An installable collection of AI-agent skills that audits, fixes, and supervises code against OWASP security frameworks. Works inside Claude Code, Cursor, Codex, Cline, Copilot, Windsurf, Gemini, and other agent hosts.
securecoder is fully agent-driven. No server, no daemon, no API keys. It fetches SAST tools (Semgrep, Bandit, Gitleaks, OSV-scanner) and OWASP framework markdown (ASVS, MASVS, Cheatsheets, Proactive Controls) at runtime on your machine — nothing is sent to a third party by the skill itself. Compliance scans always run a bundled, language-agnostic baseline framework (secure-coding-essentials), so non-web code gets a real audit too.
Status: v1.3.0 — nine skills functional. v1.3.0 adds the
secure-coding-essentialsuniversal baseline framework (always runs — memory safety, integer handling, concurrency, etc.), framework fit-detection that warns when an overlay like ASVS doesn't fit the repo and suggests a better one, per-framework control-ID regexes, and 15 new pytest cases (98 total).
Install once:
npx skills@latest add nerdy-krishna/securecoderThe skills.sh installer detects every coding agent on your machine and offers to install securecoder into each one. Pick the ones you use.
Then from any project:
/securecoder-setup # one-time team config (3 minutes)
/securecoder-scan # audit your code
/securecoder-fix # remediate findings
That's the minimum path. The other four skills add specific value — see § The seven skills below.
┌─────────────────────┐
│ /securecoder-setup │ one-time config
└──────────┬──────────┘
│ writes .securecoder/config.json
▼
┌─────────────────────────────────────────────────────────────────┐
│ │
│ Auditing existing code │
│ ───────────────────── │
│ /securecoder-scan → /securecoder-fix → /securecoder-scan │
│ (audit) (remediate) (verify) │
│ │
│ OR the easy-button equivalent: │
│ /securecoder-secure (does all the above in one approval) │
│ │
└─────────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────────┐
│ │
│ In-flight work / new projects │
│ ───────────────────────────── │
│ /securecoder-build ─→ (you work with the agent, supervised) │
│ /securecoder-review ←─ pre-commit gate on each change set │
│ │
└─────────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────────┐
│ │
│ Q&A and learning │
│ ─────────────── │
│ /securecoder-advise any time, grounded in framework docs │
│ │
└─────────────────────────────────────────────────────────────────┘
| Skill | One-line purpose | When to invoke it | Follow up with |
|---|---|---|---|
/securecoder-setup |
Configure overlay frameworks, severity floor, fix scope, push strategy, framework-fit threshold. | Once when adopting securecoder, or when team preferences change. | /securecoder-scan |
/securecoder-scan |
Audit your code — SAST (Semgrep, Bandit, Gitleaks, OSV) and/or LLM compliance (baseline secure-coding-essentials + any ASVS/MASVS overlays). Warns on poor framework fit. |
When you want to know what's wrong before changing anything. | /securecoder-fix |
/securecoder-fix |
Apply fixes to a previous scan's findings, with full safety loop. | After /securecoder-scan, to remediate. |
/securecoder-scan (verify) |
/securecoder-secure |
Easy-button pipeline: scan → fix → compliance scan → fix → report, one approval. | When you don't want to choose between scan modes — let the pipeline do the right thing. | /securecoder-review (next commit) |
/securecoder-review |
Diff-scoped review of staged or branch changes. Pre-commit gate. | Right before you commit / push. | /securecoder-fix (if findings) |
/securecoder-build |
Activate persistent ASVS supervision for the rest of the chat session. | When starting new feature work or a fresh project. | /securecoder-review (each substantive change) |
/securecoder-advise |
Q&A grounded in cached framework markdown. Verbatim citations. | When you don't understand a finding, want to look up a control, or are weighing a design choice. | (no specific follow-up — read and learn) |
/securecoder-suppress |
Mark findings as false positives. Team-shared via .securecoder/suppressions.json. |
When a finding is wrong or expected. Also via the HTML report's per-finding/cluster Suppress UI. | /securecoder-scan (re-run for effect) |
/securecoder-update |
Check whether installed securecoder is current. Reports latest release + the install command if an upgrade exists. | Periodically (~monthly). Read-only; never modifies anything. | (run the install command if an upgrade is offered) |
# First-time setup
/securecoder-setup
# Audit a Python repo for SAST + ASVS compliance
/securecoder-scan
# At the mode prompt: "Both"
# Apply fixes to the latest scan, critical and high severity only
/securecoder-fix
# At the scope prompt: "Critical + High"
# Specific run by id (e.g., to redo a previous fix)
/securecoder-fix run 20260514T140000Z
# Roll back the last fix run
/securecoder-fix --restore 20260514T143000Z
# or natural language: "undo my last sccap-fix"
# Easy button — entire pipeline, one approval
/securecoder-secure
# Pre-commit review of staged changes only
/securecoder-review
# Pre-PR review of your feature branch vs main
/securecoder-review
# At the scope prompt: "Branch vs base"
# Install the SAST-only pre-commit hook
/securecoder-review
# At the scope prompt: "Install pre-commit hook"
# Activate secure-build mode for the rest of this session
/securecoder-build
# Ask a security question
/securecoder-advise "How do I prevent SSRF in this codebase?"
