Analyze code changes for security vulnerabilities using LLM reasoning and threat model patterns. Use for PR reviews, pre-commit checks, or branch comparisons. Triggers on /flux:security-scan.
From fluxnpx claudepluginhub nairon-ai/flux --plugin fluxThis skill uses the workspace's default tool permissions.
Executes pre-written implementation plans: critically reviews, follows bite-sized steps exactly, runs verifications, tracks progress with checkpoints, uses git worktrees, stops on blockers.
Guides idea refinement into designs: explores context, asks questions one-by-one, proposes approaches, presents sections for approval, writes/review specs before coding.
Dispatches parallel agents to independently tackle 2+ tasks like separate test failures or subsystems without shared state or dependencies.
Analyze code changes (commits, PRs, diffs) using LLM-powered reasoning to detect security vulnerabilities. This skill reads code directly and applies patterns from the repository's threat model to identify issues across all STRIDE categories.
Adapted from Factory AI security-engineer plugin.
On entry, set the session phase:
PLUGIN_ROOT="${DROID_PLUGIN_ROOT:-${CLAUDE_PLUGIN_ROOT:-$(git rev-parse --show-toplevel 2>/dev/null || pwd)}}"
[ ! -d "$PLUGIN_ROOT/scripts" ] && PLUGIN_ROOT=$(ls -td ~/.claude/plugins/cache/nairon-flux/flux/*/ 2>/dev/null | head -1)
FLUXCTL="${PLUGIN_ROOT}/scripts/fluxctl"
$FLUXCTL session-phase set security_scan
On completion, reset:
$FLUXCTL session-phase set idle
This skill requires:
.flux/threat-model.md must exist.flux/security-config.json for severity thresholdsIMPORTANT: If these files don't exist, you MUST generate them first using the flux-threat-model skill before proceeding with the security scan.
The skill determines what to scan from the user's request:
| Scan Type | How to Specify | Example |
|---|---|---|
| PR | "Scan PR #123" | Scan PR #456 for security vulnerabilities |
| Commit range | "Scan commits X..Y" | Scan commits abc123..def456 |
| Single commit | "Scan commit X" | Scan commit abc123 |
| Staged changes | "Scan staged changes" | Scan my staged changes for security issues |
| Uncommitted | "Scan uncommitted changes" | Scan working directory changes |
| Branch comparison | "Scan from X to Y" | Scan changes from main to feature-branch |
| Last N commits | "Scan last N commits" | Scan the last 3 commits |
If no scope is specified, defaults to scanning staged changes.
Follow these steps in order:
Try to read these files:
.flux/threat-model.md.flux/security-config.jsonIf either file is missing or cannot be read:
flux-threat-model skill to analyze the repository and create both filesBased on the user's request, get the list of changed files and their diffs using git:
gh pr diffgit diff or git showgit diff --cachedRead the full content of each changed file for context.
Read .flux/threat-model.md and .flux/security-config.json to understand:
For each changed file, systematically check for STRIDE threats:
eval(), exec()For each potential vulnerability:
Create .flux/security/security-findings.json with findings. Present summary to user with:
Common CWE mappings for findings:
| Vulnerability Type | CWE |
|---|---|
| SQL Injection | CWE-89 |
| Command Injection | CWE-78 |
| XSS (Reflected/Stored) | CWE-79 |
| Path Traversal | CWE-22 |
| IDOR | CWE-639 |
| Missing Authentication | CWE-306 |
| Missing Authorization | CWE-862 |
| Hardcoded Credentials | CWE-798 |
| Sensitive Data Exposure | CWE-200 |
| Mass Assignment | CWE-915 |