By trailofbits
Run CodeQL and Semgrep to scan multi-language codebases (Python, JavaScript/TS, Go, Java, C#, Ruby, Rust) for security vulnerabilities via taint tracking and pattern matching. Parse, deduplicate, and aggregate SARIF outputs from scans, then integrate findings into CI/CD pipelines using GitHub Actions or bash scripts.
npx claudepluginhub trailofbits/skills --plugin static-analysisScans a codebase for security vulnerabilities using CodeQL's interprocedural data flow and taint tracking analysis. Triggers on "run codeql", "codeql scan", "codeql analysis", "build codeql database", or "find vulnerabilities with codeql". Supports "run all" (security-and-quality + security-experimental suites) and "important only" (high-precision security findings) scan modes. Also handles creating data extension models and processing CodeQL SARIF output.
Parses and processes SARIF files from static analysis tools like CodeQL, Semgrep, or other scanners. Triggers on "parse sarif", "read scan results", "aggregate findings", "deduplicate alerts", or "process sarif output". Handles filtering, deduplication, format conversion, and CI/CD integration of SARIF data. Does NOT run scans — use the Semgrep or CodeQL skills for that.
Run Semgrep static analysis scan on a codebase using parallel subagents. Supports two scan modes — "run all" (full ruleset coverage) and "important only" (high-confidence security vulnerabilities). Automatically detects and uses Semgrep Pro for cross-file taint analysis when available. Use when asked to scan code for vulnerabilities, run a security audit with Semgrep, find bugs, or perform static analysis. Spawns parallel workers for multi-language codebases.
Uses power tools
Uses Bash, Write, or Edit tools
Share bugs, ideas, or general feedback.
AI-powered whitebox penetration testing plugin for Claude Code. 9 languages, 27 skills, 8 autonomous agents. STRIDE threat modeling, hotspot-aware findings, SARIF output, and polyglot monorepo support.
Open-source cybersecurity analysis agent. Scans any local project for vulnerabilities: code security (SAST), dependency CVEs (SCA), secret leaks, authentication/authorization flaws, cryptographic weaknesses, misconfigurations, supply chain risks, and CI/CD security. Covers all OWASP 2025 Top 10 and CWE Top 25 categories. Generates prioritized reports with remediation guidance. Invoke with /cyber-neo [path].
Automated security vulnerability testing covering OWASP Top 10, SQL injection, XSS, CSRF, and authentication issues
The most comprehensive Claude Code plugin — 48 agents, 182 skills, 68 legacy command shims, selective install profiles, and production-ready hooks for TDD, security scanning, code review, and continuous learning
Binary reverse engineering, malware analysis, firmware security, and software protection research for authorized security research, CTF competitions, and defensive security