Last week, a solo founder ran /security-audit on his SaaS codebase. Claude Code found 23 vulnerabilities in 47 minutes — including an SQL injection that had been live for 8 months. A professional audit would have cost him $15K and taken 3 weeks. He fixed everything that afternoon.
This guide shows you the exact same process. You’ll get copy-paste commands for scanning OWASP vulnerabilities, weak auth, exposed secrets, and dependency CVEs — all using Claude Code’s built-in security skills.
TL;DR: Run
/security-auditin Claude Code to scan your entire codebase. It checks for OWASP Top 10 vulnerabilities, reviews dependencies for CVEs, audits auth/config, and generates a prioritized fix list. Get the security audit skill free →
What you’ll need: Claude Code installed (setup guide if not). If you’re still writing security prompts from scratch, read why reusable skills beat one-off prompts first — it’ll save you hours.
Jump to what you need:
What an AI-Powered Security Audit Covers (5 Phases)
Here’s what Claude Code checks — and what most teams miss until it’s too late:
1. Static Code Analysis
- SQL injection vulnerabilities
- Cross-site scripting (XSS) risks
- Insecure deserialization
- Hardcoded credentials
- Weak cryptography
- Missing input validation
2. Dependency Analysis
- Known CVEs in your packages
- Outdated libraries
- License compliance issues
- Dependency bloat
3. Configuration Review
- Exposed environment variables
- Weak authentication setup
- Missing encryption
- Overly permissive access controls
- Misconfigured cloud resources
4. Architecture Review
- Data flow security
- API security
- Authentication/authorization patterns
- Session management
- CSRF protection
5. Compliance Checks
- GDPR data handling
- PCI DSS for payment processing
- SOC 2 readiness
- HIPAA requirements
- Industry-specific standards
Want to run this audit right now? The free Claude Skills 360 starter kit includes the /security-audit skill — no credit card, 2-minute install. It covers all 5 phases above in a single command.
🔒 Quick Security Self-Check
Before running the full audit, see how your codebase scores on these common vulnerabilities. Check each item you’re confident about:
Setting Up Your Security Audit Agent
Step 1: Prepare Your Codebase
# Export your code structure (not node_modules)
find . -type f \( -name "*.js" -o -name "*.ts" -o -name "*.jsx" -o -name "*.tsx" -o -name "*.py" \) -not -path "*/node_modules/*" -not -path "*/.git/*" > code-manifest.txt
# Count files
wc -l code-manifest.txt # Should be manageable numberStep 2: Create a Security Audit Profile
# Security Audit Profile
## Application Details
- Name: [Your App]
- Type: Web / Mobile / API / SaaS
- Stack: Next.js + Node.js + PostgreSQL
- Data Sensitivity: High (stores payment info, PII)
- Users: 5,000+ active users
- Compliance: SOC 2, GDPR, PCI DSS
## Attack Surface
- Web: https://app.example.com
- API: https://api.example.com/v1
- Mobile: iOS and Android apps
- Third-party integrations: Stripe, SendGrid, AWS
## Known Constraints
- Legacy code in /legacy/ directory
- Payment processing via Stripe (PCI compliance delegated)
- Authentication: NextAuth with OAuth providers
- Deployment: AWS ECS + RDS
## Previous Issues
- SQL injection in user search (fixed v1.3)
- XSS in comments (fixed v1.2)
- Exposed API keys (fixed v1.1)
## Audit Goals
1. Find unknown vulnerabilities
2. Assess compliance readiness
3. Prioritize remediation
4. Document security controlsStep 3: Invoke the Security Audit Agent
/security-audit-agent
Run a comprehensive audit on my codebase:
1. Scan for OWASP Top 10 vulnerabilities
2. Check all dependencies for CVEs
3. Review authentication/authorization
4. Assess data handling practices
5. Check compliance with SOC 2
6. Generate risk-rated findings
7. Provide remediation steps
Use this profile: [paste your security audit profile]
Focus on critical and high-risk issues first.Claude Code will systematically:
- Read your code
- Analyze each file for vulnerabilities
- Check dependencies
- Cross-reference against known vulnerabilities
- Generate findings with risk scores
- Suggest fixes
OWASP Top 10 and What to Look For
Here’s a quick reference before we dive into code examples:
| # | Vulnerability | One-Line Check | Severity |
|---|---|---|---|
| 1 | Broken Access Control | Are admin routes checking permissions? | Critical |
| 2 | Cryptographic Failures | Are passwords hashed? Is data encrypted? | Critical |
| 3 | Injection | Are queries parameterized? | Critical |
| 4 | Insecure Design | Can users guess URLs to access files? | High |
| 5 | Security Misconfiguration | Is debug mode off in production? | High |
| 6 | Vulnerable Components | When did you last run npm audit? | High |
| 7 | Auth Failures | What’s your password policy? | Critical |
| 8 | Integrity Failures | Are API responses verified? | Medium |
| 9 | Logging Failures | Could you detect an attack right now? | Medium |
| 10 | SSRF | Can users make your server fetch URLs? | High |
Each section below shows the vulnerable pattern and the fix. /security-audit checks all of these automatically — get it free here.
