{"id":49852298,"url":"https://github.com/nerdy-krishna/securecoder","last_synced_at":"2026-05-17T00:12:21.999Z","repository":{"id":357862641,"uuid":"1238852943","full_name":"nerdy-krishna/securecoder","owner":"nerdy-krishna","description":"Installable AI-agent skill bundle for OWASP-driven code scanning, fixing, and secure-build supervision. Multi-host (Claude Code, Cursor, Codex, etc). Distilled from the SCCAP platform. Distributed via skills.sh.","archived":false,"fork":false,"pushed_at":"2026-05-14T15:32:20.000Z","size":276,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-14T16:45:22.080Z","etag":null,"topics":["agent-skills","asvs","claude-code","owasp","sast","secure-coding","security","semgrep","skills-sh"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nerdy-krishna.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-14T14:13:08.000Z","updated_at":"2026-05-14T15:32:22.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/nerdy-krishna/securecoder","commit_stats":null,"previous_names":["nerdy-krishna/securecoder"],"tags_count":13,"template":false,"template_full_name":null,"purl":"pkg:github/nerdy-krishna/securecoder","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nerdy-krishna%2Fsecurecoder","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nerdy-krishna%2Fsecurecoder/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nerdy-krishna%2Fsecurecoder/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nerdy-krishna%2Fsecurecoder/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nerdy-krishna","download_url":"https://codeload.github.com/nerdy-krishna/securecoder/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nerdy-krishna%2Fsecurecoder/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33034788,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-13T13:14:54.681Z","status":"online","status_checked_at":"2026-05-14T02:00:06.663Z","response_time":57,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["agent-skills","asvs","claude-code","owasp","sast","secure-coding","security","semgrep","skills-sh"],"created_at":"2026-05-14T17:01:09.473Z","updated_at":"2026-05-14T17:02:04.477Z","avatar_url":"https://github.com/nerdy-krishna.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# securecoder\n\nAn installable collection of AI-agent skills that audits, fixes, and supervises code against OWASP security frameworks. Works inside Claude Code, Cursor, Codex, Cline, Copilot, Windsurf, Gemini, and other agent hosts.\n\nsecurecoder is **fully agent-driven**. No server, no daemon, no API keys. It fetches SAST tools (Semgrep, Bandit, Gitleaks, OSV-scanner) and OWASP framework markdown (ASVS, MASVS, Cheatsheets, Proactive Controls) at runtime on your machine — nothing is sent to a third party by the skill itself.\n\n\u003e **Status:** v1.0.0 — stable initial release. All seven skills functional.\n\n## Quickstart\n\nInstall once:\n\n```bash\nnpx skills@latest add nerdy-krishna/securecoder\n```\n\nThe skills.sh installer detects every coding agent on your machine and offers to install securecoder into each one. Pick the ones you use.\n\nThen from any project:\n\n```text\n/securecoder-setup # one-time team config (3 minutes)\n/securecoder-scan # audit your code\n/securecoder-fix # remediate findings\n```\n\nThat's the minimum path. The other four skills add specific value — see [§ The seven skills](#the-seven-skills) below.\n\n## How the skills chain together\n\n```\n ┌─────────────────────┐\n │ /securecoder-setup │ one-time config\n └──────────┬──────────┘\n │ writes .securecoder/config.json\n ▼\n ┌─────────────────────────────────────────────────────────────────┐\n │ │\n │ Auditing existing code │\n │ ───────────────────── │\n │ /securecoder-scan → /securecoder-fix → /securecoder-scan │\n │ (audit) (remediate) (verify) │\n │ │\n │ OR the easy-button equivalent: │\n │ /securecoder-secure (does all the above in one approval) │\n │ │\n └─────────────────────────────────────────────────────────────────┘\n\n ┌─────────────────────────────────────────────────────────────────┐\n │ │\n │ In-flight work / new projects │\n │ ───────────────────────────── │\n │ /securecoder-build ─→ (you work with the agent, supervised) │\n │ /securecoder-review ←─ pre-commit gate on each change set │\n │ │\n └─────────────────────────────────────────────────────────────────┘\n\n ┌─────────────────────────────────────────────────────────────────┐\n │ │\n │ Q\u0026A and learning │\n │ ─────────────── │\n │ /securecoder-advise any time, grounded in framework docs │\n │ │\n └─────────────────────────────────────────────────────────────────┘\n```\n\n## The seven skills\n\n| Skill | One-line purpose | When to invoke it | Follow up with |\n| --- | --- | --- | --- |\n| `/securecoder-setup` | Configure frameworks, severity floor, fix scope, push strategy. | Once when adopting securecoder, or when team preferences change. | `/securecoder-scan` |\n| `/securecoder-scan` | Audit your code — SAST (Semgrep, Bandit, Gitleaks, OSV) and/or ASVS/MASVS LLM compliance. | When you want to know what's wrong before changing anything. | `/securecoder-fix` |\n| `/securecoder-fix` | Apply fixes to a previous scan's findings, with full safety loop. | After `/securecoder-scan`, to remediate. | `/securecoder-scan` (verify) |\n| `/securecoder-secure` | Easy-button pipeline: scan → fix → compliance scan → fix → report, one approval. | When you don't want to choose between scan modes — let the pipeline do the right thing. | `/securecoder-review` (next commit) |\n| `/securecoder-review` | Diff-scoped review of staged or branch changes. Pre-commit gate. | Right before you commit / push. | `/securecoder-fix` (if findings) |\n| `/securecoder-build` | Activate persistent ASVS supervision for the rest of the chat session. | When starting new feature work or a fresh project. | `/securecoder-review` (each substantive change) |\n| `/securecoder-advise` | Q\u0026A grounded in cached framework markdown. Verbatim citations. | When you don't understand a finding, want to look up a control, or are weighing a design choice. | (no specific follow-up — read and learn) |\n\n### Example invocations\n\n```text\n# First-time setup\n/securecoder-setup\n\n# Audit a Python repo for SAST + ASVS compliance\n/securecoder-scan\n# At the mode prompt: \"Both\"\n\n# Apply fixes to the latest scan, critical and high severity only\n/securecoder-fix\n# At the scope prompt: \"Critical + High\"\n\n# Specific run by id (e.g., to redo a previous fix)\n/securecoder-fix run 20260514T140000Z\n\n# Roll back the last fix run\n/securecoder-fix --restore 20260514T143000Z\n# or natural language: \"undo my last sccap-fix\"\n\n# Easy button — entire pipeline, one approval\n/securecoder-secure\n\n# Pre-commit review of staged changes only\n/securecoder-review\n\n# Pre-PR review of your feature branch vs main\n/securecoder-review\n# At the scope prompt: \"Branch vs base\"\n\n# Install the SAST-only pre-commit hook\n/securecoder-review\n# At the scope prompt: \"Install pre-commit hook\"\n\n# Activate secure-build mode for the rest of this session\n/securecoder-build\n\n# Ask a security question\n/securecoder-advise \"How do I prevent SSRF in this codebase?\"\n\n# Look up a specific ASVS control\n/securecoder-advise \"Explain ASVS V1.2.1\"\n\n# Deep-dive on a specific finding from your last scan\n/securecoder-advise\n# At the mode prompt: \"Specific finding deep-dive\"\n# Then provide the finding ID prefix\n```\n\nDetailed per-skill guides live at [`docs/guides/per-skill/`](docs/guides/per-skill/).\n\n## Common scenarios\n\n| Scenario | Recommended sequence |\n| --- | --- |\n| **I just inherited a codebase** | `/securecoder-setup` → `/securecoder-secure` → review the `report.html` |\n| **Starting a new project** | `/securecoder-setup` → `/securecoder-build` (then code with the agent) → `/securecoder-review` before each commit |\n| **About to open a PR** | `/securecoder-review` (scope: branch vs base) → `/securecoder-fix` if findings |\n| **Casual learning** | `/securecoder-advise \"\u003cquestion\u003e\"` — no setup required if you've run a scan once to populate the framework cache |\n| **Compliance audit deliverable** | `/securecoder-scan` (mode: LLM compliance only) → share the `report.html` and the compliance-posture section |\n| **A finding looks wrong** | `/securecoder-advise` (mode: specific finding deep-dive) — see the verbatim ASVS text + why securecoder flagged it |\n| **Rolling back a bad fix** | `/securecoder-fix --restore \u003crun-id\u003e` |\n\nFull scenario walkthroughs: [`docs/guides/scenarios.md`](docs/guides/scenarios.md).