Installation

Open Claude Code and run this command:

/plugin install security-test-scanner@claude-code-plugins-plus

Use --global to install for all projects, or --project for current project only.

What It Does

Automated security vulnerability testing covering OWASP Top 10, SQL injection, XSS, CSRF, authentication issues, and authorization flaws.

Features

OWASP Top 10 testing - Complete coverage of critical web vulnerabilities
Injection testing - SQL, NoSQL, command, LDAP, template injection
XSS detection - Reflected, stored, and DOM-based XSS
Authentication testing - Weak passwords, session management, JWT flaws
Authorization testing - Privilege escalation, IDOR, access control
Security misconfiguration - Default credentials, verbose errors, headers
API security - Rate limiting, CORS, input validation
Comprehensive reporting - Severity ratings, PoC, remediation steps

Skills (1)

performing-security-testing SKILL.md View full skill →

Test automate security vulnerability testing covering OWASP Top 10, SQL injection, XSS, CSRF, and authentication issues.

ReadWriteEditGrepGlobBash(test:security-*)

Security Test Scanner

Overview

Automate security vulnerability detection covering OWASP Top 10 categories including SQL injection, XSS, CSRF, broken authentication, and sensitive data exposure. Combines static analysis (source code scanning with Semgrep, Bandit, ESLint security plugins) with dynamic testing patterns (input fuzzing, header validation, authentication bypass checks).

Prerequisites

Static analysis tools installed (Semgrep, ESLint with eslint-plugin-security, Bandit for Python, or SpotBugs for Java)
Application running in a test environment (never scan production without explicit authorization)
Written authorization to perform security testing on the target system
npm audit, pip-audit, or trivy for dependency vulnerability scanning
OWASP ZAP or Burp Suite for dynamic application security testing (optional)

Instructions

Run dependency vulnerability scanning to identify known CVEs:

Execute npm audit --json or pip-audit --format json or trivy fs ..
Parse results and flag critical/high severity vulnerabilities.
Check if vulnerable dependencies have available patches.

Perform static application security testing (SAST) on source code:

Run Semgrep with OWASP rulesets: semgrep --config=p/owasp-top-ten.
Execute language-specific scanners (Bandit for Python, ESLint security for JS).
Scan for hardcoded secrets using gitleaks or trufflehog.

Analyze code for injection vulnerabilities:

Search for string concatenation in SQL queries (use Grep for patterns like "SELECT.*" +).
Identify unsanitized user input flowing into innerHTML, eval(), or exec().
Check for command injection via child_process.exec() or os.system() with user input.

Validate authentication and authorization:

Verify password hashing uses bcrypt, scrypt, or Argon2 (not MD5/SHA1).
Check JWT token validation includes expiration, issuer, and audience claims.
Ensure authorization checks exist on every protected endpoint.

Test for common web vulnerabilities:

CSRF: Verify anti-CSRF tokens on state-changing endpoints.
CORS: Check Access-Control-Allow-Origin is not set to * on authenticated endpoints.
Security headers: Validate presence of Content-Security-Policy, X-Frame-Options, Strict-Transport-Security.

Generate a prioritized findings report with:

CVSS score for each vulnerability.
Affected file, line n

How It Works

The security scanner agent activates when discussing security testing:


Test the API for SQL injection vulnerabilities
Generate security tests for the authentication system
Check for OWASP Top 10 vulnerabilities in the application
Scan for XSS vulnerabilities in the comment system

security-test-scanner

Installation

What It Does

Features

Skills (1)

Security Test Scanner

Overview

Prerequisites

Instructions

How It Works

Ready to use security-test-scanner?

Related Plugins

security-test-scanner

Installation

What It Does

Features

Skills (1)

Security Test Scanner

Overview

Prerequisites

Instructions

How It Works

Ready to use security-test-scanner?

Related Plugins

accessibility-test-scanner

api-fuzzer

api-test-automation

browser-compatibility-tester

chaos-engineering-toolkit

contract-test-validator