
claude-code-owasp

By: agamm · agamm/claude-code-owasp

OWASP best practices baked into Claude Code — Top 10:2025, ASVS 5.0, Agentic AI security, plus 20+ language-specific quirks.

Claude Code OWASP Skill teaches Claude to think like a security reviewer. It loads OWASP Top 10:2025 guidance, ASVS 5.0 verification standards, the new Agentic AI security guidance, and 20+ language-specific sections (JS/TS, Python, Rust, Go, Java, Ruby, etc.). Good for pre-commit review, PR review, and threat-modeling sessions.

Installation

Choose a client

~/Library/Application Support/Claude/claude_desktop_config.json  · Windows: %APPDATA%\Claude\claude_desktop_config.json
{
  "mcpServers": {
    "claude-code-owasp-skill": {
      "command": "git",
      "args": [
        "clone",
        "https://github.com/agamm/claude-code-owasp",
        "~/.claude/skills/claude-code-owasp"
      ],
      "_inferred": true
    }
  }
}

Open Claude Desktop → Settings → Developer → Edit Config. Restart the app after saving.

~/.cursor/mcp.json · .cursor/mcp.json
{
  "mcpServers": {
    "claude-code-owasp-skill": {
      "command": "git",
      "args": [
        "clone",
        "https://github.com/agamm/claude-code-owasp",
        "~/.claude/skills/claude-code-owasp"
      ],
      "_inferred": true
    }
  }
}

Cursor uses the same mcpServers schema as Claude Desktop. Project settings take precedence over global settings.

VS Code → Cline → MCP Servers → Edit
{
  "mcpServers": {
    "claude-code-owasp-skill": {
      "command": "git",
      "args": [
        "clone",
        "https://github.com/agamm/claude-code-owasp",
        "~/.claude/skills/claude-code-owasp"
      ],
      "_inferred": true
    }
  }
}

Click the MCP Servers icon in the Cline sidebar, then select "Edit Configuration".

~/.codeium/windsurf/mcp_config.json
{
  "mcpServers": {
    "claude-code-owasp-skill": {
      "command": "git",
      "args": [
        "clone",
        "https://github.com/agamm/claude-code-owasp",
        "~/.claude/skills/claude-code-owasp"
      ],
      "_inferred": true
    }
  }
}

Same format as Claude Desktop. Takes effect after restarting Windsurf.

~/.continue/config.json
{
  "mcpServers": [
    {
      "name": "claude-code-owasp-skill",
      "command": "git",
      "args": [
        "clone",
        "https://github.com/agamm/claude-code-owasp",
        "~/.claude/skills/claude-code-owasp"
      ]
    }
  ]
}

Continue uses an array of server objects rather than a map.

~/.config/zed/settings.json
{
  "context_servers": {
    "claude-code-owasp-skill": {
      "command": {
        "path": "git",
        "args": [
          "clone",
          "https://github.com/agamm/claude-code-owasp",
          "~/.claude/skills/claude-code-owasp"
        ]
      }
    }
  }
}

Add to context_servers. Zed hot-reloads on save.

claude mcp add claude-code-owasp-skill -- git clone https://github.com/agamm/claude-code-owasp ~/.claude/skills/claude-code-owasp

One-line command. Verify with claude mcp list, remove with claude mcp remove.

Use cases

Practical usage: claude-code-owasp

How to security-review a PR with OWASP Top 10 in mind

👤 Developers doing self-review before requesting human review ⏱ ~20 min intermediate

When to use: Before you click 'Ready for review' on a PR that touches auth, data, or input handling.

Prerequisites
  • Skill installed — git clone https://github.com/agamm/claude-code-owasp ~/.claude/skills/claude-code-owasp
Steps
  1. Point at the diff
    Review the current PR against OWASP Top 10:2025. Focus on auth and input handling.
    → Findings mapped to Top 10 categories with line references
  2. Prioritize
    Group findings into 'must-fix before merge' vs 'follow-up issue'. Cite the specific ASVS requirement.
    → Ranked list with ASVS IDs
  3. Generate fixes
    For each must-fix, propose the minimal diff.
    → Patch diffs keyed to findings

Result: A PR that ships with known security issues resolved, with traceable requirements.

