Domain 01 / 12

Code Analysis security audit

Scan the whole codebase and its dependencies — not just the diff — for vulnerabilities and supply-chain risk.

  • 41 checks
  • SAST · DAST · IAST · SCA · Supply chain

Run the audit See example checks

What securmyapp checks

Inside the Code Analysis domain

This is the Code Analysis domain of securmyapp — the free, open-source, 100% defensive security auditor for Claude Code that runs 598 checks across 12 domains. The Code Analysis domain audits your source and its dependencies end to end. securmyapp runs static analysis (SAST) across the entire repository, dynamic analysis (DAST) against the running app, software composition analysis (SCA) of direct and transitive dependencies, and a battery of supply-chain checks — from secrets buried in Git history to dependency confusion and build provenance.

Coverage areas

41 atomic checks span these sub-domains.

  • SAST

    Static analysis of the full codebase with Semgrep and 57 custom rules.

  • DAST

    Authenticated and unauthenticated scans of the running application.

  • IAST

    Instrumented data-flow correlation during functional tests.

  • SCA

    Direct & transitive dependency CVEs, EoL packages, licenses.

  • Supply chain

    Dependency confusion, typosquatting, SBOM, artifact signing, SLSA provenance.

  • Secrets & manual audit

    Committed secrets, backdoors, AI-generated code review.

Example checks

A sample of the real checks run in this domain — each mapped to a standard and a fix.

Example Code Analysis security checks with severity, what they detect, and their standard reference.
CheckSeverityDetectsReference
Secrets in Git historyCriticalAPI keys and hardcoded passwords across the entire history.CWE-798 · MITRE T1552
SAST across the entire codebaseHighInjections, XSS, deserialization and weak crypto in legacy code.ASVS V15 · NIST SA-11
SCA of transitive dependenciesHighKnown CVEs buried in sub-dependencies.A06:2021 · ASVS V15
Dependency confusionHighInternal package names that a public namesake could supplant.CICD-SEC-3 · MITRE T1195
Behavioral analysis of packagesHighPackages that exfiltrate, download or obfuscate at install/runtime.MITRE T1195 · CWE-506
Analysis of AI-generated codeMediumInsecure patterns frequently produced by AI assistants.ASVS V1 · CWE-1177

Vulnerabilities we catch

  • Hardcoded API keys and passwords committed anywhere in Git history
  • Vulnerable direct and transitive dependencies (known CVEs)
  • Dependency confusion and typosquatting in the package tree
  • Dangerous constructs — eval, exec, deprecated and unsafe APIs
  • Missing SBOM, unsigned artifacts and builds without provenance
  • Backdoors, kill-switches and hidden conditions in the code

How remediation works and standards

Detect → explain → fix → verify

How remediation works here

Every finding in this domain is explained in plain language with its reference, fixed with a concrete change to the exact file and line, committed as a reversible Git commit, then re-checked in a real browser against a healthy baseline — so a security fix never breaks your app.

Standards behind this domain

Mapped to recognized references

  • OWASP WSTG
  • OWASP ASVS 5.0
  • OWASP API Top 10
  • OWASP MASVS 2.1
  • CIS Benchmarks
  • MITRE ATT&CK
  • CWE

FAQ

Code Analysis — questions & answers

Does it scan the whole repository or only changed files?

The entire repository. A partial, diff-only scan lets legacy vulnerabilities slip through, so securmyapp runs SAST across the full codebase and resolves the complete dependency tree.

Which scanners power the code analysis?

Semgrep (plus 57 custom securmyapp rules) for SAST, Trivy for SCA and CVEs, and gitleaks for secrets in Git history. Each scanner is optional and degrades gracefully if it is not installed.

Can it review AI-generated code?

Yes. A dedicated check specifically reviews code produced by AI assistants, which often reintroduce known insecure patterns — a frequent blind spot for vibe coders.

Get started

Audit your app in the next five minutes

Install the plugin in Claude Code, then type /securmyapp in your project. The full audit starts on its own.

Claude Code — one-time setup
/plugin marketplace add mafady/securmyapp
/plugin install securmyapp@mafady-security
/reload-plugins

View on GitHub Browse the domains

Requires Node.js 18+, Claude Code, and a paid Claude subscription. Semgrep & Playwright recommended.