AI代码安全审计工具 - 智能漏洞扫描与误报过滤 | GitHub Actions集成

code-security-audit by leonmelamud/claude-code-security-review

123 周安装量

2 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/leonmelamud/claude-code-security-review --skill code-security-audit

自动化开发运维安全

🇨🇳中文介绍

代码安全审计

基于人工智能的代码变更安全审计，具备误报过滤功能。基于 claude-code-security-review。

捆绑资源

claude-code-security-review/
├── SKILL.md                          # 本文件 — 工作流程和说明
├── action.yml                        # GitHub Actions 复合操作定义
├── claudecode/                       # Python 包 (导入: from claudecode.*)
│   ├── __init__.py                   # 包初始化 — 重新导出主要入口点
│   ├── audit.py                      # 入口点 — 包装 github_action_audit
│   ├── github_action_audit.py        # GitHub Action 审计运行器 (PR 获取, Claude 运行器, 过滤管道)
│   ├── prompts.py                    # 安全审计提示模板
│   ├── findings_filter.py            # 硬性排除规则 + Claude API 误报过滤
│   ├── claude_api_client.py          # 用于单条发现项分析的 Claude API 客户端
│   ├── json_parser.py               # 从文本中稳健提取 JSON (代码块, 嵌套花括号)
│   ├── constants.py                  # 配置: 模型名称, 超时时间, 令牌限制, 退出代码
│   ├── logger.py                     # 带 GitHub 上下文前缀的标准错误日志
│   ├── requirements.txt              # Python 依赖: anthropic, requests, PyGithub
│   └── evals/                        # 评估框架
│       ├── run_eval.py               # CLI: python -m claudecode.evals.run_eval owner/repo#123
│       └── eval_engine.py            # Git 工作树管理 + SAST 运行器
├── scripts/                          # 独立脚本 (非 Python 包)
│   └── comment-pr-findings.js        # 将发现项作为 PR 审查评论发布的 Node.js 脚本
├── references/                       # 按需加载到上下文中的知识
│   ├── false-positive-filtering.md   # 20 条硬性排除规则, 信号质量标准, 12 个先例
│   ├── custom-scan-instructions.md   # 行业模板 (合规, 金融服务, 电子商务, GraphQL)
│   ├── custom-false-positive-filtering.txt   # 自定义误报过滤规则示例
│   └── custom-security-scan-instructions.txt # 自定义扫描类别示例
└── assets/                           # 输出中使用的文件
    └── security-review-command.md    # Claude Code /security-review 斜杠命令模板

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

手动审计工作流程

在直接审计代码变更时使用此流程 (无需 CI 脚本)。

git diff --merge-base origin/main        # 分支差异
git diff --cached                         # 已暂存的变更
git diff HEAD~N                           # 最近 N 次提交
git diff --name-only origin/main...       # 列出修改的文件

阶段 1 — 上下文研究: 识别代码库中的安全框架、ORM、身份验证库、清理模式和信任边界。

阶段 2 — 比较分析: 将新代码与已建立的安全模式进行比较。标记偏差、不一致之处和新的攻击面。

阶段 3 — 漏洞评估: 检查每个修改过的文件是否存在以下问题：

输入验证: SQL 注入、命令注入、XXE、模板注入、NoSQL 注入、路径遍历
身份验证与授权: 身份验证绕过、权限提升、会话缺陷、JWT 漏洞
加密与密钥: 硬编码的密钥/令牌、弱算法、密钥存储不当
代码执行: 通过反序列化、pickle/YAML 注入、eval 注入、XSS 导致的 RCE
数据泄露: 敏感数据记录、PII 违规、API 泄漏、调试信息暴露

追踪从用户输入到敏感操作的数据流。寻找权限边界跨越。

加载 references/false-positive-filtering.md 并应用所有规则。为每个发现项分配 1-10 的置信度；仅保留置信度 ≥ 8 的发现项。

对于特定领域的类别，加载 references/custom-scan-instructions.md。

# 漏洞 N: [类别]: `file.ts:42`

* 严重性: 高 | 中
* 置信度: 8/10
* 描述: [漏洞是什么]
* 利用场景: [具体的攻击路径]
* 建议: [具体的修复方案]