1. Broken Access Control
What it means: Users can access resources they shouldn’t.
// ❌ VULNERABLE: No permission check
app.get("/admin/users/:id", async (req, res) => {
const user = await User.findById(req.params.id);
res.json(user);
});
// ✅ SECURE: Verify admin status
app.get("/admin/users/:id", async (req, res) => {
if (!req.user.isAdmin) {
return res.status(403).json({ error: "Forbidden" });
}
const user = await User.findById(req.params.id);
res.json(user);
});2. Cryptographic Failures
What it means: Sensitive data isn’t encrypted or uses weak encryption.
// ❌ VULNERABLE: Storing passwords in plain text
db.users.insert({ email, password });
// ✅ SECURE: Hash passwords
const hashedPassword = await bcrypt.hash(password, 10);
db.users.insert({ email, password: hashedPassword });3. Injection
What it means: Untrusted input is executed as code.
// ❌ VULNERABLE: SQL injection
const query = `SELECT * FROM users WHERE email = '${email}'`;
// ✅ SECURE: Parameterized queries
const query = "SELECT * FROM users WHERE email = ?";
db.query(query, [email]);4. Insecure Design
What it means: The architecture lacks security by design.
Vulnerable pattern:
- User can download any file by guessing URLs
- Password resets allow account takeover
- No rate limiting on login attempts
Secure pattern:
- File access requires ownership check
- Password reset requires email verification
- Rate limiting on sensitive endpoints
5. Security Misconfiguration
What it means: Security features are disabled or misconfigured.
// ❌ VULNERABLE: Debug mode enabled in production
if (process.env.NODE_ENV !== "production") {
app.use(morgan("combined"));
}
// ✅ SECURE: Never expose debug info
app.use(helmet());6. Vulnerable and Outdated Components
What it means: You’re using packages with known vulnerabilities.
# Check for known CVEs
npm audit
# Result: 15 vulnerabilities found
# Fix: npm audit fix7. Authentication Failures
What it means: Weak or broken authentication mechanisms.
// ❌ VULNERABLE: Weak password requirements
if (password.length >= 4) {
// accept password
}
// ✅ SECURE: Strong password policy
const strongPassword = /^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{12,}$/;
if (!strongPassword.test(password)) {
throw new Error("Password too weak");
}8. Software and Data Integrity Failures
What it means: Updates or data transfers aren’t verified.
// ❌ VULNERABLE: No signature verification on API responses
const data = await fetch(externalAPI).then(r => r.json());
// ✅ SECURE: Verify signature
const signature = response.headers.get("x-signature");
const verified = verifySignature(data, signature, secretKey);
if (!verified) throw new Error("Invalid signature");9. Logging and Monitoring Failures
What it means: You can’t detect attacks because there’s no logging.
// ❌ VULNERABLE: No audit trail
db.users.update({ id }, { role: "admin" });
// ✅ SECURE: Log all critical actions
logger.info("User role changed", {
userId: id,
newRole: "admin",
changedBy: req.user.id,
timestamp: new Date()
});10. Server-Side Request Forgery (SSRF)
What it means: Your server makes requests to untrusted URLs.
