Documentation · Beginner's guide
Getting started with securmyapp
This step-by-step guide is part of securmyapp, the free, open-source, 100% defensive security auditor for Claude Code. It takes you from zero to your first audit — no security expertise required. Follow the steps in order; plan about 20–30 minutes for the first install, then launching an audit takes one second.
- 20–30 min for first setup
- 598 checks · 12 domains
What you need
Everything below is free except the Claude plan. securmyapp's engine has zero dependencies to install — it works the moment you drop the skill folder in place, and if an optional scanner is missing, it simply tells you and carries on.
| Item | What it's for | Required? |
|---|---|---|
| Node.js (v18+) | Runs the skill's scanner engine | Required |
| Claude Code | The tool the skill runs in (terminal or Desktop) | Required |
| A paid Claude plan | Claude Code needs a paid plan (Pro, Max, Team…) | Required |
| Semgrep | The main scanner (code analysis) | Recommended |
| Playwright browser | Regression-tests that nothing broke after a fix | Recommended |
| Trivy · gitleaks · Checkov · nuclei | Extra scanners (deps, secrets, infra, web) | Optional |
1 · Install the prerequisites
Node.js (v18 or newer)
Check whether it's already installed — open a terminal and run:
node --version
If it prints v18 or higher, you're set. Otherwise install the LTS build from nodejs.org (Windows/macOS), or use your package manager (brew install node, apt install nodejs npm). Reopen your terminal afterwards.
Claude Code
Claude Code is the tool the skill runs in. Either option works — the skill behaves the same:
npm install -g @anthropic-ai/claude-code
…or install Claude Desktop and use its Code tab (claude.com/download). They share the same configuration, so a skill installed on one side is available on the other.
2 · Install the skill
The repository is the skill (its SKILL.md sits at the root), so installing is a single clone into your Claude Code skills folder — identical in the terminal and in Claude Desktop:
git clone https://github.com/mafady/securmyapp ~/.claude/skills/securmyapp
Restart Claude Code and you're done: there's no marketplace to add, no MCP server to register, and nothing to reload. Claude picks up the skill automatically from its description.
<your-project>/.claude/skills/securmyapp instead. No git? Download the ZIP, unzip it, and copy the folder to ~/.claude/skills/securmyapp/ — make sure SKILL.md is directly inside it.node on desktop — the old “minimal PATH” problem simply doesn't apply.3 · Install the security scanners
Scanners are small, free tools that securmyapp drives to find vulnerabilities.
Semgrep — recommended (code analysis)
# macOS
brew install semgrep
# Linux / Windows (needs Python 3)
pipx install semgrep
semgrep --version
Playwright browser — recommended (regression tests)
After each fix, securmyapp opens a real browser to confirm your app still works. Install the browser once:
npx playwright install chromium
Optional scanners
| Scanner | What it finds | Install (macOS) |
|---|---|---|
| Trivy | Vulnerable dependencies, secrets, Docker images | brew install trivy |
| gitleaks | Secrets & passwords in Git history | brew install gitleaks |
| Checkov | Infrastructure misconfigurations (Terraform, K8s…) | pipx install checkov |
| nuclei | Vulnerabilities on the running site | brew install nuclei |
On Linux/Windows each has its own install page (search “install trivy”, etc.) or installs via pipx / your package manager. Verify what securmyapp detects with node ~/.claude/skills/securmyapp/scripts/scan.mjs doctor.
4 · Verify the installation
Two quick checks:
- Confirm the file is in place:
~/.claude/skills/securmyapp/SKILL.mdexists. - Run the bundled doctor — it lists which scanners were found:
node ~/.claude/skills/securmyapp/scripts/scan.mjs doctor
Then, in your project, ask Claude to “audit my app's security” (or type /securmyapp). If it starts the audit, the skill is picked up. Otherwise, see Troubleshooting.
5 · Run your first audit
- Make sure Claude Code is open in your project folder.
- Ideally, have your app running locally (e.g.
http://localhost:3000) so regression tests can run. If not, securmyapp asks for the URL once, or audits without the browser part. - Ask Claude to audit your app's security — or type the command:
/securmyapp
Then, on its own: scoping (detects your stack + captures a healthy baseline) → autonomous audit (it checks every security domain against the catalog) → report (posture score + findings by risk) → guided remediation (it proposes the first fix and stops for your decision). Nothing is changed without your approval.
