Domain 01 / 12
Code Analysis security audit
Scan the whole codebase and its dependencies — not just the diff — for vulnerabilities and supply-chain risk.
- 41 checks
- SAST · DAST · IAST · SCA · Supply chain
What securmyapp checks
Inside the Code Analysis domain
This is the Code Analysis domain of securmyapp — the free, open-source, 100% defensive security auditor for Claude Code that runs 598 checks across 12 domains. The Code Analysis domain audits your source and its dependencies end to end. securmyapp runs static analysis (SAST) across the entire repository, dynamic analysis (DAST) against the running app, software composition analysis (SCA) of direct and transitive dependencies, and a battery of supply-chain checks — from secrets buried in Git history to dependency confusion and build provenance.
Coverage areas
41 atomic checks span these sub-domains.
SAST
Static analysis of the full codebase with Semgrep and 57 custom rules.
DAST
Authenticated and unauthenticated scans of the running application.
IAST
Instrumented data-flow correlation during functional tests.
SCA
Direct & transitive dependency CVEs, EoL packages, licenses.
Supply chain
Dependency confusion, typosquatting, SBOM, artifact signing, SLSA provenance.
Secrets & manual audit
Committed secrets, backdoors, AI-generated code review.
Example checks
A sample of the real checks run in this domain — each mapped to a standard and a fix.
| Check | Severity | Detects | Reference |
|---|---|---|---|
| Secrets in Git history | Critical | API keys and hardcoded passwords across the entire history. | CWE-798 · MITRE T1552 |
| SAST across the entire codebase | High | Injections, XSS, deserialization and weak crypto in legacy code. | ASVS V15 · NIST SA-11 |
| SCA of transitive dependencies | High | Known CVEs buried in sub-dependencies. | A06:2021 · ASVS V15 |
| Dependency confusion | High | Internal package names that a public namesake could supplant. | CICD-SEC-3 · MITRE T1195 |
| Behavioral analysis of packages | High | Packages that exfiltrate, download or obfuscate at install/runtime. | MITRE T1195 · CWE-506 |
| Analysis of AI-generated code | Medium | Insecure patterns frequently produced by AI assistants. | ASVS V1 · CWE-1177 |
Vulnerabilities we catch
- Hardcoded API keys and passwords committed anywhere in Git history
- Vulnerable direct and transitive dependencies (known CVEs)
- Dependency confusion and typosquatting in the package tree
- Dangerous constructs — eval, exec, deprecated and unsafe APIs
- Missing SBOM, unsigned artifacts and builds without provenance
- Backdoors, kill-switches and hidden conditions in the code
How remediation works and standards
Detect → explain → fix → verify
How remediation works here
Every finding in this domain is explained in plain language with its reference, fixed with a concrete change to the exact file and line, committed as a reversible Git commit, then re-checked in a real browser against a healthy baseline — so a security fix never breaks your app.
Standards behind this domain
Mapped to recognized references
- OWASP WSTG
- OWASP ASVS 5.0
- OWASP API Top 10
- OWASP MASVS 2.1
- CIS Benchmarks
- MITRE ATT&CK
- CWE
FAQ
Code Analysis — questions & answers
Does it scan the whole repository or only changed files?
The entire repository. A partial, diff-only scan lets legacy vulnerabilities slip through, so securmyapp runs SAST across the full codebase and resolves the complete dependency tree.
Which scanners power the code analysis?
Semgrep (plus 57 custom securmyapp rules) for SAST, Trivy for SCA and CVEs, and gitleaks for secrets in Git history. Each scanner is optional and degrades gracefully if it is not installed.
Can it review AI-generated code?
Yes. A dedicated check specifically reviews code produced by AI assistants, which often reintroduce known insecure patterns — a frequent blind spot for vibe coders.
Related domains
Get started
Audit your app in the next five minutes
Install the plugin in Claude Code, then type /securmyapp in your project. The full audit starts on its own.
/plugin marketplace add mafady/securmyapp
/plugin install securmyapp@mafady-security
/reload-plugins
View on GitHub Browse the domains
Requires Node.js 18+, Claude Code, and a paid Claude subscription. Semgrep & Playwright recommended.