Clover — Claude Code Security Plugin
Automatically reviews implementation plans for security requirements before code is written.
How it works
When you exit plan mode in Claude Code, Clover intercepts the plan, sends it for security analysis, and injects any missing security requirements back into the plan before implementation begins.
Install
1. Add the Clover marketplace:
claude plugin marketplace add https://github.com/clover-security/clover-claude-plugin.git
2. Install the plugin:
claude plugin install clover
You'll be prompted for:
- server_url — your Clover API server URL (e.g.
https://app.cloversec.io)
- auth_url — your Frontegg auth URL (e.g.
https://clover.frontegg.com)
- client_id — API client ID (from Clover Settings > API Tokens)
- client_secret — API client secret
What happens
- You create a plan in Claude Code
- When you exit plan mode → Clover reviews the plan
- If security requirements are missing → Claude updates the plan
- You approve the final plan → implementation begins
Configuration
Override via environment variables:
export CAS_CLOVER_PLUGIN_SERVER_URL=https://app.cloversec.io
export CAS_CLOVER_PLUGIN_AUTH_URL=https://clover.frontegg.com
export CAS_CLOVER_PLUGIN_CLIENT_ID=your-client-id
export CAS_CLOVER_PLUGIN_CLIENT_SECRET=your-client-secret
Skills
-
/security-requirements <mode> — Claude silently threat-models the work in flight, prints a short ## Threats considered block, and folds mitigations into the plan. No questions asked. Modes:
threat-questions — STRIDE pass over the current plan/request when it touches auth, user input, sensitive data, network, or third-party APIs.
Also fires proactively when a plan touches a sensitive area.
Logs
Debug logs at /tmp/clover-hook.log
Privacy
This project is subject to the privacy practices described in our Privacy Policy:
🔒 Privacy Policy
