Skip to content

v0.1.0 — first public release

Choose a tag to compare

@give-jd give-jd released this 09 Jul 21:26
64bad2c

First public release. 🎉

deep-security-check is a defensive, read-only security assessment skill for Claude Code: point it at a local project and get a report with a reproducible reliability grade (0–100, A–F) — the number comes from a deterministic rubric (score.py), not model opinion.

What's inside

  • SAST — Semgrep (p/default ruleset)
  • SCA — osv-scanner (dependency CVEs via OSV.dev)
  • Secrets — gitleaks
  • Dynamic-test surfacesurface.py, a static zero-traffic pass that flags where a DAST run would look (permissive CORS, missing security headers, insecure cookies, debug/bind-all config). Advisory only, never changes the grade.
  • Deterministic scoring with per-severity penalties, caps and ceilings (any critical → ≤69, any high → ≤84) + assessment_confidence that tells you how much to trust the score itself. Verify the rubric with score.py --selfcheck.
  • Graceful degradation: runs with whatever scanners are on PATH; missing tools lower confidence, never crash the scan.

Install

/plugin marketplace add give-jd/deep-security-check
/plugin install deep-security-check@give-security

Then ask Claude: "how reliable is this project, security-wise?"

Works standalone too (no Claude required) — see README.

Scope

Static analysis only. Reads the project, never modifies it, never sends traffic to live or remote targets. Defensive use only — it is not a penetration test.