🛡️ Claude Code skill · Defensive security

Audit and fix your app's security — in one command.

securmyapp is a free, open-source, 100% defensive security auditor delivered as a single Claude Code Agent Skill. It runs 598 security checks across 12 domains — aligned with OWASP, CIS, MITRE and CWE — then walks you through fixing every vulnerability one by one, with human validation and real browser regression tests so nothing breaks.

Get started free Explore the 12 domains

  • 598 checks
  • 12 domains
  • 100% defensive
  • Local & private
  • MIT · open source
Example securmyapp report: a security posture score of 64 out of 100 with findings listed by severity.
/securmyapp # Report securmyapp — 2026-07-12   Posture: ████████████░░░░░░░░ 64/100   🔴 Critical: 0 🟠 High: 9 🟡 Medium: 6 🔵 Low: 1   🟠 SQL query built by concatenation routes.js:4 (CWE-89 | A03:2021) 🟠 Outbound request from user input routes.js:8 (CWE-918 | A10:2021) 🟠 JWT verified without fixed alg routes.js:9 (CWE-347 | A02:2021) 🟡 Weak hash (MD5/SHA1) util.py:5 (CWE-327 | A02:2021) 🔵 Raw HTML assignment to the DOM routes.js:6 (CWE-79) …score rises as you fix, one by one.

Aligned with the reference security standards

  • OWASP WSTG
  • OWASP ASVS 5.0
  • OWASP API Top 10
  • OWASP MASVS 2.1
  • CIS Benchmarks
  • MITRE ATT&CK
  • CWE

Why securmyapp

Security that keeps up with the speed of AI coding

Built for developers and vibe coders who don't master application security — no expertise required.

  • Shipping fast, secured never

    AI lets you ship an app in days — but security doesn't improvise. SQLi, XSS, exposed secrets, broken JWTs, SSRF and vulnerable dependencies slip past a developer in a hurry.

  • Existing tools are painful

    They're either too complex (experts only), too partial (one scanner, one job), or they dump a list of flaws and never help you fix them.

  • securmyapp fills the gap

    One gesture runs a complete audit, finds everything across 12 domains, then fixes each issue with you — explained simply, committed safely, and regression-tested in a real browser.

How it works

One command. Two phases. Zero surprises.

From a single /securmyapp, an autonomous audit runs first — then guided remediation, always with your approval.

Phase 1 · Autonomous audit

🔬 It scans, without you

  • Scoping — detects your stack and captures a healthy baseline for regression testing.
  • Full-codebase analysis — every security domain is checked against the 598-point catalog.
  • Report — a posture score /100 and a remediation queue sorted by risk.

Phase 2 · Guided remediation

🛠️ You fix, safely

  • Every finding follows the same loop — explain, fix, commit, browser-test, checkpoint, remember.
  • A 3-choice checkpoint: ✅ approve · ❌ reject (roll back) · ✍️ say exactly what to do.
  • Irreversible actions are blocked until you explicitly approve them.
  1. Explain

    The vulnerability is described in clear language with its CWE / OWASP reference.

  2. Fix

    A concrete, minimal fix is proposed for the exact file and line.

  3. Commit

    The change lands as an atomic, reversible Git commit.

  4. Browser test

    A real browser re-runs the flow against a healthy baseline (non-regression).

  5. Checkpoint

    You decide: ✅ approve · ❌ reject (roll back) · ✍️ say exactly what to do.

  6. Memory

    Progress is saved, then securmyapp moves to the next finding.

Features

Everything you need to ship secure — and nothing you don't

  • One single action

    Type /securmyapp and the full audit starts on its own — no config, no security expertise required.

  • Finds everything

    598 atomic checks across 12 domains, aligned with OWASP, CIS, MITRE and CWE — the whole codebase, not just the diff.

  • Finds and fixes

    Every vulnerability is explained in plain language, then fixed with your approval — one by one, never in bulk.

  • Never breaks your app

    After each fix, a real browser (Playwright) verifies the app still works, and every change is a reversible Git commit.