GitHub Action 集成

通过 CI 在 PR 上运行自动化安全审计。需要 ANTHROPIC_API_KEY 和 GITHUB_TOKEN。

pip install -r claudecode/requirements.txt

变量	是否必需	用途
`ANTHROPIC_API_KEY`	是	Claude API 访问权限
`GITHUB_TOKEN`	是	用于获取 PR 数据的 GitHub API 访问权限
`GITHUB_REPOSITORY`	是	`所有者/仓库` 格式
`PR_NUMBER`	是	拉取请求编号
`EXCLUDE_DIRECTORIES`	否	要跳过的目录，以逗号分隔
`ENABLE_CLAUDE_FILTERING`	否	`true` 表示使用 Claude API 进行误报过滤
`FALSE_POSITIVE_FILTERING_INSTRUCTIONS`	否	自定义过滤规则文件路径
`CUSTOM_SECURITY_SCAN_INSTRUCTIONS`	否	自定义扫描类别文件路径

python claudecode/audit.py

输出为 JSON 格式，包含 findings、analysis_summary 和 filtering_summary。

GitHub Actions 工作流程

name: 安全审查
permissions:
  pull-requests: write
  contents: read
on:
  pull_request:
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          fetch-depth: 2
      - uses: anthropics/claude-code-security-review@main
        with:
          comment-pr: true
          claude-api-key: ${{ secrets.CLAUDE_API_KEY }}

将发现项作为内联审查评论发布：

node scripts/comment-pr-findings.js

从当前工作目录读取 findings.json。需要 GITHUB_TOKEN 和 GITHUB_EVENT_PATH。

自定义文件示例

查看 references/ 目录中的示例自定义文件：

references/custom-false-positive-filtering.txt — 自定义误报过滤规则模板
references/custom-security-scan-instructions.txt — 自定义扫描类别模板

针对任何公共 PR 测试审计功能：

export ANTHROPIC_API_KEY=sk-...
python -m claudecode.evals.run_eval owner/repo#123 --verbose

结果以 JSON 格式保存到 ./eval_results/，包含发现项、运行时间和成功状态。

将 assets/security-review-command.md 复制到任何项目的 .claude/commands/security-review.md 中，即可在 Claude Code 中启用 /security-review 命令。

最小化误报 — 仅标记可利用率 >80% 置信度的问题
跳过噪音 — 不报告理论性问题、风格问题或低影响发现项
关注影响 — 优先处理未经授权的访问、数据泄露、系统被攻陷
仅关注新问题 — 不对已存在的安全问题发表评论
宁可遗漏理论性问题，也不要充斥误报

高 : 可直接利用 → RCE、数据泄露、身份验证绕过
中 : 需要特定条件但影响重大
不报告低严重性发现项

🇺🇸English

Code Security Audit

AI-powered security audit for code changes with false positive filtering. Based on claude-code-security-review.

Bundled Resources

claude-code-security-review/
├── SKILL.md                          # This file — workflow and instructions
├── action.yml                        # GitHub Actions composite action definition
├── claudecode/                       # Python package (imports: from claudecode.*)
│   ├── __init__.py                   # Package init — re-exports main entry points
│   ├── audit.py                      # Entry point — wraps github_action_audit
│   ├── github_action_audit.py        # GitHub Action audit runner (PR fetch, Claude runner, filter pipeline)
│   ├── prompts.py                    # Security audit prompt templates
│   ├── findings_filter.py            # Hard exclusion rules + Claude API false positive filtering
│   ├── claude_api_client.py          # Claude API client for single-finding analysis
│   ├── json_parser.py               # Robust JSON extraction from text (code blocks, nested braces)
│   ├── constants.py                  # Config: model name, timeouts, token limits, exit codes
│   ├── logger.py                     # Stderr logging with GitHub context prefix
│   ├── requirements.txt              # Python deps: anthropic, requests, PyGithub
│   └── evals/                        # Evaluation framework
│       ├── run_eval.py               # CLI: python -m claudecode.evals.run_eval owner/repo#123
│       └── eval_engine.py            # Git worktree management + SAST runner
├── scripts/                          # Standalone scripts (non-Python-package)
│   └── comment-pr-findings.js        # Node.js script to post findings as PR review comments
├── references/                       # Knowledge loaded into context as needed
│   ├── false-positive-filtering.md   # 20 hard exclusions, signal quality criteria, 12 precedents
│   ├── custom-scan-instructions.md   # Industry templates (compliance, finserv, e-commerce, GraphQL)
│   ├── custom-false-positive-filtering.txt   # Example custom FP filtering rules
│   └── custom-security-scan-instructions.txt # Example custom scan categories
└── assets/                           # Files used in output
    └── security-review-command.md    # Claude Code /security-review slash command template

Manual Audit Workflow

Use this when auditing code changes directly (without CI scripts).

