Shieldbot: Open-Source Security Scanner Plugin for Claude Code

What Shieldbot Does
Shieldbot is an open-source security scanner that runs directly inside Claude Code as a plugin. It eliminates the need to switch between your editor and separate security tools by integrating scanning functionality into the development environment.
Installation and Usage
Install with these commands:
/plugin marketplace add BalaSriharsha/shieldbot
/plugin install shieldbot
/shieldbot .
You can also interact with it naturally using commands like "scan this repo for security issues" or "check my dependencies for CVEs" and the agent will handle the request.
Scanner Integration
The tool runs six scanners in parallel:
- Semgrep (5,000+ community rules covering OWASP Top 10, CWE Top 25, injection, XSS, SSRF)
- Bandit (Python security)
- Ruff (Python quality/security)
- detect-secrets (finds API keys, tokens, passwords in source code)
- pip-audit (Python dependency CVEs)
- npm audit (Node.js CVEs)
Results Processing
Findings get deduplicated across scanners, so the same bug reported by multiple tools (like Semgrep and Bandit) appears only once. Claude then synthesizes everything into a prioritized report that includes:
- Risk score
- Executive summary
- Specific code fixes
- Identification of likely false positives
Real-World Testing
The developer first ran Shieldbot on itself, where it caught a Jinja2 XSS vulnerability in the HTML reporter that had been missed. The scan resulted in one real finding and zero false positives on secrets detection.
CI/CD Integration
Shieldbot also works as a GitHub Action for CI pipelines:
- uses: BalaSriharsha/shieldbot@main
Findings appear in GitHub's Security tab via SARIF output.
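The two steps described above, cross-scanner deduplication with a prioritized summary and SARIF output for GitHub's Security tab, as one added example. This is illustrative code written for this page, not Shieldbot's own implementation: the scanner findings are constructed sample data, the dedup key (file, line, CWE or rule id), the severity weights behind the risk score, and the tool name "shieldbot-example" are all assumptions, and the SARIF document is the minimal 2.1.0 shape (tool driver plus results with physical locations) rather than whatever Shieldbot actually emits.

```python
"""Deduplicate findings from several scanners, score them, and emit a
minimal SARIF 2.1.0 log. Added example; not Shieldbot project code."""
import json

# Constructed sample findings, normalized to one shape per scanner.
# Semgrep and Bandit both flag the same shell=True call on line 42, and
# detect-secrets and Ruff both flag the same hardcoded credential on line 7.
SAMPLE_FINDINGS = [
    {"tool": "semgrep", "rule": "python.lang.security.audit.subprocess-shell-true",
     "file": "app/run.py", "line": 42, "cwe": "CWE-78", "severity": "high",
     "message": "subprocess call with shell=True"},
    {"tool": "bandit", "rule": "B602", "file": "app/run.py", "line": 42,
     "cwe": "CWE-78", "severity": "high",
     "message": "subprocess call with shell=True identified"},
    {"tool": "detect-secrets", "rule": "AWSKeyDetector", "file": "config.py",
     "line": 7, "cwe": "CWE-798", "severity": "critical",
     "message": "AWS access key found in source"},
    {"tool": "ruff", "rule": "S105", "file": "config.py", "line": 7,
     "cwe": "CWE-798", "severity": "medium",
     "message": "Possible hardcoded password"},
    {"tool": "pip-audit", "rule": "PLACEHOLDER-ADVISORY-ID",  # placeholder, not a real advisory
     "file": "requirements.txt", "line": 3, "cwe": None, "severity": "high",
     "message": "examplepkg 1.0.0 has a known vulnerability (constructed)"},
]

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}
SEVERITY_WEIGHT = {"critical": 40, "high": 25, "medium": 10, "low": 3, "info": 0}  # assumed weights
SARIF_LEVEL = {"critical": "error", "high": "error", "medium": "warning", "low": "note", "info": "note"}


def dedupe(findings):
    """Merge findings that describe the same defect at the same location.

    Key is (file, line, CWE); scanners without a CWE fall back to their rule id.
    The merged record keeps the highest severity seen and lists every tool
    that reported it, so the report can show corroboration instead of noise.
    """
    merged = {}
    for f in findings:
        key = (f["file"], f["line"], f["cwe"] or f["rule"])
        if key not in merged:
            merged[key] = {**f, "tools": [f["tool"]]}
            continue
        m = merged[key]
        m["tools"].append(f["tool"])
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[m["severity"]]:
            m.update(severity=f["severity"], message=f["message"], rule=f["rule"])
    # Highest severity first, then stable by path and line for a readable report.
    return sorted(merged.values(),
                  key=lambda m: (-SEVERITY_RANK[m["severity"]], m["file"], m["line"]))


def risk_score(merged):
    """Weighted sum of unique findings, capped at 100 (assumed scoring model)."""
    return min(100, sum(SEVERITY_WEIGHT[m["severity"]] for m in merged))


def to_sarif(merged, tool_name="shieldbot-example"):
    """Build a minimal SARIF 2.1.0 log: one run, one rule per rule id, one result per finding."""
    rules, results = {}, []
    for m in merged:
        rules.setdefault(m["rule"], {"id": m["rule"],
                                     "shortDescription": {"text": m["message"]}})
        results.append({
            "ruleId": m["rule"],
            "level": SARIF_LEVEL[m["severity"]],
            "message": {"text": f"{m['message']} (reported by {', '.join(m['tools'])})"},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": m["file"]},
                "region": {"startLine": m["line"]}}}],
        })
    return {
        "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
        "version": "2.1.0",
        "runs": [{"tool": {"driver": {"name": tool_name, "rules": list(rules.values())}},
                  "results": results}],
    }


if __name__ == "__main__":
    unique = dedupe(SAMPLE_FINDINGS)
    print(f"{len(SAMPLE_FINDINGS)} raw findings -> {len(unique)} unique, risk score {risk_score(unique)}")
    print(json.dumps(to_sarif(unique), indent=2))
```

The merge key is the part worth thinking about in a real pipeline: keying on CWE rather than on each scanner's rule id is what lets a Semgrep rule and a Bandit check collapse into one entry, while findings that carry no CWE (dependency advisories) stay distinct by rule id.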
Privacy and Architecture
Everything runs locally with no code leaving your machine. The MCP server pipes scanner results to Claude Code over stdio.
Project Details
The project is MIT licensed and available on GitHub at https://github.com/BalaSriharsha/shieldbot. The developer is seeking feedback, particularly on what additional scanners or report features users would want added.
📖 Read the full source: r/ClaudeAI