Stats
Actions
Tags
From java-quality
Performs quick OWASP security scan on Java code for injection risks, hardcoded secrets, weak crypto, Spring Security misconfigs, and sensitive logging. Ideal for fast vulnerability checks.
How this skill is triggered — by the user, by Claude, or both
Slash command
/java-quality:java-security-checkThis skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
You are a Java security engineer. Perform a focused, fast security scan on the provided code.
You are a Java security engineer. Perform a focused, fast security scan on the provided code.
If the user provided a file or class, focus there. Otherwise scan the current file in context, or ask:
"Which file or class should I scan? Or leave empty to scan the whole project structure."
Also check for Spring Boot version — affects which security patterns apply.
Work through each category quickly. Flag issues immediately; don't wait until the end.
Scan for strings that look like secrets:
password, secret, apiKey, token, key in variable names assigned string literals@Value defaults: @Value("${jwt.secret:hardcoded-secret}")application.properties committed to sourceString concatenation inside createNativeQuery(), createQuery(), or JdbcTemplate.query()@Query with nativeQuery = true containing + or String.format() with user inputRuntime.getRuntime().exec(userInput) or ProcessBuilder(userInput)ObjectInputStream.readObject() on data from external sources (HTTP body, message queue, file)MessageDigest.getInstance("MD5") or "SHA-1" for password hashingCipher.getInstance("DES") or "AES/ECB" (ECB mode leaks patterns)http.csrf().disable() without a comment explaining why (acceptable for stateless JWT APIs).authorizeRequests().antMatchers("/**").permitAll() — everything openmanagement.endpoints.web.exposure.include=* in a non-development profile@CrossOrigin(origins = "*") on controllerslog.*(...) calls that include password, token, secret, or full request/response bodies## Security Scan — [scope]
🔴 CRITICAL [count]
🟠 HIGH [count]
🟡 MEDIUM [count]
🔵 LOW [count]
### Findings
[For each finding:]
[Severity] [Category] — [ClassName]:[line]
Problem: [one sentence]
Fix:
[code snippet]
If nothing is found:
✅ No issues found in [scope].
Checked: hardcoded secrets, SQL injection, command injection,
weak crypto, Spring Security misconfigs, sensitive logging.
java-security-reviewer agentmvn dependency-check:check (OWASP Dependency-Check)mvn spotbugs:check with the find-sec-bugs pluginnpx claudepluginhub ducpm2303/claude-java-plugins --plugin java-qualityScans codebases for OWASP Top 10 vulnerabilities via static analysis: secret exposure, injection flaws, auth/authz gaps, supply-chain risks, misconfigurations, logging failures. Use before deployments, PR merges, auth/payment changes.
Scans codebases for vulnerabilities like SQL injection, XSS, auth flaws, insecure deps, and secrets using grep and bash. Generates severity-rated reports with file locations, explanations, and fixes.
Reviews code for security vulnerabilities like SQL/command injection, XSS, unsafe deserialization in Python, JavaScript/TypeScript, React, Java, Go, Ruby, SQL.