testing-security
Security test: DAST OWASP ZAP/Nuclei, SAST Semgrep/Bandit, Snyk/Trivy, detect-secrets/TruffleHog
Copy the command below and paste it into a terminal (Mac/Linux) or PowerShell (Windows). Download, extraction and placement are fully automatic.
mkdir -p ~/.claude/skills && cd ~/.claude/skills && curl -L -o testing-security.zip https://jpskill.com/download/22282.zip && unzip -o testing-security.zip && rm testing-security.zip
$d = "$env:USERPROFILE\.claude\skills"; ni -Force -ItemType Directory $d | Out-Null; iwr https://jpskill.com/download/22282.zip -OutFile "$d\testing-security.zip"; Expand-Archive "$d\testing-security.zip" -DestinationPath $d -Force; ri "$d\testing-security.zip"
When it finishes, restart Claude Code. The skill then triggers automatically when you simply ask for something like "make a video prompt".
💾 Manual download (if the command is difficult for you)
- 1. Press the blue button below to download testing-security.zip
- 2. Double-click the ZIP file to extract it; a testing-security folder is created
- 3. Move that folder to C:\Users\<your name>\.claude\skills\ (Windows) or ~/.claude/skills/ (Mac)
- 4. Restart Claude Code
⚠️ Download and use at your own risk. This site accepts no responsibility for the content, behaviour or safety of the skill.
🎯 What this Skill can do
The description below explains what this Skill does for you. It activates automatically when you ask Claude for something in this area.
📦 Installation (3 steps)
- 1. Press the "Download" button above to get the .skill file
- 2. Rename the extension from .skill to .zip and extract it (macOS can extract automatically)
- 3. Place the extracted folder in .claude/skills/ under your home folder:
  - macOS / Linux: ~/.claude/skills/
  - Windows: %USERPROFILE%\.claude\skills\
Restart Claude Code and you are done. You do not need to say "use this Skill…"; it is called automatically for related requests.
- Last updated: 2026-05-18
- Retrieved: 2026-05-18
- Bundled files: 1
📖 Original SKILL.md that Claude reads
This body is the original text (English or Chinese) that the AI (Claude) reads. Japanese translations are being added progressively.
testing-security
Purpose
This skill automates security testing by integrating DAST tools (OWASP ZAP, Nuclei), SAST tools (Semgrep, Bandit), SCA tools (Snyk, Trivy), and secrets scanners (detect-secrets, TruffleHog) to identify vulnerabilities in code, applications, and secrets.
When to Use
Use this skill during CI/CD pipelines, before deployments, or for periodic audits; ideal for projects with web apps, APIs, or codebases in languages like Python, Java, or JavaScript where security flaws could lead to breaches.
Key Capabilities
- DAST: Run OWASP ZAP for active scanning of web apps, detecting issues like XSS or SQLi; use Nuclei for custom vulnerability templates.
- SAST: Execute Semgrep for pattern-based code analysis (e.g., YAML rulesets) or Bandit for Python-specific flaws like insecure imports.
- SCA: Leverage Snyk to scan dependencies for known CVEs via SBOM analysis; use Trivy for container image scanning with vulnerability databases.
- Secrets Detection: Apply detect-secrets to scan files for patterns like API keys; use TruffleHog for Git history scans to find exposed secrets.
- Integration: Combine tools in a single workflow, e.g., run SAST on code changes and DAST on staging environments.
Usage Patterns
Always configure tools via environment variables for authentication (e.g., $ZAP_API_KEY for OWASP ZAP, $SNYK_TOKEN for Snyk). Start with a baseline scan on new projects, then automate in scripts.
- Pattern 1: For CI/CD, trigger SAST on pull requests and DAST on builds; example: Use GitHub Actions to run Semgrep on diffed files.
- Pattern 2: For local testing, chain tools sequentially—first run Trivy on Docker images, then Nuclei on URLs.
- Example 1: To scan a Python repo for SAST and secrets: Install tools, run Bandit on files, then detect-secrets; output results to a JSON report for parsing.
- Example 2: For a web app, perform DAST: Start OWASP ZAP in daemon mode, use `zap-cli` to scan a URL, and follow with Nuclei for specific exploits.
Common Commands/API
Use these exact commands in scripts or terminals; ensure dependencies are installed (e.g., via pip or Docker).
- OWASP ZAP (DAST): Start with `zap.sh -daemon -port 8080`, then scan via `zap-cli -p 8080 quick-scan --spider https://target.com --report html`. API endpoint: POST to `/JSON/core/action/newSession/` with `$ZAP_API_KEY`.
- Nuclei (DAST): Run `nuclei -t templates/ -u https://target.com -o results.txt`; use a config file like `nuclei-config.yaml` with severity levels.
- Semgrep (SAST): Execute `semgrep --config p/default --lang python .`; customize with a `.semgrep.yml` file: `rules: - id: no-os-system patterns: - pattern: os.system(...)`.
- Bandit (SAST): Command: `bandit -r /path/to/code -f json`; ignore paths via `-x tests/`.
- Snyk (SCA): Authenticate with `$SNYK_TOKEN`, then `snyk test --file=requirements.txt`; API: GET `https://snyk.io/api/v1/org/{orgId}/projects` for project lists.
- Trivy (SCA): Scan image: `trivy image myimage:latest --exit-code 1 --severity CRITICAL`; config via `.trivy.yaml` with `ignoreUnfixed: true`.
- detect-secrets (Secrets): Run `detect-secrets scan > .secrets.baseline`; use with a Git hook: `detect-secrets hook --baseline .secrets.baseline`.
- TruffleHog (Secrets): Command: `trufflehog git https://github.com/repo --since-commit HEAD~1`; filter with `--regex` for patterns.
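Example 1 under Usage Patterns ends with "output results to a JSON report for parsing". As an added example (not part of the skill's own files), this Python module merges Bandit's JSON report and a detect-secrets baseline into one findings list and gates the pipeline on severity. The two sample inputs are constructed to match the tools' JSON shapes, and the `hashed_secret` value is a placeholder.

```python
import json

# Constructed sample of Bandit's JSON report (only the keys used here are shown).
BANDIT_JSON = json.dumps({"results": [
    {"filename": "src/util.py", "line_number": 12, "test_id": "B605",
     "issue_severity": "HIGH", "issue_confidence": "HIGH",
     "issue_text": "Starting a process with a shell, possible injection"},
    {"filename": "src/cfg.py", "line_number": 3, "test_id": "B105",
     "issue_severity": "LOW", "issue_confidence": "MEDIUM",
     "issue_text": "Possible hardcoded password"}]})

# Constructed sample of a detect-secrets baseline: hits are keyed by file path.
SECRETS_JSON = json.dumps({"version": "1.4.0", "results": {
    "src/cfg.py": [{"type": "Secret Keyword", "line_number": 3,
                    "hashed_secret": "<hash placeholder>", "is_verified": False}]}})

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}

def parse_bandit(text):
    """Normalise Bandit results to one finding dict per issue."""
    return [{"tool": "bandit", "file": r["filename"], "line": r["line_number"],
             "severity": r["issue_severity"], "rule": r["test_id"],
             "message": r["issue_text"]} for r in json.loads(text)["results"]]

def parse_detect_secrets(text):
    """Every baseline hit is rated HIGH: an exposed secret must be rotated anyway."""
    out = []
    for path, hits in json.loads(text)["results"].items():
        for h in hits:
            out.append({"tool": "detect-secrets", "file": path, "line": h["line_number"],
                        "severity": "HIGH", "rule": h["type"],
                        "message": "verified live" if h.get("is_verified") else "unverified"})
    return out

def gate(findings, fail_on="HIGH"):
    """True when the pipeline should fail: any finding at or above fail_on."""
    threshold = SEVERITY_RANK[fail_on]
    return any(SEVERITY_RANK[f["severity"]] >= threshold for f in findings)

def build_report(bandit_text=BANDIT_JSON, secrets_text=SECRETS_JSON):
    """Merge both tools and sort by location so a reviewer sees one file at a time."""
    findings = parse_bandit(bandit_text) + parse_detect_secrets(secrets_text)
    findings.sort(key=lambda f: (f["file"], f["line"]))
    return {"findings": findings, "fail": gate(findings)}

if __name__ == "__main__":  # usage: python report.py > report.json
    print(json.dumps(build_report(), indent=2))
```

In a pipeline the two inputs would come from `bandit -r src/ -f json > bandit.json` and `detect-secrets scan src/ > .secrets.baseline`, read from disk in place of the constants.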
Integration Notes
Integrate via scripts or orchestration tools like Jenkins or GitHub Actions; pass outputs as JSON for chaining. For auth, set env vars like $TRIVY_USERNAME and $TRIVY_PASSWORD. Use Docker images (e.g., owasp/zap2docker-stable) for isolated runs. Config formats: YAML for Semgrep rules (e.g., { patterns: [pattern: "regex"] }), JSON for Snyk reports. Ensure tools are version-pinned (e.g., Semgrep v0.100.0) to avoid breaking changes.
Error Handling
Check exit codes after each command (e.g., Semgrep returns non-zero on findings); parse errors from stdout, like OWASP ZAP's JSON responses for "error" keys. Common issues: Network errors in DAST—retry with zap-cli --retries 3; authentication failures—verify env vars (e.g., if $SNYK_TOKEN is invalid, output "Auth error"). Log all outputs to files and handle via try-catch in scripts, e.g., in Bash: zap-cli quick-scan || echo "Scan failed: $?" >> error.log. For API calls, check HTTP status codes (e.g., 401 for unauthorized).
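Added example, not code from the skill: a runner that applies the exit-code rule above (Semgrep and Bandit exit 1 when they find something, which is a result rather than a failure), retries only genuine tool failures such as timeouts, and logs every failure to stderr. The `FINDINGS_EXIT` table and the `simulate()` helper are this example's own constructions.

```python
import subprocess
import sys
import time

# Exit codes that mean "scan finished, findings present" rather than "tool failed".
# Semgrep and Bandit exit 1 on findings; Trivy does so only with --exit-code 1.
FINDINGS_EXIT = {"semgrep": {1}, "bandit": {1}, "trivy": {1}}

def run_scanner(name, cmd, retries=3, delay=0.0, log=sys.stderr):
    """Return "clean", "findings" or "error"; retry only genuine tool failures.

    delay is the pause between retries (use a few seconds for network-bound
    DAST runs; 0 keeps the demo below fast)."""
    for attempt in range(1, retries + 1):
        try:
            proc = subprocess.run(cmd, capture_output=True, text=True, timeout=600)
        except FileNotFoundError:
            print(f"{name}: binary not found: {cmd[0]}", file=log)
            return "error"                       # retrying cannot fix a missing tool
        except subprocess.TimeoutExpired:
            print(f"{name}: timed out on attempt {attempt}", file=log)
            time.sleep(delay)
            continue
        if proc.returncode == 0:
            return "clean"
        if proc.returncode in FINDINGS_EXIT.get(name, set()):
            return "findings"                    # non-zero but meaningful: never retry
        print(f"{name}: exit {proc.returncode} on attempt {attempt}: "
              f"{proc.stderr.strip()}", file=log)
        time.sleep(delay)
    return "error"

def simulate(exit_code):
    """Constructed stand-in for a scanner: a Python child process that exits with exit_code."""
    return [sys.executable, "-c", f"import sys; sys.exit({exit_code})"]

if __name__ == "__main__":
    # With the real tool: run_scanner("bandit", ["bandit", "-r", "src/", "-f", "json"])
    for name, code in [("bandit", 0), ("bandit", 1), ("semgrep", 2)]:
        print(name, code, "->", run_scanner(name, simulate(code)))
```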
Graph Relationships
- Related to: "testing" cluster (e.g., links to unit-testing or integration-testing skills for combined workflows).
- Depends on: OWASP ZAP for DAST, Semgrep for SAST.
- Integrates with: Snyk API for SCA, TruffleHog for secrets in version control systems.