-
Notifications
You must be signed in to change notification settings - Fork 0
Home
RORO edited this page Jul 2, 2026
·
2 revisions
A vulnerability harness for Claude Code. It is a set of security skills plus a Dockerized static-analysis backend that turn the agent into a security auditor.
-
security-auditskill runs a fleet of parallel sub-agents through a six-phase pipeline (recon, hunting, validation, reporting, structured output, independent verification) to find exploitable vulnerabilities with real impact. It is a from-scratch rebuild of Cloudflare's Build your own vulnerability harness and security-audit-skill, mapped onto Claude Code's own primitives. -
joernskill drives Joern and its Code Property Graph for structural and data-flow queries (CPGQL): taint tracking, source-to-sink reachability, and the queries.joern.io patterns. -
joern-gatewayis a standalone Joern server plus a Python WebSocket gateway, running in Docker, that thejoernskill talks to through thejoernctlCLI.

-
Recon: parallel
Exploreagents map architecture, trust boundaries, and input surfaces. -
Hunt: parallel
general-purposeagents attack by class and can spawn their own sub-agents. - Validate: separate agents try to disprove each finding. The validator is never the finder.
-
Report: writes
REPORT.mdandFINDINGS-DETAIL.md. -
Structured output: writes
findings.json, checked byvalidate-findings.cjs. - Independent verification: fresh agents recheck every claim against source.

The agent runs joernctl on the host. It talks HTTP to gateway.py in the container, which drives a standalone Joern server over its WebSocket protocol. Only the gateway port (127.0.0.1:8099) is exposed. Joern stays inside the container.
cd joern-gateway
docker compose up -d --build
./joernctl health
./joernctl import /work/target
./joernctl query 'cpg.call.name("system").reachableByFlows(cpg.parameter).p'- Only report what you can exploit. Every finding needs a concrete attack scenario.
- Adversarial validation. The agent that checks a finding is never the agent that found it.
- Severity requires impact. Likelihood and impact combined, not deviation from a checklist.
- Defense-in-depth gaps are not vulnerabilities. They are hardening notes.
- Multiple runs improve coverage.