Audit codebases, PRs, staged changes, and dependencies for OWASP Top 10, CWE vulnerabilities, secrets, and CVEs; scan containers and supply chains; model threats with STRIDE/DREAD; implement secure auth patterns, crypto, zero-trust, and DevSecOps workflows.
```bash
npx claudepluginhub melodic-software/claude-code-plugins --plugin security
```

PROACTIVELY use when reviewing dependencies, before releases, or during security audits. Checks dependencies for known CVEs, outdated packages, and supply chain risks. Analyzes package manifests and provides remediation guidance.
PROACTIVELY use before commits, during code reviews, or for security audits. Scans codebase for hardcoded secrets, API keys, credentials, tokens, and sensitive data patterns. Fast pattern-matching agent for detecting exposed secrets.
PROACTIVELY use for security-focused code review. Analyzes code for OWASP Top 10 vulnerabilities, CWE weaknesses, insecure patterns, authentication/authorization flaws, injection vulnerabilities, and security anti-patterns. Use when reviewing code changes, conducting security assessments, or before releases.
PROACTIVELY use when designing new features, reviewing architecture, or conducting security design reviews. Applies STRIDE methodology, identifies attack vectors, builds attack trees, and recommends security controls. Use for architectural threat analysis and security design documentation.
AI governance and compliance guidance covering EU AI Act risk classification, NIST AI RMF, responsible AI principles, AI ethics review, and regulatory compliance for AI systems.
Comprehensive API security guidance covering authentication methods, rate limiting, input validation, CORS, security headers, and protection against OWASP API Top 10 vulnerabilities. Use when designing API authentication, implementing rate limiting, configuring CORS, setting security headers, or reviewing API security.
Run security audit on code for OWASP Top 10, CWE vulnerabilities, and security anti-patterns
Comprehensive authentication implementation guidance including JWT best practices, OAuth 2.0/OIDC flows, Passkeys/FIDO2/WebAuthn, MFA patterns, and secure session management. Use when implementing login systems, token-based auth, SSO, passwordless authentication, or reviewing authentication security.
Comprehensive authorization guidance covering RBAC, ABAC, ACL, ReBAC, and policy-as-code patterns. Use when designing permission systems, implementing access control, or choosing authorization strategies.
Check dependencies for known CVEs and security vulnerabilities
Container and Kubernetes security patterns including Docker hardening, image scanning, pod security standards, network policies, RBAC, secrets management, and runtime protection. Use when securing containerized applications, building secure images, or configuring Kubernetes security controls.
Comprehensive cryptography guidance covering encryption algorithms, password hashing, TLS configuration, key management, and post-quantum considerations. Use when implementing encryption, choosing hashing algorithms, configuring TLS/SSL, managing cryptographic keys, or reviewing cryptographic implementations.
DevSecOps methodology guidance covering shift-left security, SAST/DAST/IAST integration, security gates in CI/CD pipelines, vulnerability management workflows, and security champions programs.
Comprehensive security review combining code audit, secrets scan, and dependency check
Scan codebase for hardcoded secrets, API keys, credentials, and sensitive data
Comprehensive guidance for secure secrets management including storage solutions (Vault, AWS Secrets Manager, Azure Key Vault), environment variables, secret rotation, scanning tools, and CI/CD pipeline security. Use when implementing secrets storage, configuring secret rotation, preventing secret leaks, or reviewing credentials handling.
Provides guidance on secure coding practices including OWASP Top 10 2025, CWE Top 25, input validation, output encoding, and language-specific security patterns. Use when reviewing code for security vulnerabilities, implementing security controls, or learning secure development practices.
Software supply chain security guidance covering SBOM generation, SLSA framework, dependency scanning, SCA tools, and protection against supply chain attacks like dependency confusion and typosquatting.
Threat modeling methodologies (STRIDE, DREAD), attack trees, threat modeling as code, and integration with SDLC for proactive security design
Vulnerability lifecycle management including CVE tracking, CVSS scoring, risk prioritization, remediation workflows, and coordinated disclosure practices
Zero Trust architecture principles including ZTNA, micro-segmentation, identity-first security, continuous verification, and BeyondCorp patterns. Use when designing network security, implementing identity-based access, or building cloud-native applications with zero trust principles.
Uses power tools (Bash, Write, or Edit).
Audit and harden your software supply chain: packages, containers, GitHub Actions, IaC, AI/ML models, and IDE extensions. Action commands fix issues directly; walkthrough commands guide you through advanced setup.
