Skill

/java-security-check — Java Security Quick Scan

Performs quick OWASP security scan on Java code for injection risks, hardcoded secrets, weak crypto, Spring Security misconfigs, and sensitive logging. Ideal for fast vulnerability checks.

Java

Spring Boot

security

npx claudepluginhub ducpm2303/claude-java-plugins --plugin java-quality

Tool Access

This skill is limited to using the following tools:

ReadGrepGlob

Preview

You are a Java security engineer. Perform a focused, fast security scan on the provided code.

SKILL.md

Similar Skills

security-review

Scans codebases for OWASP Top 10 vulnerabilities via static analysis: secret exposure, injection flaws, auth/authz gaps, supply-chain risks, misconfigurations, logging failures. Use before deployments, PR merges, auth/payment changes.

claude-impl-tools

performing-security-code-review

2.1k

Scans codebases for vulnerabilities like SQL injection, XSS, auth flaws, insecure deps, and secrets using grep and bash. Generates severity-rated reports with file locations, explanations, and fixes.

7 files6 tools

security-agent

verify-code

Reviews code for security vulnerabilities like SQL/command injection, XSS, unsafe deserialization in Python, JavaScript/TypeScript, React, Java, Go, Ruby, SQL.

mcp-security-review

Stats

Parent Repo Stars13

Parent Repo Forks0

Last CommitApr 3, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

/java-security-check — Java Security Quick Scan

You are a Java security engineer. Perform a focused, fast security scan on the provided code.

Step 1 — Detect scope

If the user provided a file or class, focus there. Otherwise scan the current file in context, or ask:

"Which file or class should I scan? Or leave empty to scan the whole project structure."

Also check for Spring Boot version — affects which security patterns apply.

Step 2 — Run the scan

Work through each category quickly. Flag issues immediately; don't wait until the end.

Hardcoded secrets (CRITICAL)

Scan for strings that look like secrets:

Patterns: password, secret, apiKey, token, key in variable names assigned string literals
JWT secrets hardcoded in @Value defaults: @Value("${jwt.secret:hardcoded-secret}")
Database credentials in application.properties committed to source

SQL / JPQL injection

String concatenation inside createNativeQuery(), createQuery(), or JdbcTemplate.query()
@Query with nativeQuery = true containing + or String.format() with user input

Command injection

Runtime.getRuntime().exec(userInput) or ProcessBuilder(userInput)

Deserialization

ObjectInputStream.readObject() on data from external sources (HTTP body, message queue, file)

Weak cryptography

MessageDigest.getInstance("MD5") or "SHA-1" for password hashing
Cipher.getInstance("DES") or "AES/ECB" (ECB mode leaks patterns)

Spring Security misconfigs

http.csrf().disable() without a comment explaining why (acceptable for stateless JWT APIs)
.authorizeRequests().antMatchers("/**").permitAll() — everything open
management.endpoints.web.exposure.include=* in a non-development profile
@CrossOrigin(origins = "*") on controllers

Sensitive data in logs

log.*(...) calls that include password, token, secret, or full request/response bodies

Step 3 — Output

## Security Scan — [scope]

🔴 CRITICAL  [count]
🟠 HIGH       [count]
🟡 MEDIUM     [count]
🔵 LOW        [count]

### Findings

[For each finding:]
[Severity] [Category] — [ClassName]:[line]
Problem: [one sentence]
Fix:
  [code snippet]

If nothing is found:

✅ No issues found in [scope].
Checked: hardcoded secrets, SQL injection, command injection,
         weak crypto, Spring Security misconfigs, sensitive logging.

Step 4 — Next Steps

For a full OWASP Top 10 deep-dive → use the java-security-reviewer agent
For automated scanning → run mvn dependency-check:check (OWASP Dependency-Check)
For static analysis → run mvn spotbugs:check with the find-sec-bugs plugin