Security Analyzer
Analyze environments for vulnerabilities, fetch current CVE/exploit data, and generate phased remediation plans with TDD validation.
Quick Start
When the user requests a security scan:
- Run environment discovery:
python .claude/skills/security-analyzer/scripts/discover_env.py . - Save output to
inventory.json - Run vulnerability scan:
python .claude/skills/security-analyzer/scripts/fetch_vulns.py inventory.json - Save output to
scan_results.json - Generate reports:
python .claude/skills/security-analyzer/scripts/generate_report.py scan_results.json inventory.json
Workflow
Phase 1: Environment Discovery
Scan working directory for:
- Dependencies:
package.json,requirements.txt,Gemfile,go.mod,Cargo.toml,pom.xml - Containers:
Dockerfile,docker-compose.yml,kubernetes/*.yaml - Cloud IaC:
terraform/*.tf,cloudformation/*.yaml,*.bicep - Secrets:
.env*files (flag exposure risk, never log values)
Run the discovery script:
bash1python .claude/skills/security-analyzer/scripts/discover_env.py /path/to/project > inventory.json
Phase 2: Vulnerability Intelligence
Fetch current threat data using the vulnerability scanner:
bash1python .claude/skills/security-analyzer/scripts/fetch_vulns.py inventory.json > scan_results.json
| Source | Priority | Use For |
|---|---|---|
| CISA KEV | 1 | Actively exploited vulns (use WebSearch) |
| NVD | 2 | CVE details + CVSS scores (use WebSearch) |
| GitHub Advisories | 3 | Package-specific vulns (use WebSearch) |
| OSV.dev | 4 | Open source vulns (API in script) |
For CISA KEV and additional context, supplement with:
WebSearch: "CVE-XXXX-YYYY CISA KEV exploit"
Phase 3: Risk Scoring
The scanner calculates risk scores using:
Risk = (CVSS * 0.3) + (Exploitability * 0.3) + (Criticality * 0.2) + (Exposure * 0.2)
Exploitability: 10=CISA KEV, 7=public exploit, 3=theoretical
Criticality: 10=auth/payment, 5=core business, 2=logging
Exposure: 10=internet-facing, 5=internal, 2=air-gapped
Phase 4: Phased Remediation
Generate reports with fix commands and validation tests:
bash1python .claude/skills/security-analyzer/scripts/generate_report.py scan_results.json inventory.json
Each finding includes:
- Vulnerability details + risk score
- Actual fix code/patch (not just recommendations)
- Pre-fix test (proves vuln exists)
- Remediation unit tests (tests the fix code)
- Post-fix validation (proves vuln resolved)
Phase 5: Reports
Output two reports:
security-report-technical.md— Full details for engineerssecurity-report-executive.md— Summary for leadership
See references/report-templates.md for output structure.
TDD Pattern
For each vulnerability, generate three test types:
python1def test_vuln_exists(): 2 """PASS before fix, FAIL after""" 3 assert is_vulnerable("component") == True 4 5def test_fix_works(): 6 """Unit test for remediation code""" 7 result = apply_fix(vulnerable_config) 8 assert result.is_secure() 9 10def test_vuln_resolved(): 11 """FAIL before fix, PASS after""" 12 assert is_vulnerable("component") == False
Fix Types by Finding
| Finding | Output |
|---|---|
| Dependency CVE | Version bump command + lockfile update |
| Container issue | Dockerfile patch |
| IaC misconfiguration | Terraform/K8s fix |
| Code vulnerability | Source patch + test |
| Secret exposure | Rotation commands + .gitignore update |
Example Interaction
User: "Run a security scan on this project"
Claude:
- Discovers 47 npm dependencies, 3 Dockerfiles, 2 Terraform configs
- Fetches current CVE data from OSV.dev
- Identifies 12 vulnerabilities (2 critical, 4 high, 6 medium)
- Generates phased remediation plan with:
- Actual fix commands (
npm install lodash@4.17.21) - Code patches for IaC misconfigurations
- TDD tests proving each fix works
- Actual fix commands (
- Outputs technical and executive reports
