Documentation · Beginner's guide

Getting started with securmyapp

This step-by-step guide is part of securmyapp, the free, open-source, 100% defensive security auditor for Claude Code. It takes you from zero to your first audit — no security expertise required. Follow the steps in order; plan about 20–30 minutes for the first install, then launching an audit takes one second.

  • 20–30 min for first setup
  • 598 checks · 12 domains

Start the setup GitHub

What you need

Everything below is free except the Claude plan. securmyapp's engine has zero dependencies to install — it works the moment you drop the skill folder in place, and if an optional scanner is missing, it simply tells you and carries on.

What you need to run securmyapp.
ItemWhat it's forRequired?
Node.js (v18+)Runs the skill's scanner engineRequired
Claude CodeThe tool the skill runs in (terminal or Desktop)Required
A paid Claude planClaude Code needs a paid plan (Pro, Max, Team…)Required
SemgrepThe main scanner (code analysis)Recommended
Playwright browserRegression-tests that nothing broke after a fixRecommended
Trivy · gitleaks · Checkov · nucleiExtra scanners (deps, secrets, infra, web)Optional

1 · Install the prerequisites

Node.js (v18 or newer)

Check whether it's already installed — open a terminal and run:

Terminal
node --version

If it prints v18 or higher, you're set. Otherwise install the LTS build from nodejs.org (Windows/macOS), or use your package manager (brew install node, apt install nodejs npm). Reopen your terminal afterwards.

Claude Code

Claude Code is the tool the skill runs in. Either option works — the skill behaves the same:

Terminal (CLI)
npm install -g @anthropic-ai/claude-code

…or install Claude Desktop and use its Code tab (claude.com/download). They share the same configuration, so a skill installed on one side is available on the other.

Claude Code requires a paid Claude plan (Pro, Max, Team…). It doesn't run on the free tier.

2 · Install the skill

The repository is the skill (its SKILL.md sits at the root), so installing is a single clone into your Claude Code skills folder — identical in the terminal and in Claude Desktop:

One command
git clone https://github.com/mafady/securmyapp ~/.claude/skills/securmyapp

Restart Claude Code and you're done: there's no marketplace to add, no MCP server to register, and nothing to reload. Claude picks up the skill automatically from its description.

Project-only install (committed with a repo, shared with your team): clone into <your-project>/.claude/skills/securmyapp instead. No git? Download the ZIP, unzip it, and copy the folder to ~/.claude/skills/securmyapp/ — make sure SKILL.md is directly inside it.
Because the scanners run through a bundled script (via the Bash tool), there is no MCP server that could fail to find node on desktop — the old “minimal PATH” problem simply doesn't apply.

3 · Install the security scanners

Scanners are small, free tools that securmyapp drives to find vulnerabilities.

To start, just install Semgrep (the most important one). The rest are optional and you can add them later. Without them, securmyapp still runs — it just reports “scanner missing” for those parts.

Semgrep — recommended (code analysis)

Install Semgrep
# macOS
brew install semgrep

# Linux / Windows (needs Python 3)
pipx install semgrep

semgrep --version

Playwright browser — recommended (regression tests)

After each fix, securmyapp opens a real browser to confirm your app still works. Install the browser once:

Terminal
npx playwright install chromium

Optional scanners

Optional securmyapp scanners.
ScannerWhat it findsInstall (macOS)
TrivyVulnerable dependencies, secrets, Docker imagesbrew install trivy
gitleaksSecrets & passwords in Git historybrew install gitleaks
CheckovInfrastructure misconfigurations (Terraform, K8s…)pipx install checkov
nucleiVulnerabilities on the running sitebrew install nuclei

On Linux/Windows each has its own install page (search “install trivy”, etc.) or installs via pipx / your package manager. Verify what securmyapp detects with node ~/.claude/skills/securmyapp/scripts/scan.mjs doctor.

4 · Verify the installation

Two quick checks:

  • Confirm the file is in place: ~/.claude/skills/securmyapp/SKILL.md exists.
  • Run the bundled doctor — it lists which scanners were found:
Terminal
node ~/.claude/skills/securmyapp/scripts/scan.mjs doctor

Then, in your project, ask Claude to “audit my app's security” (or type /securmyapp). If it starts the audit, the skill is picked up. Otherwise, see Troubleshooting.

5 · Run your first audit

  1. Make sure Claude Code is open in your project folder.
  2. Ideally, have your app running locally (e.g. http://localhost:3000) so regression tests can run. If not, securmyapp asks for the URL once, or audits without the browser part.
  3. Ask Claude to audit your app's security — or type the command:
Terminal
/securmyapp

Then, on its own: scoping (detects your stack + captures a healthy baseline) → autonomous audit (it checks every security domain against the catalog) → report (posture score + findings by risk) → guided remediation (it proposes the first fix and stops for your decision). Nothing is changed without your approval.

