v0.1.0 — first public release
First public release. 🎉
deep-security-check is a defensive, read-only security assessment skill for Claude Code: point it at a local project and get a report with a reproducible reliability grade (0–100, A–F) — the number comes from a deterministic rubric (score.py), not model opinion.
What's inside
- SAST — Semgrep (
p/defaultruleset) - SCA — osv-scanner (dependency CVEs via OSV.dev)
- Secrets — gitleaks
- Dynamic-test surface —
surface.py, a static zero-traffic pass that flags where a DAST run would look (permissive CORS, missing security headers, insecure cookies, debug/bind-all config). Advisory only, never changes the grade. - Deterministic scoring with per-severity penalties, caps and ceilings (any critical → ≤69, any high → ≤84) +
assessment_confidencethat tells you how much to trust the score itself. Verify the rubric withscore.py --selfcheck. - Graceful degradation: runs with whatever scanners are on
PATH; missing tools lower confidence, never crash the scan.
Install
/plugin marketplace add give-jd/deep-security-check
/plugin install deep-security-check@give-security
Then ask Claude: "how reliable is this project, security-wise?"
Works standalone too (no Claude required) — see README.
Scope
Static analysis only. Reads the project, never modifies it, never sends traffic to live or remote targets. Defensive use only — it is not a penetration test.