// ❌ VULNERABLE: SSRF
app.get("/fetch-url", async (req, res) => {
const data = await fetch(req.query.url);
res.json(await data.json());
});
// ✅ SECURE: Whitelist URLs
const allowedDomains = ["trusted1.com", "trusted2.com"];
if (!allowedDomains.some(domain => req.query.url.includes(domain))) {
return res.status(400).json({ error: "Domain not allowed" });
}Related: If you’re building autonomous workflows around security, see how to build autonomous agents with Claude Code — you can chain the security audit into your CI/CD pipeline.
The /security-audit skill checks all 10 OWASP categories in one pass. It reads your codebase, flags vulnerable patterns like the examples above, and generates a prioritized fix list with severity scores. Most codebases take 30-60 minutes. Try it free →
Running the Audit in Practice
Phase 1: Code Review (2-3 hours)
Analyze my codebase for:
- All OWASP Top 10 vulnerabilities
- Common security mistakes
- Authentication weaknesses
- Data exposure risks
Create a detailed report with:
- Vulnerability name
- Location (file + line)
- Severity (Critical/High/Medium/Low)
- Explanation
- Proof of concept
- Remediation stepsClaude systematically scans your code and generates findings.
Phase 2: Dependency Audit (30 min)
Check all dependencies in package.json for:
- Known CVEs
- End-of-life packages
- Unnecessary dependencies
- License violations
Generate a list prioritized by severity:
- Critical vulnerabilities = update immediately
- High vulnerabilities = update this release
- Medium vulnerabilities = next release
- Low vulnerabilities = monitorPhase 3: Configuration Review (1-2 hours)
Review these files for configuration issues:
- .env (sample)
- docker-compose.yml
- nginx.conf
- database setup scripts
- authentication setup
- API security headers
Check for:
- Exposed secrets
- Default credentials
- Unnecessary permissions
- Missing security headers
- Weak TLS configurationPhase 4: Architecture Assessment (1-2 hours)
Review the architecture for:
- API security (authentication, rate limiting, validation)
- Data flow (where does sensitive data go?)
- Access control (who can do what?)
- Session management
- CSRF protection
- Input validation
Create a security architecture diagram showing:
- External threats
- Internal data flows
- Security controls
- GapsRisk Scoring and Prioritization
Not all issues are equal. The audit should score issues by risk:
Risk = Severity × Exploitability × Impact
CRITICAL: Severity 10 × Exploitability 10 × Impact 10
→ Fix immediately, possibly deploy emergency patch
→ Examples: SQL injection, hardcoded passwords, SSRF
HIGH: Severity 10 × Exploitability 7 × Impact 8
→ Fix in this release cycle
→ Examples: Missing rate limiting, weak auth
MEDIUM: Severity 7 × Exploitability 5 × Impact 6
→ Fix in next 1-2 releases
→ Examples: Missing security headers, verbose error messages
LOW: Severity 3 × Exploitability 3 × Impact 3
→ Track and fix when convenient
→ Examples: Outdated package versions, code style issuesFocus on critical issues first. A 2x2 matrix helps:
High Impact | Low Impact
High CRITICAL | MEDIUM
Exploitability
Low MEDIUM | LOW
ExploitabilityRemediation Workflow
For each finding:
- Understand: Claude explains the vulnerability in detail
- Reproduce: Claude provides a proof-of-concept showing the issue
- Fix: Claude generates patched code
- Test: You verify the fix works
- Deploy: You merge and ship
- Verify: Claude confirms the issue is resolved
Example fix generation:
Finding: SQL injection in /api/search endpoint
Current code:
const query = `SELECT * FROM products WHERE name LIKE '%${searchTerm}%'`;
Generate a fixed version that:
- Uses parameterized queries
- Validates input length
- Escapes special characters
- Maintains the same functionality
- Includes unit tests for the fixOngoing Security
An audit is a snapshot. Real security is continuous — and Claude Code workflow automation makes it easy to schedule recurring scans:
1. Set Up Dependency Scanning
# Check for CVEs on every dependency update
npm audit fix --audit-level=moderate2. Add Pre-Commit Hooks
# Prevent hardcoded credentials from being committed
npx husky add .husky/pre-commit "npx detect-secrets scan"3. Automated Code Scanning
# GitHub Actions: Run security scan on every PR
name: Security Audit
on: [pull_request]
jobs:
audit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- run: npm audit
- run: npm test4. Monthly Reviews
Set a calendar reminder to run the security audit monthly. Track:
- New vulnerabilities discovered
- Time to fix critical issues
- Trends in vulnerability types
- Team education opportunities
Tools to Complement Claude Code Audits
- OWASP ZAP: Automated dynamic security scanning
- npm audit: Dependency vulnerability checking
- SonarQube: Code quality and security
- Snyk: Continuous vulnerability monitoring
- Burp Suite Community: Manual penetration testing (advanced)
Use Claude for understanding and comprehensive analysis. Use specialized tools for continuous monitoring.
