Shield: Open-Source Security Plugin for Claude Code with Unified Scanning

Shield Security Plugin for Claude Code
Shield is an open-source security plugin for Claude Code that orchestrates multiple security scanning tools through a single command interface. It provides automated security analysis with consolidated reporting and remediation suggestions.
Core Functionality
The plugin is accessed via the /shield:shield command inside Claude Code. It automatically detects your technology stack and runs whichever security tools you have installed, including:
- Semgrep SAST (Static Application Security Testing)
- gitleaks for secrets scanning
- npm/pip/composer audit for dependency vulnerabilities
- Shannon pentester
All findings are consolidated into a unified report with a 0-100 risk score and proposed code fixes with diffs.
Real-World Test Results
The developer tested Shield on their own Next.js monorepo and found:
- 36 dependency vulnerabilities (1 CRITICAL, 26 HIGH)
- 103 secrets in git history (AWS keys, Stripe tokens, OpenAI API keys)
- 77 SAST findings (XSS, hardcoded credentials, missing SRI)
- A .env file with production credentials tracked in git that wasn't previously known
After fixing 3 direct dependencies and removing the exposed .env file, the project went from 36 vulnerabilities to 0.
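A tracked .env file like the one in the list above can be checked for directly with git. The script below is an added example, not part of Shield or the original post; the function names, the file-name pattern and the throwaway demo repository are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Shield's code. Function names and the file-name pattern are assumptions.

# Keep dotenv paths (.env, .env.local, apps/web/.env.production); drop template files.
is_dotenv() {
  grep -E '(^|/)\.env(\.[^/]+)?$' | grep -Ev '\.(example|sample|template)$' || true
}

# Dotenv files in the index right now.
tracked_env_files() {
  git -C "$1" ls-files | is_dotenv
}

# Dotenv files added by any commit on any ref; these stay readable after "git rm".
env_files_in_history() {
  git -C "$1" log --all --diff-filter=A --name-only --format= | is_dotenv | sort -u
}

# Constructed sample: a throwaway repo where .env was committed once, then untracked.
build_demo_repo() {
  demo=$(mktemp -d)
  g() { git -C "$demo" -c user.name=demo -c user.email=demo@example.invalid \
            -c commit.gpgsign=false "$@"; }
  g init -q
  printf 'API_KEY=constructed-placeholder\n' > "$demo/.env"
  printf 'API_KEY=\n' > "$demo/.env.example"
  g add -f .env .env.example
  g commit -q -m 'initial commit'
  g rm -q --cached .env
  g commit -q -m 'stop tracking .env'
  echo "$demo"
}

# Usage: sh check_dotenv.sh /path/to/repo
if [ -n "${1:-}" ]; then
  echo "Tracked now:";    tracked_env_files "$1"
  echo "Ever committed:"; env_files_in_history "$1"
fi
```

Untracking the file leaves every earlier copy in the history, so credentials that show up under "Ever committed" should be rotated.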
Key Features
- 6 operation modes: full, quick, fix, verify, score, outdated
- 34 custom Semgrep rules for JS/TS, Python, and PHP
- Dependency freshness check with SECURITY/MAJOR/MINOR/PATCH classification
- OWASP Top 10 / CWE / SOC 2 / PCI-DSS / HIPAA compliance mapping
- SARIF output for GitHub Security tab integration
- Security score badge for README files
- Graceful degradation — runs whatever tools you have installed
- 189 unit tests, MIT licensed
Installation
To install Shield:
    git clone https://github.com/alissonlinneker/shield-claude-skill.git
    cd shield-claude-skill && ./install.sh
    # Inside Claude Code:
    /plugin marketplace add /path/to/shield-claude-skill
    /plugin install shield@shield-security

The project is available on GitHub at https://github.com/alissonlinneker/shield-claude-skill. Feedback and contributions are welcome, with the roadmap organized as GitHub issues.
📖 Read the full source: r/ClaudeAI