The first audit can take a few minutes depending on project size and installed scanners. That's normal.

6 · Read the report

The report looks like this:

Report
# Report securmyapp — 2026-07-11

Posture: ############--------  64/100

Critical: 0   High: 9   Medium: 6   Low: 1

- High   SQL query built by concatenation   routes.js:4  (CWE-89 | A03:2021)
- High   Outbound request from user input   routes.js:8  (CWE-918)
  • Critical Fix first — full compromise possible.
  • High Serious — fix quickly.
  • Medium Should be fixed.
  • Low Improvement / defense in depth.

The posture score /100 rises as you fix. Each line is one finding, with the file and line and the CWE/OWASP reference.

You don't need to understand everything. securmyapp explains each finding in plain language when it's time to fix it.

7 · Guided remediation

This is the heart of the tool. For every fix, the flow is always the same and safe:

  1. It explains the vulnerability and shows the proposed fix (before / after).
  2. It applies the fix, then makes a Git commit — so it's reversible.
  3. It re-opens your app in a real browser and checks nothing broke vs. the baseline.
  4. It stops and asks you — the checkpoint, with 3 choices: ✅ approve · ❌ reject (roll back) · ✍️ say exactly what to do.
  5. It writes a memory note, then moves to the next finding.
Built-in safety. No fix is auto-approved — you decide every time. Every fix is a reversible Git commit. Irreversible actions (rotating a secret, deleting a resource, dropping a database…) are blocked until you explicitly approve. You can stop anytime and resume later by running /securmyapp again.

Troubleshooting

Claude doesn't use the skill

Confirm the file is at ~/.claude/skills/securmyapp/SKILL.md (the folder must be named securmyapp with SKILL.md directly inside it). Restart Claude Code, then ask explicitly: “use the securmyapp skill to audit my app”. Also make sure Claude Code is up to date:

Terminal
npm install -g @anthropic-ai/claude-code@latest

node: command not found when a scanner runs

Node.js isn't on your PATH. Install it from nodejs.org (or your package manager) and reopen your terminal. Check with node --version.

“scanner missing” in the report

Not a blocking error — securmyapp continues. Install the relevant scanner (step 3) to enable that part of the analysis. See what's detected with node ~/.claude/skills/securmyapp/scripts/scan.mjs doctor.

Stuck? Inside Claude Code you can just ask: “the securmyapp skill isn't triggering, what's wrong?” — it can inspect the folder and help.

Frequently asked questions

Is my code or are my secrets sent anywhere?

No. The analysis engine runs entirely on your machine over a local stdio protocol. Nothing is uploaded — by design, securmyapp checks and fixes your code exactly where it lives.

Is this a hacking tool for attacking sites?

No — it is strictly defensive. It verifies your own application and provides fixes. It never produces an attack procedure, an offensive payload, or an exploitation method.

Is it free?

securmyapp and the scanners are free and open source under the MIT license. You only need Claude Code with a paid Claude plan to run it.

I don't know anything about security — can I use it?

Yes, that is exactly what it is for. The tool explains every vulnerability in plain language, proposes the fix, applies it with your approval, and checks that nothing broke.

What kinds of projects does it work on?

Web, SaaS, APIs, back-end and front-end apps, mobile, infrastructure/cloud and CI/CD. It detects your stack and only runs the checks that are relevant to your project.

How many checks does it run?

598 atomic checks across 12 domains, aligned with OWASP (WSTG, ASVS 5.0, API Security Top 10, MASVS), CIS Benchmarks, MITRE ATT&CK and CWE.

Do I have to install every scanner?

No. Semgrep alone is enough to get started (code analysis). The others (Trivy, gitleaks, Checkov, nuclei) add extra layers and are optional — securmyapp works with whatever is installed and flags what is missing.

Uninstall / update

Update to the latest version — pull inside the skill folder:

Terminal
cd ~/.claude/skills/securmyapp
git pull

Uninstall — just remove the folder:

Terminal
rm -rf ~/.claude/skills/securmyapp

On Windows, delete %USERPROFILE%\.claude\skills\securmyapp. To disable without deleting, rename the folder (e.g. add a .off suffix) and restart Claude Code.

Back to the securmyapp home page

Get started

Audit your app in the next five minutes

Clone the skill into ~/.claude/skills/, then ask Claude to audit your app (or type /securmyapp). The full audit starts on its own.

Install — one command
git clone https://github.com/mafady/securmyapp ~/.claude/skills/securmyapp

View on GitHub Browse the domains

Requires Node.js 18+, Claude Code, and a paid Claude subscription. Semgrep & Playwright recommended.