Reporting Results
Create an audit report for stakeholders:
# Security Audit Report — Q1 2026
## Executive Summary
- Total findings: 47
- Critical: 3 (must fix immediately)
- High: 8 (fix this release)
- Medium: 18 (fix next release)
- Low: 18 (monitor)
## Critical Issues
1. SQL injection in user search
2. Hardcoded AWS credentials
3. Missing CSRF protection
## Compliance Status
- SOC 2: Not ready (3 critical findings must be fixed)
- GDPR: Ready (data deletion implemented)
- PCI DSS: N/A (payment processing delegated to Stripe)
## Recommendations
1. Fix all critical issues before next release
2. Add pre-commit hooks to prevent credential leaks
3. Implement security testing in CI/CD
4. Schedule quarterly auditsQuick-Start Checklist
If you skimmed here, this is the 5-step action plan:
- Install the security audit skill — free, takes 2 minutes
- Run
/security-auditon your codebase — 30-60 min for most projects - Fix critical issues first — SQL injection, hardcoded secrets, broken auth
- Set up
npm auditin CI — catches new CVEs on every pull request - Schedule monthly re-audits — use cron jobs with Claude Code to automate it
Already found vulnerabilities? The full Claude Skills 360 suite includes /security-patch, /vulnerability-scanner, and /pentest-checklist — purpose-built skills for fixing what the audit finds. Compare free vs full →
Related Security Skills in Claude Skills 360
The /security-audit skill is just the start. Here’s what the full bundle includes for security workflows:
| Skill | What It Does |
|---|---|
/security-audit | Full OWASP Top 10 scan with prioritized findings |
/security-scan | Quick vulnerability sweep for CI/CD pipelines |
/vulnerability-scanner | Deep CVE + dependency analysis |
/pentest-checklist | Structured penetration testing workflow |
/security-check | Pre-deploy security gate — blocks risky code |
/security-review | Pull request security review with inline comments |
All 6 skills are included in the free starter kit (360 skills across 9 categories). Need the full arsenal? Get lifetime access to 2,350+ skills for $39 →
Conclusion
Security audits don’t require $15K consultants anymore. Claude Code identifies vulnerabilities, explains impact, and generates fixes — in hours, not weeks.
Your audit will find issues. That’s the point. The value isn’t a perfect score — it’s knowing what’s wrong before attackers do.
Start now: Get the free security audit skill and run it on your codebase today. You’ll have a prioritized vulnerability list before lunch. Ready for the full security toolkit? See all plans →
Frequently Asked Questions
How often should I run AI-powered security audits?
Run a full audit at least quarterly, with automated dependency scanning on every commit. Claude Skills 360 includes security audit skills that can be integrated into your CI/CD pipeline for continuous scanning, plus a monthly review agent that catches new vulnerabilities as they’re disclosed.
Can I try Claude Code skills for free?
Yes — Claude Skills 360 offers a free starter kit with 360 skills across 9 categories. No credit card required. If you want the full suite of 2,350+ skills, 45+ agents, and 12 swarms, you can upgrade for a one-time $39.