6 · Read the report
The report looks like this:
# Report securmyapp — 2026-07-11
Posture: ############-------- 64/100
Critical: 0 High: 9 Medium: 6 Low: 1
- High SQL query built by concatenation routes.js:4 (CWE-89 | A03:2021)
- High Outbound request from user input routes.js:8 (CWE-918)
- Critical Fix first — full compromise possible.
- High Serious — fix quickly.
- Medium Should be fixed.
- Low Improvement / defense in depth.
The posture score /100 rises as you fix. Each line is one finding, with the file and line and the CWE/OWASP reference.
7 · Guided remediation
This is the heart of the tool. For every fix, the flow is always the same and safe:
- It explains the vulnerability and shows the proposed fix (before / after).
- It applies the fix, then makes a Git commit — so it's reversible.
- It re-opens your app in a real browser and checks nothing broke vs. the baseline.
- It stops and asks you — the checkpoint, with 3 choices: ✅ approve · ❌ reject (roll back) · ✍️ say exactly what to do.
- It writes a memory note, then moves to the next finding.
/securmyapp again.Troubleshooting
Claude doesn't use the skill
Confirm the file is at ~/.claude/skills/securmyapp/SKILL.md (the folder must be named securmyapp with SKILL.md directly inside it). Restart Claude Code, then ask explicitly: “use the securmyapp skill to audit my app”. Also make sure Claude Code is up to date:
npm install -g @anthropic-ai/claude-code@latest
node: command not found when a scanner runs
Node.js isn't on your PATH. Install it from nodejs.org (or your package manager) and reopen your terminal. Check with node --version.
“scanner missing” in the report
Not a blocking error — securmyapp continues. Install the relevant scanner (step 3) to enable that part of the analysis. See what's detected with node ~/.claude/skills/securmyapp/scripts/scan.mjs doctor.
Frequently asked questions
Is my code or are my secrets sent anywhere?
No. The analysis engine runs entirely on your machine over a local stdio protocol. Nothing is uploaded — by design, securmyapp checks and fixes your code exactly where it lives.
Is this a hacking tool for attacking sites?
No — it is strictly defensive. It verifies your own application and provides fixes. It never produces an attack procedure, an offensive payload, or an exploitation method.
Is it free?
securmyapp and the scanners are free and open source under the MIT license. You only need Claude Code with a paid Claude plan to run it.
I don't know anything about security — can I use it?
Yes, that is exactly what it is for. The tool explains every vulnerability in plain language, proposes the fix, applies it with your approval, and checks that nothing broke.
What kinds of projects does it work on?
Web, SaaS, APIs, back-end and front-end apps, mobile, infrastructure/cloud and CI/CD. It detects your stack and only runs the checks that are relevant to your project.
How many checks does it run?
598 atomic checks across 12 domains, aligned with OWASP (WSTG, ASVS 5.0, API Security Top 10, MASVS), CIS Benchmarks, MITRE ATT&CK and CWE.
Do I have to install every scanner?
No. Semgrep alone is enough to get started (code analysis). The others (Trivy, gitleaks, Checkov, nuclei) add extra layers and are optional — securmyapp works with whatever is installed and flags what is missing.
Uninstall / update
Update to the latest version — pull inside the skill folder:
cd ~/.claude/skills/securmyapp
git pull
Uninstall — just remove the folder:
rm -rf ~/.claude/skills/securmyapp
On Windows, delete %USERPROFILE%\.claude\skills\securmyapp. To disable without deleting, rename the folder (e.g. add a .off suffix) and restart Claude Code.
Get started
Audit your app in the next five minutes
Clone the skill into ~/.claude/skills/, then ask Claude to audit your app (or type /securmyapp). The full audit starts on its own.
git clone https://github.com/mafady/securmyapp ~/.claude/skills/securmyapp
View on GitHub Browse the domains
Requires Node.js 18+, Claude Code, and a paid Claude subscription. Semgrep & Playwright recommended.