Skill

security-testing

Security testing: Snyk/Trivy in GitHub Actions for dependency scanning, Semgrep SAST, SQL injection test cases, XSS prevention testing, Gitleaks for secrets scanning, OWASP ZAP for DAST, security headers validation. Use when reviewing security posture, setting up security scanning in CI, writing security test cases.

Install

npx claudepluginhub rnavarych/alpha-engineer --plugin billy-milligan

Tool Access

This skill is limited to using the following tools:

ReadGrepGlob

Preview

- Setting up security scanning in CI/CD pipeline

Supporting Assets

references/dependency-scanning.mdreferences/owasp-zap-patterns.mdreferences/sast-dast-patterns.md

SKILL.md

Similar Skills

agent-eval

Compares coding agents like Claude Code and Aider on custom YAML-defined codebase tasks using git worktrees, measuring pass rate, cost, time, and consistency.

everything-claude-code

156.2k

agent-harness-construction

Designs and optimizes AI agent action spaces, tool definitions, observation formats, error recovery, and context for higher task completion rates.

everything-claude-code

156.2k

accessibility

Designs, implements, and audits WCAG 2.2 AA accessible UIs for Web (ARIA/HTML5), iOS (SwiftUI traits), and Android (Compose semantics). Audits code for compliance gaps.

everything-claude-code

156.2k

Stats

Parent Repo Stars9

Parent Repo Forks0

Last CommitFeb 23, 2026

Actions

View Source View Plugin View on GitHub View README

security-testing

Core principles

Shift security left — scan in CI, not after breach

Defense in depth — scanner + code review + runtime WAF

Test what you own — focus on OWASP Top 10 for your attack surface

Fail the pipeline on CRITICAL/HIGH — non-negotiable for production

No secrets in code — ever. Not even in private repos.

References available

references/dependency-scanning.md — Snyk + Trivy GitHub Actions, severity thresholds, SARIF upload

references/semgrep-sast.md — Semgrep CI config, p/owasp-top-ten ruleset, p/nodejs + p/typescript

references/secrets-scanning.md — Gitleaks full-history scan, custom .gitleaks.toml allowlist rules

references/injection-test-cases.md — SQL injection payloads, response assertions, no-500 rule

references/xss-test-cases.md — XSS payload list, stored XSS verification, content escaping checks

references/security-headers.md — required headers test, version exposure checks, CSP validation

Security Testing

When to use

Setting up security scanning in CI/CD pipeline
Writing security test cases for OWASP Top 10
Reviewing code for common vulnerabilities
Dependency vulnerability management
Secrets scanning and prevention

Core principles

Shift security left — scan in CI, not after breach
Defense in depth — scanner + code review + runtime WAF
Test what you own — focus on OWASP Top 10 for your attack surface
Fail the pipeline on CRITICAL/HIGH — non-negotiable for production
No secrets in code — ever. Not even in private repos.

References available

references/dependency-scanning.md — Snyk + Trivy GitHub Actions, severity thresholds, SARIF upload
references/semgrep-sast.md — Semgrep CI config, p/owasp-top-ten ruleset, p/nodejs + p/typescript
references/secrets-scanning.md — Gitleaks full-history scan, custom .gitleaks.toml allowlist rules
references/injection-test-cases.md — SQL injection payloads, response assertions, no-500 rule
references/xss-test-cases.md — XSS payload list, stored XSS verification, content escaping checks
references/security-headers.md — required headers test, version exposure checks, CSP validation