# Look up a specific ASVS control
/securecoder-advise "Explain ASVS V1.2.1"
# Deep-dive on a specific finding from your last scan
/securecoder-advise
# At the mode prompt: "Specific finding deep-dive"
# Then provide the finding ID prefix
# Mark a finding as a false positive (v1.1.0)
/securecoder-suppress 5823722d "Validated upstream by middleware"
# Mark a pattern as a false positive
/securecoder-suppress add --match "rule=B105 and file_glob=tests/**" --reason "Test fixtures"
# Or annotate the source directly (v1.2.0)
# Inside any source file:
# # securecoder: ignore reason="..."
# Inline at end of code line:
# PASSWORD = "x" # securecoder: ignore reason="dev only"
# Check whether you're on the latest securecoder release (v1.2.0)
/securecoder-update
Detailed per-skill guides live at docs/guides/per-skill/.
| Scenario | Recommended sequence |
|---|---|
| I just inherited a codebase | /securecoder-setup → /securecoder-secure → review the report.html |
| Starting a new project | /securecoder-setup → /securecoder-build (then code with the agent) → /securecoder-review before each commit |
| About to open a PR | /securecoder-review (scope: branch vs base) → /securecoder-fix if findings |
| Casual learning | /securecoder-advise "<question>" — no setup required if you've run a scan once to populate the framework cache |
| Compliance audit deliverable | /securecoder-scan (mode: LLM compliance only) → share the report.html and the compliance-posture section |
| Scanning non-web code (C / Rust / embedded) | /securecoder-scan → at the fit warning pick "recommended" — the secure-coding-essentials baseline audits it; ASVS is skipped |
| A finding looks wrong | /securecoder-advise (mode: specific finding deep-dive) — see the verbatim ASVS text + why securecoder flagged it |
| Rolling back a bad fix | /securecoder-fix --restore <run-id> |
Full scenario walkthroughs: docs/guides/scenarios.md.
<your project>/
├── .gitignore securecoder-managed block keeps scan output out of git
└── .securecoder/
├── config.json team-shared (checked in)
├── .gitignore (auto-generated backstop)
├── runs/<id>/ scan / fix runs (gitignored)
└── reviews/<id>/ diff-scoped reviews (gitignored)
<your home cache>/ (~/.cache/securecoder/ on Linux, ~/Library/Caches/securecoder/ on macOS, %LOCALAPPDATA%\securecoder\ on Windows)
├── tools/
│ ├── semgrep/ pipped into a private venv
│ ├── bandit/ ditto
│ ├── gitleaks/ GitHub release binary
│ └── osv-scanner/ GitHub release binary
└── rules/
├── semgrep/<sha>/ returntocorp/semgrep-rules cloned, content-addressed
└── frameworks/
├── asvs/<sha>/ OWASP/ASVS cloned, content-addressed
├── masvs/<sha>/
└── proactive-controls/<sha>/
The skill never modifies anything outside <your project>/.securecoder/ and <your home cache>/securecoder/ — with one narrow exception: /securecoder-scan maintains a sentinel-fenced block in your project-root .gitignore so scan output (the full list of discovered vulnerabilities) stays out of commits. It's configurable via git.gitignore_strategy in config.json; set it to none to opt out. Your source files are modified only when you explicitly run /securecoder-fix (or /securecoder-secure) — and even then, every modified file is backed up first.
securecoder itself never sends source code anywhere. It performs these network operations:
git cloneover HTTPS against the official OWASP and Semgrep rule repos (and any explicit custom sources)- HTTPS POST to
api.osv.devwith dependency package names + versions (no source code) - HTTPS download of Gitleaks and OSV-scanner release binaries from GitHub
git pushonly if your configured push strategy says to, and only to your own remote
LLM calls send source code to whichever model provider your coding agent uses — Anthropic, OpenAI, Google, etc. This is your existing relationship with that provider; securecoder doesn't introduce a new vendor. The compliance-scan, fix, build, and review skills inherently include source in prompts.
You can run securecoder fully offline once tools and rule packs are cached.
This project distills the OWASP-driven scan/fix workflow from the SCCAP platform into a portable, server-less skill bundle. SCCAP remains the heavyweight server-side answer (FastAPI, multi-agent LangGraph, Postgres, RabbitMQ, dashboards, multi-user). securecoder is the lightweight agent-resident answer for individual developers and small teams who want the same audit-first discipline without standing up infrastructure.
The two projects share design intent but have no runtime dependency on each other.
docs/design.md— every architectural decision, schema, and protocoldocs/prd.md— user-story-driven requirementsdocs/issues/— open implementation issues (shipped slices retired; see the CHANGELOG for history)docs/guides/— usage walkthroughs and per-skill deep divesdocs/roadmap.md— what's planned for v1.4.0 and beyondCHANGELOG.md— full release history from v0.1.0 onwards
Contributions welcome. The simplest path:
- Pick a slice from
docs/issues/that lists outstanding test work, or open a discussion for a new feature. - Open a PR with the implementation + tests if applicable.
- Any work touching agent-facing literal text (compliance prompts, build-mode policy) needs maintainer review since it directly shapes agent behavior.
MIT.