Skills · Mar 29, 2026 · 2 min read

Claude Code Agent: Security Auditor — OWASP & Dependency Scan

Claude Code agent that audits your codebase for OWASP top 10 vulnerabilities, dependency issues, and security anti-patterns.

TL;DR
A Claude Code agent that scans your codebase for OWASP top 10 issues, CVEs, leaked secrets, and security anti-patterns.
§01

What it is

This is a security-focused Claude Code agent that audits your codebase for vulnerabilities. It checks for OWASP top 10 issues, scans dependencies for known CVEs, detects leaked secrets, and verifies compliance with security best practices. The agent is part of the Claude Code Templates collection.

It is designed for developers, security engineers, and DevOps teams who want automated security reviews before deployments or on a regular schedule. The agent uses Claude Code's file exploration tools to scan source code, configuration files, and dependency manifests.

§02

How it saves time or tokens

Manual security audits require expertise across multiple domains: injection attacks, authentication flaws, cryptographic misuse, and dependency management. This agent consolidates those checks into a single automated pass.

Running the agent before each deployment catches issues early, when they are cheap to fix. A SQL injection found during code review costs minutes to fix. The same vulnerability found in production costs incident response time, potential data exposure, and customer trust.

§03

How to use

  1. Install the security auditor agent:
     npx claude-code-templates@latest --agent security/security-auditor --yes
  2. The agent activates automatically when Claude Code detects security-related tasks. You can also invoke it directly by asking for a security audit.
  3. Point it at specific directories or ask for a full codebase scan:
     Run a security audit on the src/api/ directory.
     Focus on authentication and input validation.
§04

Example

Asking the agent to check for common vulnerabilities:

Audit this Express.js API for OWASP top 10 issues.
Check package.json dependencies for known CVEs.
Look for hardcoded secrets in .env files and config/.

The agent produces a structured report:

§05

Security Audit Results

Critical

  • SQL injection in src/api/users.js:42 - raw user input in query
  • Hardcoded API key in config/payment.js:15

High

  • express-session using default cookie settings (no secure flag)
  • jsonwebtoken@8.5.1 has known CVE-2022-23529

Medium

  • CORS configured with wildcard origin
  • No rate limiting on /api/auth/login endpoint
§07

Common pitfalls

  • The agent checks source code patterns but does not run dynamic analysis. It cannot detect vulnerabilities that only show up at runtime, such as an SSRF whose reachability depends on network configuration.
  • Dependency scanning relies on manifest files (package.json, requirements.txt, go.mod). If dependencies are vendored without manifests, the agent may miss them.
  • False positives are possible. The agent flags patterns that look like vulnerabilities but may be intentional (e.g., a test file with a hardcoded token for unit tests). Review findings before acting.
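As an added example (not the agent's own code, nor the Claude Code Templates project's), here is a small JavaScript static checker that reproduces the kinds of findings in the report above on a constructed sample project, and downgrades rather than drops a hardcoded token in a test file, the false positive described in the pitfalls list. The rule patterns, severities and sample files are assumptions; the one fact taken from outside the page is that CVE-2022-23529 is fixed in jsonwebtoken 9.0.0.

```javascript
// Added illustration, not the agent's own code: a small static checker that
// reproduces the kinds of findings in the report above. Rule patterns,
// severities and the constructed sample project below are assumptions.
const RULES = [
  { id: "sql-injection", severity: "Critical",    // request input concatenated or interpolated into a query call
    re: /(query|execute)\s*\(\s*(`[^`]*\$\{\s*req\.|["'][^"']*["']\s*\+\s*req\.)/ },
  { id: "hardcoded-secret", severity: "Critical", // long string literal assigned to a key/secret/password name
    re: /(api[_-]?key|secret|password)\s*[:=]\s*["'][A-Za-z0-9_\-]{16,}["']/i },
  { id: "cors-wildcard", severity: "Medium", re: /cors\(\s*\{[^}]*origin\s*:\s*["']\*["']/ },
];
function auditSource(path, text) {
  const findings = [];
  const isTest = /(^|\/)(test|tests|__tests__|spec)\//.test(path) || /\.(test|spec)\.js$/.test(path);
  text.split("\n").forEach((line, i) => {
    for (const rule of RULES) {
      if (!rule.re.test(line)) continue;
      // a hardcoded value in a test file is a likely false positive: downgrade it, do not drop it
      const severity = isTest && rule.id === "hardcoded-secret" ? "Info" : rule.severity;
      findings.push({ rule: rule.id, severity, location: `${path}:${i + 1}` });
    }
  });
  // express-session without cookie.secure is a whole-file check, not a single-line match
  if (/session\(\s*\{/.test(text) && !/secure\s*:\s*true/.test(text)) {
    findings.push({ rule: "session-cookie-insecure", severity: "High", location: path });
  }
  return findings;
}
// Manifest check: jsonwebtoken below 9.0.0 is affected by CVE-2022-23529 (the CVE named in the report).
function auditManifest(pkg) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const spec = deps.jsonwebtoken;
  if (!spec) return [];
  const major = Number(spec.replace(/^[\^~]/, "").split(".")[0]); // "^8.5.1" -> 8
  return major < 9 ? [{ rule: "CVE-2022-23529", severity: "High", location: `jsonwebtoken@${spec} (fix: >=9.0.0)` }] : [];
}
// Constructed sample project standing in for the Express.js API in the example.
const SAMPLE_FILES = {
  "src/api/users.js": 'const rows = db.query("SELECT * FROM users WHERE id = " + req.params.id);',
  "config/payment.js": 'const API_KEY = "sk_live_0123456789abcdef0123";',
  "src/app.js": 'app.use(cors({ origin: "*" }));\napp.use(session({ secret: process.env.SESSION_SECRET }));',
  "test/auth.test.js": 'const JWT_SECRET = "unit_test_secret_not_real_0001";',
};
const SAMPLE_PKG = { dependencies: { express: "^4.18.2", jsonwebtoken: "^8.5.1" } };
// Runs every rule over the sample project and returns the combined findings.
function runAudit(files = SAMPLE_FILES, pkg = SAMPLE_PKG) {
  const findings = Object.entries(files).flatMap(([p, t]) => auditSource(p, t));
  return findings.concat(auditManifest(pkg));
}
```

On the sample project `runAudit()` returns six findings, two of them Critical, with the test-file token reported as Info.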

Frequently Asked Questions

What OWASP categories does the agent check?

The agent checks for all OWASP top 10 categories including injection, broken authentication, sensitive data exposure, XML external entities, broken access control, security misconfiguration, cross-site scripting, insecure deserialization, using components with known vulnerabilities, and insufficient logging.

Does it scan dependencies for CVEs?

Yes. The agent reads dependency manifests (package.json, requirements.txt, go.mod, Cargo.toml) and checks for packages with known CVEs. It flags the specific vulnerability and suggests the minimum version that includes the fix.

Can it detect leaked secrets?

Yes. The agent scans for patterns that match API keys, database credentials, JWT secrets, and other sensitive values in source code and configuration files. It checks both hardcoded values and environment variable misuse.

How often should I run the security auditor?

Run it before each deployment and after adding new dependencies. For high-security applications, schedule it as part of your CI pipeline. The agent is designed for repeated runs, producing consistent reports that can be diffed over time.

Does it replace tools like Snyk or Dependabot?

It complements them. Snyk and Dependabot focus on dependency vulnerabilities with CVE databases. This agent adds source code analysis for OWASP issues, secret detection, and security anti-patterns that dependency scanners do not cover.


Source & Thanks

Created by Claude Code Templates by davila7. Licensed under MIT. Install: npx claude-code-templates@latest --agent security/security-auditor --yes
