bridgesecurity

BridgeSecurity

Find vulnerabilities. Ship secure.

A Claude Code plugin from BridgeMind that gives your AI agents the instincts of a senior application security engineer.
Stop shipping classic vulnerabilities — start shipping production-secure code.

---

Why BridgeSecurity?

AI coding agents write functional code, but they keep shipping the same classic vulnerabilities — SQL injection, XSS, IDOR, hardcoded secrets, missing auth on Server Actions, public S3 buckets, pull_request_target with checkout-of-fork-code. The bugs that have headlined CVEs for fifteen years.

BridgeSecurity fixes this. It's a set of detection patterns, vulnerability taxonomies, threat-modeling discipline, and a specialized auditor agent that teach your AI teammates to think like a senior security engineer — find the trust boundary, match input to sink, check auth on every state-changing path, treat every secret as already leaked, fail closed.

The Bugs It Catches

• Injection — SQLi, NoSQLi, command, code, template, XSS, LDAP, XPath
• Broken Access Control — IDOR, BOLA, BOPLA, missing auth, mass assignment, Server Action authz gaps, x-middleware-subrequest bypass class
• Cryptographic Failures — MD5/SHA1, Math.random() for tokens, ECB mode, hardcoded keys, JWT alg: none, HS256/RS256 confusion, === for HMAC compare
• SSRF — including private-IP / cloud-metadata / file:// / TOCTOU
• Path Traversal — path.join without prefix-check, send_file with raw input
• Insecure Deserialization — pickle.loads, yaml.load, ObjectInputStream, vm2
• Hardcoded Secrets — AWS, GitHub, Stripe, OpenAI, Anthropic, Slack, JWTs, private keys (25+ patterns)
• Cloud Misconfig — public S3, IAM *:*, 0.0.0.0/0:22, IMDSv1, missing encryption
• Container / k8s — privileged: true, runAsUser: 0, hostNetwork, /var/run/docker.sock mount, image:latest
• CI/CD — pull_request_target + checkout-fork-code, mutable Action tags (CVE-2025-30066 class), shell-injection via PR title
• Auth flaws — JWT in localStorage, no MFA, missing rate limit on login, predictable reset tokens
• Open Redirect — //evil.com bypass class
• Markdown exfil — image URLs constructed from secrets (EchoLeak class)
• LLM-specific — output-to-eval, excessive agency, secrets in system prompt

---

What's Inside

Component	Type	What It Does
bridgesecurity	Skill	Core security discipline — auto-loaded when your agent reads, writes, or reviews code. Five Disciplines, threat-model checklist, detection cheat-sheet.
security-audit	Skill	Slash-command audit. Scans a file/dir/PR/repo for vulnerabilities, returns severity-ranked report with CWE/OWASP mapping.
security-auditor	Agent	Read-only senior security engineer subagent. Cannot write, edit, or delete. Walks every file with the OWASP Top 10 + CWE Top 25 + threat model.

Reference Documentation

The skill ships with eight deep reference docs (~50 pages of practitioner-grade content):

• vulnerability-taxonomies.md — OWASP Top 10 (2021), API Top 10 (2023), Mobile Top 10 (2024), LLM Top 10 (2025), CWE Top 25 (2024), CISA KEV recurring classes, DBIR top vectors
• language-patterns.md — JS/TS, Python, Go, Rust, Java/Spring, Ruby/Rails, PHP — vulnerable + fixed code pairs, per-ORM SQLi reference
• frontend-patterns.md — React, Next.js (Server Actions, middleware, hydration), Vue, Svelte, browser specifics
• infrastructure-patterns.md — AWS, GCP, Azure, Docker, Kubernetes, Terraform, GitHub Actions, GitLab CI
• secrets-patterns.md — regex catalog for 25+ secret types
• case-studies.md — Log4Shell, Spring4Shell, MOVEit, XZ backdoor, Polyfill.io, Snowflake, Ivanti, regreSSHion, Next.js CVE-2025-29927, tj-actions supply chain, recent agent CVEs
• tooling.md — Semgrep, CodeQL, Snyk, Trivy, Gitleaks, OSV, govulncheck, Brakeman, Checkov, kube-bench, MobSF
• threat-modeling.md — the full 10-question discipline

---

Install

As a Claude Code plugin

claude plugin install bridgesecurity@bridgemind-plugins

Or copy the skills manually

# Project-level
mkdir -p .claude/skills .claude/agents
cp -r skills/bridgesecurity .claude/skills/
cp -r skills/security-audit .claude/skills/
cp agents/security-auditor.md .claude/agents/