credentials, missing SRI)
- A .env with production credentials tracked in git that I didn't know about
After fixing 3 direct dependencies and removing the exposed .env, the project went from 36 vulns to 0.
Features:
- 6 modes: full, quick, fix, verify, score, outdated
- 34 custom Semgrep rules (JS/TS, Python, PHP)
- Dependency freshness check with SECURITY/MAJOR/MINOR/PATCH classification
- OWASP Top 10 / CWE / SOC 2 / PCI-DSS / HIPAA compliance mapping
- SARIF output for GitHub Security tab
- Security score badge for your README
- Graceful degradation — runs whatever you have installed
- 189 unit tests, MIT licensed
Install:
    git clone https://github.com/alissonlinneker/shield-claude-skill.git
    cd shield-claude-skill && ./install.sh
    # Inside Claude Code:
    /plugin marketplace add /path/to/shield-claude-skill
    /plugin install shield@shield-security
GitHub: https://github.com/alissonlinneker/shield-claude-skill
Feedback and contributions welcome. Roadmap is organized as GitHub issues.
submitted by /u/alissonlinneker
Yes, Semgrep offers a free tier. Pricing found: $0/month, $30/month.
Key features include:
- CLI, CI/CD, and IDEs (VS Code, JetBrains)
- PR checks in GitHub, GitLab, Bitbucket, Azure
- Jira and ticketing workflow routing
- APIs and webhooks
- MCP integrations for AI tools like Cursor and Replit
- Cloud context via partners including Palo Alto Networks, Sysdig, StackHawk
- Clear, actionable findings
- Fix issues in PRs, CI, IDEs, or AI tools
Semgrep is commonly used for:
- Code security that unifies teams, accelerates delivery, and reduces real risk
- For developers: clear, actionable findings; fix issues in PRs, CI, IDEs, or AI tools; ship faster with confidence
Semgrep integrates with: GitHub, GitLab, Bitbucket, Azure DevOps, Jira, Slack, Trello, Asana, CircleCI, Travis CI.
Semgrep has a public GitHub repository with 14,868 stars.
Based on 12 social mentions analyzed, 17% of sentiment is positive, 83% neutral, and 0% negative.