Problem
When Claude Code generates code, it may inadvertently introduce security vulnerabilities (SQL injection, XSS, command injection, insecure deserialization). The current PostToolUse hook infrastructure doesn't include code-level vulnerability scanning.
Proposal
Add a CodeScanner module that scans generated code for OWASP Top 10 vulnerabilities:
- SQL injection patterns in generated database queries
- XSS in generated HTML/template code
- Command injection in subprocess/exec calls
- Path traversal in file operations
- Insecure deserialization
- Hardcoded secrets/credentials
Integrate as a Claude Code PostToolUse hook that scans Write and Edit tool outputs.
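As an added example (not code from this issue, nor Claude Code's own hook implementation), here is a zero-dependency scanner in the shape the proposal describes: one regex rule per vulnerability class from the list above, a `scan_source` function over the generated text, and a `scan_hook_event` wrapper that reads a PostToolUse payload. Assumptions are labelled in the code: the payload is JSON on stdin with `tool_name` and `tool_input` (`file_path` plus `content` for Write, `new_string` for Edit), exit status 2 with a message on stderr is the hook convention for a blocking finding, and `SAMPLE_WRITE_EVENT` is a constructed payload, not a captured session. The rules are deliberately narrow heuristics (a sink fed by runtime string building, or a known-dangerous API), so they cover Python, JS/TS and Go idioms the page lists but will miss obfuscated cases and will flag some benign ones.

```python
"""Added example: a zero-dependency pattern scanner shaped like the proposed
CodeScanner PostToolUse hook. Not code from the issue or from Claude Code."""
from __future__ import annotations

import json
import os
import re
import sys
from dataclasses import dataclass

CODE_EXTENSIONS = {".py", ".js", ".jsx", ".ts", ".tsx", ".go"}

# Building blocks: quoted literal, JS template with interpolation, "built at runtime".
Q = "[\"']"
STR = f"{Q}[^\"']*{Q}"
TMPL = r"`[^`]*\$\{"
BUILT = rf"(?:f{Q}|{STR}\s*(?:\+|%)|{STR}\.format\(|{TMPL})"
SECRET = f"{Q}[^\"']{{8,}}{Q}"

# One heuristic rule per class in the proposal: sink fed by string building, or dangerous API.
RULES = {
    "sql-injection": re.compile(
        rf"\b(?:execute|executemany|query|Query|Exec|QueryRow|raw)\s*\(\s*{BUILT}"),
    "xss": re.compile(
        r"(?:\.innerHTML\s*=|document\.write\s*\(|dangerouslySetInnerHTML|\bmark_safe\s*\("
        r"|\bMarkup\s*\(|\|\s*safe\b|template\.HTML\s*\(|\{\{\{)"),
    "command-injection": re.compile(
        rf"(?:\bos\.(?:system|popen)\s*\(|\bsubprocess\.\w+\([^)]*shell\s*=\s*True"
        rf"|\b(?:exec|execSync)\s*\(\s*(?:{BUILT}|[A-Za-z_])|exec\.Command\s*\(\s*\"(?:sh|bash|cmd)\")"),
    "path-traversal": re.compile(
        r"\b(?:open|os\.path\.join|path\.join|filepath\.Join|readFileSync|readFile|sendFile"
        r"|os\.ReadFile)\s*\([^)]*\b(?:request|req|params|query|args|input|user)\b", re.IGNORECASE),
    "insecure-deserialization": re.compile(
        r"(?:\bpickle\.loads?\s*\(|\bmarshal\.loads?\s*\(|\byaml\.load\s*\((?![^)]*SafeLoader)"
        r"|\bunserialize\s*\(|ObjectInputStream)"),
    "hardcoded-secret": re.compile(
        rf"\b(?:password|passwd|secret(?:[_-]?key)?|api[_-]?key|access[_-]?key|auth[_-]?token|token)\b"
        rf"\s*[:=]\s*{SECRET}", re.IGNORECASE),
}


@dataclass
class Finding:
    rule: str
    line: int
    snippet: str


def scan_source(source: str) -> list[Finding]:
    """Run every rule over each line; at most one finding per rule per line."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        text = line.strip()
        if text.startswith(("#", "//")):  # whole-line comments are not sinks
            continue
        for rule_id, pattern in RULES.items():
            if pattern.search(line):
                findings.append(Finding(rule_id, lineno, text[:120]))
    return findings


def scan_hook_event(event: dict) -> list[Finding]:
    """Scan the code a Write or Edit call produced. The payload field names
    (tool_name, tool_input.file_path/content/new_string) are an assumption."""
    tool_input = event.get("tool_input", {})
    if os.path.splitext(tool_input.get("file_path", ""))[1].lower() not in CODE_EXTENSIONS:
        return []
    if event.get("tool_name") == "Write":
        return scan_source(tool_input.get("content", ""))
    if event.get("tool_name") == "Edit":
        return scan_source(tool_input.get("new_string", ""))
    return []


# Constructed hook payload (not from a real session) that trips five rules.
SAMPLE_WRITE_EVENT = {
    "tool_name": "Write",
    "tool_input": {
        "file_path": "app/handlers.py",
        "content": "\n".join([
            "import os, pickle, subprocess",
            "API_KEY = 'constructed-example-key-0000'",
            "cur.execute(f\"SELECT * FROM users WHERE id = {uid}\")",
            "cur.execute(\"SELECT * FROM users WHERE id = %s\", (uid,))  # parameterised: not flagged",
            "subprocess.run(cmd, shell=True)",
            "obj = pickle.loads(blob)",
            "data = open(os.path.join('/data', request.args['name'])).read()",
        ]),
    },
}


def main() -> int:
    """Hook entry point: event on stdin, findings on stderr. Exit status 2 is
    assumed to be the hook convention for 'block and feed stderr back'."""
    event = SAMPLE_WRITE_EVENT if sys.stdin.isatty() else json.load(sys.stdin)
    findings = scan_hook_event(event)
    for f in findings:
        print(f"[{f.rule}] line {f.line}: {f.snippet}", file=sys.stderr)
    return 2 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run without piped input it scans the constructed payload and prints the five findings; wired into a PostToolUse entry whose matcher covers Write and Edit (the exact settings shape is something to confirm against the Claude Code hook docs), it reads the real payload instead. Two design points worth keeping in the real module: the parameterised `execute(..., (uid,))` line is deliberately not flagged, because the rules key on string building at the sink rather than on the sink alone, and a finding is a prompt for review, not proof of a vulnerability; `open(args.path)` will trip the path-traversal rule, so an allowlist or inline suppression comment is the first thing users will ask for.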
Prior Art
- Semgrep (heavy, requires rules)
- Bandit (Python only)
- Our approach: lightweight pattern matching across Python, JS/TS, Go — zero deps