Pitfalls
  • Over-alerting on benign patterns — Ask Claude to show the exploit path concretely; if it can't, downgrade the severity

Run a lightweight threat model on a new feature

👤 Engineers designing a feature involving user data ⏱ ~40 min advanced

When to use: Design stage, before writing the code, when the blast radius is still negotiable.

Steps
  1. Describe the feature
    Feature: share-by-link for customer reports. Users generate tokenized URLs valid 7 days. Threat-model with OWASP agentic AI guidance included.
    → STRIDE-style list of threats
  2. Pick controls
    For each threat, what's the cheapest control that mitigates 80%?
    → Per-threat control + rejection rationale for expensive ones

Result: A threat model document you can attach to the design doc.

Pitfalls
  • Over-engineered control list — Explicitly limit to top-5 threats by likelihood × impact

Harden an AI agent integration against prompt injection

👤 Engineers shipping Claude/LLM-powered features ⏱ ~30 min advanced

When to use: You're about to let an LLM touch user data or call tools.

Steps
  1. Describe the agent surface
    Our agent reads support emails and can call 3 tools: refund(), tag_account(), escalate(). Review for agentic AI risks.
    → Prompt-injection vectors, tool-misuse risks, data exfil paths
  2. Design guardrails
    Propose a minimal guardrail set: which tools need human confirm, which inputs need sanitization, what logging is required.
    → Concrete guardrail spec

Result: A hardened agent design with documented guardrails.

Pitfalls
  • Relying on prompt-based defenses alone — Combine with deterministic controls — human-in-loop for destructive tools, allowlists for URLs

Audit for language-specific security quirks

👤 Reviewers checking a codebase in a language they don't know deeply ⏱ ~15 min intermediate

When to use: You're reviewing Python code as a TS native, or vice versa.

Steps
  1. Scope to language
    Review this Python module for Python-specific OWASP quirks (pickle, yaml.load, shell=True, etc.).
    → Language-specific findings beyond generic Top 10

Result: Catches that a language-agnostic review would miss.

Combinations

Combine with other MCPs for 10x efficiency

claude-code-owasp-skill + claude-code-skill-factory-skill

Skill Factory wires OWASP checks as PreToolUse hooks for automatic gating

Use skill-factory /build hook to run OWASP review on every Write tool call in our repo.

claude-code-owasp-skill + seo-audit-skill

Overlap on security headers

Run seo-audit security category, then deeper OWASP review on the hits.

claude-code-owasp-skill + robotics-agent-skill

Secure ROS networking (rosbridge, Zenoh)

Robotics skill produced a rosbridge websocket — run OWASP review on it.

Tools

What this MCP exposes

| Tool | Input | When to call | Cost |
| --- | --- | --- | --- |
| Top 10:2025 review | diff or files | PR self-review | Claude tokens |
| ASVS requirement check | feature spec | Compliance work | Claude tokens |
| Agentic AI threat model | agent design | Shipping LLM features | Claude tokens |
| Language-specific audit | language, files | Cross-language review | Claude tokens |
| Threat model (STRIDE) | feature description | Design phase | Claude tokens |

Costs and limits

Operating cost

API quota: None
Tokens per call: 5-20k per review depending on code size
Price: Free
Scope reviews to changed files, not the whole repo.

Security

Permissions, secrets, blast radius

Credential storage: No credentials
Outbound data: Code is sent to Claude for inference

Troubleshooting

Common errors and fixes

Claude ignores OWASP context and gives generic advice

Explicitly name the guidance: 'Apply OWASP Top 10:2025 category A03:2025 Injection here.'

Too many false positives

Require an exploit walkthrough before accepting a finding

Alternatives

claude-code-owasp compared with others

| Alternative | When to use | Cons/Pros |
| --- | --- | --- |
| Semgrep / Snyk | You want deterministic static analysis in CI | Different strengths; combine both |
