Snyk is the AI Security Fabric. Secure at inception with continuous, autonomous defense for AI-generated code and AI-native apps. Unleash AI innovatio
Snyk is generally well-regarded by users for its robust security capabilities, with an average rating of 4.1 across 20 reviews and individual ratings frequently around 4 to 4.5 stars, suggesting satisfaction with its features and functionality. Some reviewers raise concerns about usability, false positives and scan time, as the few lower ratings show. Several reviewers also describe it as expensive relative to similar products, although pricing is not a frequent theme. Overall, Snyk is seen as a solid choice among security tools with a strong reputation, with room for improvement in user experience.
Mentions (30d): 0
Avg rating: 4.1 (20 reviews)
Platforms: 2
GitHub stars: 5,470 (676 forks)
Industry: computer & network security
Employees: 1,200
Funding stage: Other
Total funding: $1.2B
GitHub followers: 1,737
GitHub repos: 232
GitHub stars: 5,470
npm packages: 20
HuggingFace models: 6
Pricing found: $0 (free tier), $25/month, $1,260/year
Reviews collected by and hosted on G2.com:
Likes: User interface, categorisation, depth in review. Dislikes: Too many false positives; sometimes too much detail makes it complex to analyze.
Likes: Snyk is easy to set up and start using. Setting it up to run as a GitHub Action allows it to integrate seamlessly alongside other existing CI processes. Along with this, I like that its vulnerability scanning is pretty much universally trusted amongst engineers; this trust allows for peace of mind. Dislikes: This might have changed since the last time I worked with this product, but at the time Snyk was a bit expensive compared to similar products.
Likes: I like that Snyk easily runs scans and even provides the versions in which vulnerabilities are fixed. This feature is valuable because it helps me identify security risks or bad implementations in my code changes without having to test and update my code and dependencies manually. I also appreciate the easy setup process; the extension for Snyk is available in Visual Studio Code, and after downloading it, I just needed to sign up and authenticate my project. Dislikes: I've seen that Snyk does not do that well with the vulnerabilities that are related to licensing.
Likes: Snyk has an extensive and up-to-date vulnerability database which helps early detection of vulnerabilities in applications. It is very developer-friendly, with easy integration set-up and descriptive remediation advice for detected vulnerabilities. I use it daily, running in CI/CD pipelines. Dislikes: Sometimes it flags false positives. Scans can take a few minutes for a medium-sized repository, which can slow down the pipeline.
Likes: Snyk's product features a highly intuitive GUI, making it straightforward to identify and address vulnerabilities. The platform allows you to organize developers into Orgs, which is helpful for ensuring that only specific development teams can view the vulnerabilities related to their own products. This structure also enhances the reporting capabilities. Integration with GitHub Cloud is relatively simple; you can use a GitHub app to onboard individual repositories to team orgs. Implementation is also quite manageable, provided you know which teams are responsible for which repositories and the products or services they support. Customer support is accessible online through the portal, making it easy to submit a ticket or arrange a call when needed. Snyk is fairly customisable per org too, allowing you to decide which settings you want to enable on a per team / product basis, so you can get quite granular in terms of which PRs get raised for which activities. Feedback is also provided in GitHub itself, which is useful for the developers. Dislikes: Its DAST product is in a separate interface and not integrated into the Snyk product itself; I believe this was due to it being an acquisition. Equally, their secret detection capability is not very good and they don't focus on code quality, so you will need a different product for that.
Likes: What I appreciate most about Snyk is its "Reachability" feature. This means that if a vulnerable or exploitable library or package is imported in the code but not actually called or used, it is identified as a false positive and does not require remediation. However, this feature is only available in the paid subscription, not in the free version. It significantly reduces the time the VAPT team spends validating issues, and also helps the DevOps team address problems more efficiently. Another aspect I value is how quickly Snyk adapts to new CVEs. If a zero-day exploit appears, Snyk updates its CVE database within a maximum of 24 hours, helping to keep the code secure. Dislikes: After some months of a project being imported, scanned, and tested, Snyk starts providing false-positive issues as well.
Likes: Its scanning capabilities are very good. For instance, it really does well in SAST scans and even SCA scans. It is also helpful in mitigating vulnerabilities by providing the best solutions. Dislikes: Its cost. It is very expensive. Other than that, the UI can be a bit better.
Likes: Recently they came out with a feature called Deep Code AI; using this we can fix the issue for 1st-party code at the IDE level. Dislikes: It doesn't have on-prem, and also we cannot push the SAST results to the dashboard from the CLI.
Likes: Integrates with most major code repos, but the integration is not amazing. Dislikes: Customer support is slow to respond, usually not helpful, and ended up escalating to a developer; that's when we lost all contact and did not get a solution to a clear bug that prevents us from using the product. Another really important note around SBOM: the CLI does not provide all the information that you get from the UI; the solution provided was to use another tool to extract data. Not sure why we pay for a product if we need to use outside, 3rd-party tools to get the information we need.
Likes: Integration with both Bitbucket and GitHub, policy as code. Dislikes: Too many unnecessary false positives, policy overrides; hard and complex to manage and track alerts.
Claude Security is in beta for Enterprise users — is this a real AppSec shift or just AI wrapper + UX?
Anthropic launched Claude Security in public beta on April 30 for Enterprise customers and says Team/Max access is coming soon. They're framing it less like a traditional pattern-matching scanner and more like a system that reads code, traces flows, explains findings, and suggests patches. I don't have hands-on access, so I'm not claiming anything about quality. But I'm curious how security people here think about this category: Could LLM-based review meaningfully improve vuln discovery and triage? Or does this mostly sit on top of workflows that Semgrep / CodeQL / Snyk / GHAS already cover? What would it need to do to actually matter in a real AppSec pipeline? Would love grounded takes from people who've tried similar tools in production. submitted by /u/Roaring_lion_
Built a free Claude Code skill that audits AI-generated code before you push — catches the stuff you forget to check when you're moving fast
Here's a pattern I kept running into: I'm vibe coding, the AI writes 80 lines of working code, I glance at it, it looks fine, I push. Three days later I notice there's no auth check on that endpoint. Or the API key I was testing with is now in git history. Or the loop I let it write hits the database N+1 times because I didn't think to check. The problem isn't that the code doesn't work. It's that when AI writes code at speed, you stop reading carefully, and that's when the real issues sneak through. I built vibe-guard-skills to be the check I keep skipping. It's three Claude Code skills, runs locally, no external API calls, MIT license.
The three passes:
- /vibe-check asks "will this survive production?" Looks for N+1 queries, missing error handling, operations that'll fall over at scale, edge cases that weren't considered. The stuff that passes code review because it technically works, until it doesn't.
- /vibe-secure asks "would I be embarrassed if this shipped?" Hardcoded secrets (yes, it still happens), missing auth checks, injection surfaces, disabled security defaults. This is the Moltbook problem: they shipped hardcoded creds + disabled RLS to production and exposed 1.5M API tokens. A 10-second check catches that.
- /vibe-explain asks "do I actually understand what I'm shipping?" Explains blocks you skimmed, flags logic you should understand but probably don't, surfaces assumptions the AI made that you didn't notice. Useful when you've been in flow for two hours and your reading comprehension is gone.
Run all three at once with /vibe-guard. Add --quick for a ~10s pass when you're in a hurry. To install: curl -fsSL https://raw.githubusercontent.com/codecoincognition/vibe-guard-skills/main/install.sh | bash Then add one block to your CLAUDE.md (instructions in the repo). There's also an optional pre-push hook if you want it to run automatically.
Honest limitations:
- Pre-push hook is local; if someone else on your team pushes without it, nothing happens.
- It doesn't replace CI security scanning (Semgrep, Snyk, etc.); it's a local first pass.
- Model quality matters; it won't catch everything.
The CLAUDE.md pattern works with any AI coding assistant that reads CLAUDE.md, not just Claude Code. So if you're on Cursor or another tool, it should work there too. GitHub: https://github.com/codecoincognition/vibe-guard-skills — free, open source. submitted by /u/AdGloomy5943
Hitting limits on 5x & Claude said False Positive on North Korean RAT alerts in my EDS.
Claude said Bitdefender's alert and quarantine was a false positive, and also to add the infected file back to the path or reinstall it. It was an active attack chain! I had to ask Claude where it got the false positive information. Claude used to research first and come back with answers. The updates have ruined my confidence in it. https://snyk.io/blog/axios-npm-package-compromised-supply-chain-attack-delivers-cross-platform/ I was using Claude for troubleshooting a network issue, was planning a network change to go from Firewalla L3 to Cisco 9300UXM as L3 with Firewalla as the edge for WAN traffic. submitted by /u/BaTtLaNgL6767
5 agent skills I found on the Agensi marketplace that actually changed my workflow
Been using AI coding agents daily for months now and recently discovered agensi.io, which is basically a marketplace for SKILL.md files. Bought a few, downloaded some free ones, and a handful have genuinely stuck in my rotation. Here are the 5 I keep coming back to:
- code-reviewer catches things I miss on my own PRs. Anti-patterns, style inconsistencies, security red flags. I run it before every push now and it's saved me from embarrassing commits more than once.
- env-doctor diagnoses broken dev environments. Dependency conflicts, missing env vars, wrong versions. Instead of spending 45 minutes debugging why nothing works after a fresh clone, this thing just tells you.
- readme-generator actually produces READMEs that don't look AI generated. Pulls context from the codebase and writes something you'd actually want in your repo. Saved me hours across multiple projects.
- seo-optimizer rewrites content with real keyword targeting and structure. Not the generic "make it more SEO friendly" prompt. Actual on-page optimization with heading hierarchy and meta suggestions.
- pr-description-writer generates PR descriptions from your diff. Context, motivation, what changed, what to test. My team actually reads my PRs now because they understand what they're looking at before touching the code.
All of them use the SKILL.md standard so they work across Claude Code, Cursor, Codex CLI, Copilot, Gemini CLI, whatever you use. Buy once or download free, drop into your skills folder, done. One thing I appreciate is every skill on there goes through an automated security scan and a human review before it goes live. Given that Snyk found 36% of skills on public registries have security flaws, that actually matters. Link to the marketplace in the comments. Curious what skills others are using or if anyone else has tried this. submitted by /u/BadMenFinance
Yesterday I posted about building a finance app with Claude Code and 200+ comments told me I was going to get sued. Here's what we're actually doing.
My post yesterday blew up (550k+ views, #1 on the sub) and the most common reaction was basically "you're vibe coding a banking app, you're going to get destroyed." Fair. I'd have the same reaction. So let me break down what the stack actually looks like, because I think there's a misconception about what "building with AI" means in practice.
First, I'm not touching bank credentials. All bank connectivity runs through Plaid. Same infrastructure behind Venmo, Robinhood, Coinbase, and pretty much every fintech app you already use. I never see, store, or transmit any login credentials. That's Plaid's entire job.
Second, the AI writes the code but I still have to understand what it's writing. Especially for security. Here's what we locked down before launch:
- All Plaid tokens stored server-side in Cloud Functions, never on the client.
- Firestore rules locked down so users can only read and write their own data.
- Auth checks on every single Cloud Function endpoint. We caught and patched a Firestore rules gap where an authenticated user could theoretically self-escalate to premium.
- Prompt injection defenses on the AI chat.
- Rate limiting on API endpoints with per-user caps and a global daily spend monitor.
- Full Snyk dependency scan across three projects, 0 critical, 0 high vulnerabilities.
- Automated Firestore backups running daily.
- Terms of Service and Privacy Policy reviewed and updated with proper AI disclosure, entity naming, and accurate security claims.
Third, the code bloat thing. Yeah, 220k lines is a lot. We already cut 30k lines of dead code and broke apart multiple 2,900+ line monolithic files into smaller components. There's more cleanup coming after launch. But the codebase has been through a full audit and the security posture is solid.
The real lesson from yesterday's thread: if you're building anything that touches sensitive data with AI tools, you have to treat security as a first-class problem, not an afterthought. Claude Code will happily write insecure code if you don't specifically ask it not to. The AI doesn't think about attack vectors on its own. That's still 100% on you. Building with AI doesn't mean you get to skip the hard parts. It means you get to the hard parts faster. If anyone wants to help test before launch and give honest feedback, DM me. Looking for people who actually use finance apps and will tell me what's broken, not what's nice. submitted by /u/buildwithmoon
4 months of Claude Code and honestly the hardest part isn't coding
I've been building a full iOS app with Claude Code for about 5 months now. 220k lines, real users starting to test it. The thing nobody talks about is that the coding is actually the easy part at this point. The hard part is making design decisions. Claude Code will build literally anything you ask for but it can't tell you if it looks good. I spent 12 hours last night trying to get an AI chat input bar to look right. The code worked every time. It just looked wrong. Over and over.
The other hard part is debugging issues that only show up with real users. I tested my app for months on my own bank account and everything worked. First outside tester connects his bank and transactions are missing. Stuff that never happened in my testing. Anyone else hitting this wall where the AI can build anything but the taste and judgment calls are 100% on you?
EDIT: Since a lot of comments are asking about security, wanted to clarify. I'm not handling any bank credentials directly. All bank connectivity goes through Plaid, which is the same infrastructure behind Venmo, Robinhood, Coinbase, and most major fintech apps. I never see or store login credentials. We also ran a full Snyk security audit across the codebase, resolved every critical and high severity vulnerability, and all Plaid tokens are stored server-side in Cloud Functions, never on the client device. Firestore rules are locked down so users can only access their own data. Appreciate everyone who raised this, it's the right question to ask. submitted by /u/buildwithmoon
I'm building a curated Claude Code skills newsletter. Would anyone actually find value in this?
I've been drowning, going through lots of Claude Code skills lately, and kept running into the same problem: there are thousands of them out there, most are untested, poorly documented, and some have genuine security issues. (Snyk's ToxicSkills research found 36.82% of publicly available skills contain security flaws, 13.4% are critical.) So I'm building The Skill Shortlist, a bi-weekly newsletter that:
- Reviews Claude Code skills against 6 criteria (functional quality, clarity, scope, documentation, maintainability, originality)
- Security-audits every skill before it reaches you. If it fails, you never see it.
- Gives a clear verdict: accept, revise, or reject.
- Ships the reviewed SKILL.md file ready to install.
The idea is human curation, not algorithmic. Every skill gets a real review. Before I go further I want to know if this is actually useful to people. A few honest questions:
1. Is finding good, trustworthy skills actually a pain point for you?
2. Would you read a newsletter like this?
3. Free + paid tier. Would you pay for full curation reports and ready-to-install skill files?
If this sounds useful, I just opened a waitlist at theskillshortlist.com, but honestly the feedback here matters more to me right now than signups. Be brutal. submitted by /u/camilosanchez
Yes, Snyk offers a free tier. Pricing found: $0 (free tier), $25/month, $1,260/year
Snyk has an average rating of 4.1 out of 5 stars based on 20 reviews from G2, Capterra, and TrustRadius.
Key features include: Coding and CLI, Pull requests, CI/CD tools, Live environment, Developer-friendly workflow, Automated, actionable fixes, Vulnerability intelligence.
Snyk is commonly used for: dependency (SCA) scanning, SAST scanning of first-party code, and automated scanning in CI/CD pipelines and IDEs, according to the reviews above.
Snyk integrates with: GitHub, GitLab, Bitbucket, Jenkins, CircleCI, Travis CI, Azure DevOps, Slack, JIRA, Docker.
Snyk has a public GitHub repository with 5,470 stars.
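As an added example (not Snyk's code and not from the original page) of what the "Coding and CLI" and "CI/CD tools" features above look like in practice, the script below reads a `snyk test --json` report and applies the gating policy several reviewers above are asking for: fail the build only on findings at or above a severity threshold that actually have a fix, keep unfixable ones visible without blocking, honour a reviewed ignore list, and collapse the one-entry-per-dependency-path duplication that inflates raw counts. The JSON field names are my understanding of the CLI's output and the embedded sample report is constructed; verify both against a real run before relying on it.

```python
"""Triage a `snyk test --json` report and decide whether a CI job should fail.

Added example, not Snyk's own code. The field names read here
(vulnerabilities[].id, .severity, .packageName, .version, .from, .fixedIn,
.isUpgradable, .isPatchable) follow the CLI's JSON output as I understand it;
confirm them against a real report before wiring this into a pipeline.
"""
import json
import sys

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample in the shape of `snyk test --json`, trimmed to the fields
# this script reads. Issue ids and versions are made up, not real advisories.
SAMPLE_REPORT = json.dumps({
    "ok": False,
    "packageManager": "npm",
    "vulnerabilities": [
        {"id": "SNYK-JS-EXAMPLE-1", "title": "Prototype Pollution",
         "severity": "high", "packageName": "lodash", "version": "4.17.15",
         "from": ["app@1.0.0", "lodash@4.17.15"],
         "fixedIn": ["4.17.21"], "isUpgradable": True, "isPatchable": False},
        # Same issue reached through a second dependency path: the CLI emits
        # one entry per path, so a naive count over-reports it.
        {"id": "SNYK-JS-EXAMPLE-1", "title": "Prototype Pollution",
         "severity": "high", "packageName": "lodash", "version": "4.17.15",
         "from": ["app@1.0.0", "some-cli@2.0.0", "lodash@4.17.15"],
         "fixedIn": ["4.17.21"], "isUpgradable": True, "isPatchable": False},
        {"id": "SNYK-JS-EXAMPLE-2", "title": "Regular Expression Denial of Service",
         "severity": "medium", "packageName": "minimatch", "version": "3.0.4",
         "from": ["app@1.0.0", "glob@7.1.6", "minimatch@3.0.4"],
         "fixedIn": ["3.0.5"], "isUpgradable": True, "isPatchable": False},
        {"id": "SNYK-JS-EXAMPLE-3", "title": "Denial of Service",
         "severity": "critical", "packageName": "legacy-lib", "version": "0.9.0",
         "from": ["app@1.0.0", "legacy-lib@0.9.0"],
         "fixedIn": [], "isUpgradable": False, "isPatchable": False},
    ],
})


def load_vulnerabilities(report_text):
    """Return the vulnerability list from one report object or, for
    `--all-projects` runs, from a JSON array of per-project reports."""
    data = json.loads(report_text)
    reports = data if isinstance(data, list) else [data]
    vulns = []
    for report in reports:
        vulns.extend(report.get("vulnerabilities", []))
    return vulns


def dedupe(vulns):
    """Collapse per-path entries into one per (id, package, version), keeping
    every introducing path so remediation advice still says where it came from."""
    merged = {}
    for v in vulns:
        key = (v["id"], v.get("packageName"), v.get("version"))
        entry = merged.setdefault(key, dict(v, paths=[]))
        entry["paths"].append(" > ".join(v.get("from", [])))
    return list(merged.values())


def has_fix(v):
    """A finding is actionable if a fixed version, upgrade or patch exists."""
    return bool(v.get("fixedIn")) or bool(v.get("isUpgradable")) or bool(v.get("isPatchable"))


def triage(vulns, threshold="high", ignored_ids=frozenset()):
    """Bucket findings: blocking (>= threshold and fixable: fail the build),
    tracked (>= threshold, no fix yet: report and ticket, do not fail),
    below (under threshold: informational), ignored (reviewed, accepted risk)."""
    min_rank = SEVERITY_RANK[threshold]
    buckets = {"blocking": [], "tracked": [], "below": [], "ignored": []}
    for v in dedupe(vulns):
        # An unknown severity string is treated as critical rather than dropped.
        rank = SEVERITY_RANK.get(v.get("severity"), 3)
        if v["id"] in ignored_ids:
            buckets["ignored"].append(v)
        elif rank < min_rank:
            buckets["below"].append(v)
        elif has_fix(v):
            buckets["blocking"].append(v)
        else:
            buckets["tracked"].append(v)
    return buckets


def should_fail(buckets):
    return len(buckets["blocking"]) > 0


def format_finding(v):
    fix = ", ".join(v.get("fixedIn") or []) or "no fix available"
    return (f"[{v.get('severity')}] {v['id']} {v.get('packageName')}@{v.get('version')}"
            f" fixedIn={fix} via {len(v['paths'])} path(s), e.g. {v['paths'][0]}")


def main(argv):
    """Read a report file (or use the constructed sample); exit 1 on blocking findings."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_REPORT
    buckets = triage(load_vulnerabilities(text), threshold="high")
    for name in ("blocking", "tracked", "below", "ignored"):
        for v in buckets[name]:
            print(f"{name:9} {format_finding(v)}")
    return 1 if should_fail(buckets) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `snyk test --json > report.json; python snyk_gate.py report.json` (the script file name is assumed). The CLI's own `--severity-threshold` flag, and for open-source scans `--fail-on=upgradable`, give the simple form of this gate; what the script adds is the path dedupe, the tracked bucket that keeps unfixable issues visible without a permanently red pipeline, and the ignore list, which in a real pipeline belongs in a reviewed `.snyk` policy file or a checked-in allowlist with an expiry date rather than a hardcoded set.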
Based on 12 social mentions analyzed, 8% of sentiment is positive, 83% neutral, and 8% negative.