  • 100% defensive

    It verifies and repairs your own app. It never produces an attack procedure, payload, or exploitation method.

  • Local & private

    The analysis engine runs entirely on your machine over stdio. No code and no secret is ever sent to a third party.

  • Zero dependency

    One drop-in folder — no marketplace, no MCP server, no npm install. Optional scanners degrade gracefully when absent.

  • Resumable memory

    Progress is written after each fix, so you can stop the audit and pick it up again at any time.

Coverage

598 atomic checks, mapped to real standards

Each check is tied to a recognized reference — OWASP, CIS, MITRE or CWE — and to a concrete fix.

  • 598Security checks
  • 12Domains covered
  • 57Custom Semgrep rules
  • 7Standards frameworks

Findings by severity

  • Critical · 32
  • High · 212
  • Medium · 265
  • Low · 89

Orchestrated scanners

Best-in-class open-source engines, normalized into one report

Driven by a local, zero-dependency CLI that securmyapp runs directly. Each scanner is optional — it works with what's installed and flags what's missing.

  • SemgrepStatic code analysis (SAST) + 57 custom securmyapp rules
  • TrivyDependencies (SCA), secrets, misconfigurations, images
  • gitleaksSecrets committed in Git history
  • CheckovInfrastructure as Code (Terraform, K8s, Dockerfile)
  • nucleiRunning HTTP surface (DAST baseline)

🛡️ Strictly defensive

It repairs your app. It never attacks.

securmyapp is a 100% defensive tool. It verifies your own application and provides fixes. It never produces an exploitation procedure, an offensive payload, or an attack method.

🔒 Local & private

Your code never leaves your machine.

The analysis engine runs entirely on your machine over a local stdio protocol. No code and no secret is sent to any third party — by design.

FAQ

Frequently asked questions

What is securmyapp?

securmyapp is a free, open-source, defensive security auditor delivered as a single Claude Code Agent Skill. It runs 598 security checks across 12 domains, explains every finding in plain language, and guides you to fix each one — with mandatory human validation and real browser regression tests.

How do I install it?

One command: clone the repository into your Claude Code skills folder — git clone https://github.com/mafady/securmyapp ~/.claude/skills/securmyapp — then ask Claude to "audit my app's security" (or type /securmyapp). No marketplace, no MCP server, no npm install, no reload.

How many security checks does it run?

598 atomic checks organized into 12 domains, aligned with OWASP (WSTG, ASVS 5.0, API Security Top 10, MASVS), CIS Benchmarks, MITRE ATT&CK and CWE. The severity breakdown is 32 Critical, 212 High, 265 Medium and 89 Low.

Is my code sent anywhere?

No. The analysis engine runs entirely on your machine over a local stdio protocol. No code and no secret leaves your environment — securmyapp checks and fixes your app exactly where it lives.

Is it offensive or defensive?

100% defensive. securmyapp is designed to verify and repair your own application and to provide fixes. It never produces an exploitation procedure, an offensive payload, or an attack method.

Will it break my application?

It is built not to. After every fix, a real browser (Playwright) checks the app against a healthy baseline, each change is an atomic reversible Git commit, and irreversible actions (secret rotation, resource deletion, DROP…) are blocked until you explicitly approve them.

What do I need to run it?

Node.js 18+, Claude Code (terminal or the Claude Desktop Code tab) and a paid Claude subscription. Semgrep and the Playwright browser are recommended; Trivy, gitleaks, Checkov and nuclei are optional and used when present.

How much does it cost?

securmyapp is free and open source under the MIT license, including for commercial use. You only need Claude Code with a paid Claude plan to run it.

Get started

Audit your app in the next five minutes

Clone the skill into ~/.claude/skills/, then ask Claude to audit your app (or type /securmyapp). The full audit starts on its own.

Install — one command
git clone https://github.com/mafady/securmyapp ~/.claude/skills/securmyapp

View on GitHub Browse the domains

New to Claude Code? Follow the step-by-step getting started guide.

Requires Node.js 18+, Claude Code, and a paid Claude subscription. Semgrep & Playwright recommended.