1. Gather Changes

git diff --merge-base origin/main        # Branch diff
git diff --cached                         # Staged changes
git diff HEAD~N                           # Last N commits
git diff --name-only origin/main...       # List modified files

2. Three-Phase Analysis

Phase 1 — Context Research: Identify security frameworks, ORMs, auth libraries, sanitization patterns, and trust boundaries in the codebase.

Phase 2 — Comparative Analysis: Compare new code against established secure patterns. Flag deviations, inconsistencies, and new attack surfaces.

Phase 3 — Vulnerability Assessment: Check each modified file for:

Input Validation: SQL injection, command injection, XXE, template injection, NoSQL injection, path traversal
Auth & Authz: Auth bypass, privilege escalation, session flaws, JWT vulnerabilities
Crypto & Secrets: Hardcoded keys/tokens, weak algorithms, improper key storage
Code Execution: RCE via deserialization, pickle/YAML injection, eval injection, XSS
Data Exposure: Sensitive data logging, PII violations, API leakage, debug exposure

Trace data flow from user inputs to sensitive operations. Look for privilege boundary crossings.

3. Filter False Positives

Load references/false-positive-filtering.md and apply all rules. Assign confidence 1-10 per finding; only keep findings with confidence ≥ 8.

For domain-specific categories, load references/custom-scan-instructions.md.

4. Output Format

# Vuln N: [Category]: `file.ts:42`

* Severity: HIGH | MEDIUM
* Confidence: 8/10
* Description: [What the vulnerability is]
* Exploit Scenario: [Concrete attack path]
* Recommendation: [Specific fix]

GitHub Action Integration

Run automated security audits on PRs via CI. Requires ANTHROPIC_API_KEY and GITHUB_TOKEN.

Setup

pip install -r claudecode/requirements.txt

Environment Variables

Variable	Required	Purpose
`ANTHROPIC_API_KEY`	Yes	Claude API access
`GITHUB_TOKEN`	Yes	GitHub API access for PR data
`GITHUB_REPOSITORY`	Yes	`owner/repo` format
`PR_NUMBER`	Yes	Pull request number
`EXCLUDE_DIRECTORIES`

Run

python claudecode/audit.py

Output is JSON with findings, analysis_summary, and filtering_summary.

GitHub Actions Workflow

name: Security Review
permissions:
  pull-requests: write
  contents: read
on:
  pull_request:
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          fetch-depth: 2
      - uses: anthropics/claude-code-security-review@main
        with:
          comment-pr: true
          claude-api-key: ${{ secrets.CLAUDE_API_KEY }}

PR Commenting

Post findings as inline review comments:

node scripts/comment-pr-findings.js

Reads findings.json from cwd. Requires GITHUB_TOKEN and GITHUB_EVENT_PATH.

Example Customization Files

See references/ for sample customization files:

references/custom-false-positive-filtering.txt — Template for custom FP filtering rules
references/custom-security-scan-instructions.txt — Template for custom scan categories

Evaluation Framework

Test the audit against any public PR:

export ANTHROPIC_API_KEY=sk-...
python -m claudecode.evals.run_eval owner/repo#123 --verbose

Results saved to ./eval_results/ as JSON with findings, runtime, and success status.

Slash Command

Copy assets/security-review-command.md to .claude/commands/security-review.md in any project to enable /security-review in Claude Code.

Key Principles

Minimize false positives — only flag issues with >80% confidence of exploitability
Skip noise — no theoretical issues, style concerns, or low-impact findings
Focus on impact — prioritize unauthorized access, data breaches, system compromise
Only new issues — do not comment on pre-existing security concerns
Better to miss theoretical issues than flood with false positives

Severity Guidelines

HIGH : Directly exploitable → RCE, data breach, auth bypass
MEDIUM : Requires specific conditions but significant impact
Do NOT report LOW severity findings

Weekly Installs

105

Repository

leonmelamud/cla…y-review

GitHub Stars

First Seen

Feb 22, 2026

Security Audits

Gen Agent Trust HubPass SocketWarn SnykWarn

Installed on

github-copilot104

kimi-cli101

gemini-cli101

amp101

codex101

opencode101

Azure Data Explorer (Kusto) 查询技能：KQL数据分析、日志遥测与时间序列处理

138,800 周安装

AI代码安全审计工具 - 智能漏洞扫描与误报过滤 | GitHub Actions集成

🇨🇳中文介绍

代码安全审计

捆绑资源

相关 Skills

手动审计工作流程

1. 收集变更

2. 三阶段分析

3. 过滤误报

4. 输出格式