Editorial "Security Engineer" bundle for Claude Code from Antigravity Awesome Skills.
Security best practices advisor with vulnerability detection and fixes
Implements automated security scanning for dependencies, code, and containers using tools like Trivy, Snyk, and npm audit. Use when setting up CI/CD security gates, conducting pre-deployment audits, or meeting compliance requirements.
Professional security tools for Claude Code: vulnerability scanning, compliance, cryptography audit, container & API security
AI-powered cybersecurity code review with 8 specialist agents, OWASP Top 10:2021, CWE Top 25:2024, MITRE ATT&CK v15, and framework-aware false-positive suppression
Plugins for Claude Code: documentation management, code quality, and ecosystem support.
fnm (Fast Node Manager) is the recommended Node.js version manager for this project.
Install fnm:

```powershell
# Windows (PowerShell as Admin)
winget install Schniz.fnm
```

```bash
# macOS/Linux
curl -fsSL https://fnm.vercel.app/install | bash
```
Configure for Git Bash (add to `~/.bashrc`):

```bash
eval "$(fnm env --use-on-cd --shell bash)"
```
Or source the setup script, which includes fnm initialization:

```bash
source "/path/to/claude-code-plugins/setup/bashrc-claude.sh"
```
Install Node and the project dependencies:

```bash
fnm install 24
fnm default 24
npm install
```

Run the markdown linter:

```bash
npm run lint:md      # Check for errors
npm run lint:md:fix  # Auto-fix errors
```
Markdown linting runs automatically on PRs via GitHub Actions. The same rules apply locally and in CI.
```text
/plugin install claude-ecosystem@claude-code-plugins
/plugin install code-quality@claude-code-plugins
/plugin install google-ecosystem@claude-code-plugins
```
This repo expects Codex CLI configuration to live in user scope under `~/.codex`. See `.codex/README.md` for the canonical locations.
| Plugin | Purpose |
|---|---|
| atlassian | Atlassian MCP server: Jira, Confluence, Compass integration |
| browser-automation | Browser automation MCP servers: Chrome DevTools, Playwright |
| business-analysis | BABOK techniques: capability mapping, stakeholder analysis, value streams, journey mapping |
| ci-cd | CI/CD pipelines: GitHub Actions, deployment automation, release management |
| claude-code-observability | Event logging, metrics, session diagnostics |
| claude-ecosystem | Claude Code docs, meta-skills, hooks, observability, auditors |
| code-quality | Code review, markdown linting, debugging, CI/CD templates |
| compliance-planning | Regulatory compliance: GDPR, HIPAA, PCI-DSS, AI governance, ISO 27001 |
| content-management-system | Headless CMS architecture: content modeling, taxonomies, media, theming |
| cursor-ecosystem | Cursor IDE docs, CLI, agent, keyword-based search |
| documentation-standards | Technical docs: arc42, C4 model, ADRs, RFC process, docs-as-code |
| dotnet | .NET 10+ automation: build, clean, SDK/tool install, version upgrades, Aspire MCP |
| duende-ecosystem | Duende IdentityServer, BFF, IdentityModel docs |
| enterprise-architecture | TOGAF, Zachman, ADRs, cloud alignment |
| event-modeling | Event-driven design: Event Modeling, Event Storming, CQRS, sagas |
| figma | Figma MCP server: design context, code generation, design tokens |
| formal-specification | Formal methods: UML/SysML, TLA+, OpenAPI/AsyncAPI, state machines |
| git | Git config, GPG signing, hooks, GitHub issues, history exploration |
| google-ecosystem | Gemini CLI docs, Claude-to-Gemini integration, configuration management |
| melodic-software | Developer onboarding, environment setup, commit workflows |
| microsoft | Microsoft MCP servers: Microsoft Learn, Azure, NuGet, Azure DevOps |
| milan-jovanovic | Milan Jovanovic .NET patterns: Clean Architecture, DDD, CQRS, EF Core |
| openai-ecosystem | OpenAI Codex CLI docs |
| requirements-elicitation | Requirements gathering: LLMREI interviews, gap analysis, prioritization |
| research | Research workflows: MCP integration, multi-source synthesis, structured output |
| response-quality | Response quality standards, source citations |
| security | Security: OWASP, authentication, cryptography, DevSecOps, threat modeling, 12 skills |
| soft-skills | Career progression, interviews, communication, professional visibility |