\n\n## What gets installed where\n\n```\n\u003cyour project\u003e/\n└── .securecoder/\n ├── config.json team-shared (checked in)\n ├── .gitignore (auto-generated)\n ├── runs/\u003cid\u003e/ scan / fix runs (gitignored)\n └── reviews/\u003cid\u003e/ diff-scoped reviews (gitignored)\n\n\u003cyour home cache\u003e/ (~/.cache/securecoder/ on Linux, ~/Library/Caches/securecoder/ on macOS, %LOCALAPPDATA%\\securecoder\\ on Windows)\n├── tools/\n│ ├── semgrep/ pipped into a private venv\n│ ├── bandit/ ditto\n│ ├── gitleaks/ GitHub release binary\n│ └── osv-scanner/ GitHub release binary\n└── rules/\n ├── semgrep/\u003csha\u003e/ returntocorp/semgrep-rules cloned, content-addressed\n └── frameworks/\n ├── asvs/\u003csha\u003e/ OWASP/ASVS cloned, content-addressed\n ├── masvs/\u003csha\u003e/\n └── proactive-controls/\u003csha\u003e/\n```\n\nThe skill **never modifies anything outside `\u003cyour project\u003e/.securecoder/` and `\u003cyour home cache\u003e/securecoder/`** unless you explicitly run `/securecoder-fix` (or `/securecoder-secure`) which writes to your source files. Even then, every modified file is backed up first.\n\n## Privacy\n\nsecurecoder itself **never sends source code anywhere**. It performs these network operations:\n\n- `git clone` over HTTPS against the official OWASP and Semgrep rule repos (and any explicit custom sources)\n- HTTPS POST to `api.osv.dev` with dependency package names + versions (no source code)\n- HTTPS download of Gitleaks and OSV-scanner release binaries from GitHub\n- `git push` only if your configured push strategy says to, and only to your own remote\n\n**LLM calls send source code to whichever model provider your coding agent uses** — Anthropic, OpenAI, Google, etc. This is your existing relationship with that provider; securecoder doesn't introduce a new vendor. The compliance-scan, fix, build, and review skills inherently include source in prompts.\n\nYou can run securecoder fully offline once tools and rule packs are cached.\n\n## How it relates to SCCAP\n\nThis project distills the OWASP-driven scan/fix workflow from the [SCCAP platform](https://github.com/nerdy-krishna/ai-secure-coding-compliance-platform) into a portable, server-less skill bundle. SCCAP remains the heavyweight server-side answer (FastAPI, multi-agent LangGraph, Postgres, RabbitMQ, dashboards, multi-user). securecoder is the lightweight agent-resident answer for individual developers and small teams who want the same audit-first discipline without standing up infrastructure.\n\nThe two projects share design intent but have **no runtime dependency on each other**.\n\n## Design and contributing\n\n- [`docs/design.md`](docs/design.md) — every architectural decision, schema, and protocol\n- [`docs/prd.md`](docs/prd.md) — user-story-driven requirements\n- [`docs/issues/`](docs/issues/) — 14 implementation slices, dependency-ordered\n- [`docs/guides/`](docs/guides/) — usage walkthroughs and per-skill deep dives\n- [`CHANGELOG.md`](CHANGELOG.md) — full release history from v0.1.0 onwards\n\nContributions welcome. The simplest path:\n\n1. Pick a slice from `docs/issues/` that lists outstanding test work, or open a discussion for a new feature.\n2. Open a PR with the implementation + tests if applicable.\n3. The two HITL-tagged slices (07 ASVS prompt, 11 build-mode policy) need maintainer review of their literal text since it directly shapes agent behavior.\n\n## License\n\n[MIT](LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnerdy-krishna%2Fsecurecoder","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnerdy-krishna%2Fsecurecoder","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnerdy-krishna%2Fsecurecoder/lists"}