Security Testing

Security scans MUST be run as part of post-generation verification (agenticdevelopercookbook://guidelines/testing/post-generation-verification). These are CLI tools Claude Code can invoke directly.

Static Analysis (SAST):

  • Semgrep — all languages: semgrep scan --config=auto .
  • Bandit — Python: bandit -r src/
  • CodeQL — deep analysis (Swift, Kotlin, C#, Python, TS, Go)

Dependency Scanning:

  • Python: pip-audit
  • Node.js: npm audit
  • .NET: dotnet list package --vulnerable
  • All: Snyk CLI (snyk test)

Dynamic Analysis (DAST):

  • OWASP ZAP — scan running web services: zap-cli quick-scan http://localhost:8888
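
Added example (not part of the cookbook): a small gate script that runs the SAST and dependency scanners listed above against a project directory, skipping tools that are not installed, and exits non-zero if any scanner that did run reported a problem. The marker files used to detect a stack (requirements.txt, pyproject.toml, package.json, *.csproj/*.sln) are assumptions; the ZAP scan is left out because it needs a running service.

```shell
#!/usr/bin/env sh
# Added example, not part of the cookbook: run the SAST and dependency
# scanners listed above as one gate. The marker files used to pick a stack
# (requirements.txt, pyproject.toml, package.json, *.csproj/*.sln) are assumptions.

# Print the scanner commands that apply to project directory $1, one per line.
select_scans() {
  dir="${1:-.}"
  # Semgrep covers every language; --error turns findings into a non-zero exit.
  echo "semgrep scan --config=auto --error ."
  if [ -f "$dir/requirements.txt" ] || [ -f "$dir/pyproject.toml" ]; then
    echo "bandit -r src/"
    echo "pip-audit"
  fi
  if [ -f "$dir/package.json" ]; then
    echo "npm audit"
  fi
  for f in "$dir"/*.csproj "$dir"/*.sln; do
    if [ -f "$f" ]; then echo "dotnet list package --vulnerable"; break; fi
  done
  echo "snyk test"
}

# Read commands from stdin, run each one whose tool is on PATH from inside $1,
# skip the rest, and return 1 if any scanner that ran exited non-zero.
run_scans() {
  dir="${1:-.}"
  failed=0
  while IFS= read -r cmd; do
    [ -n "$cmd" ] || continue
    tool="${cmd%% *}"
    if ! command -v "$tool" >/dev/null 2>&1; then
      echo "SKIP (not installed): $cmd" >&2
      continue
    fi
    if (cd "$dir" && sh -c "$cmd" </dev/null); then
      echo "PASS: $cmd" >&2
    else
      echo "FAIL: $cmd" >&2
      failed=1
    fi
  done
  return "$failed"
}

# Entry point: sh security-gate.sh path/to/project (no argument: define only).
if [ "$#" -gt 0 ]; then
  select_scans "$1" | run_scans "$1"
fi
```

The script's exit status is the gate result, so it can be the last step of the post-generation verification run.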

See agenticdevelopercookbook://guidelines/implementing/security/* (Security Guidelines) for the full security reference.

version: 1.0.3
platforms: csharp, kotlin, python, swift, typescript, web
tags: security-testing, testing
author: Mike Fullerton
modified: 2026-06-09

Change History

Version  Date        Author          Summary
1.0.3    2026-06-09  Mike Fullerton  Repair stale cross-reference link scheme
1.0.2    2026-04-09  Mike Fullerton  Add trigger tags
1.0.1    2026-04-09  Mike Fullerton  Reorganize into use-case directory
1.0.0    2026-03-27  Mike Fullerton  Initial creation