Security Testing

Security scans MUST be run as part of post-generation verification (agentic-cookbook://guidelines/testing/post-generation-verification). These are CLI tools Claude Code can invoke directly.

Static Analysis (SAST):

Semgrep — all languages: semgrep scan --config=auto .
Bandit — Python: bandit -r src/
CodeQL — deep analysis (Swift, Kotlin, C#, Python, TS, Go)

Dependency Scanning:

Python: pip-audit
Node.js: npm audit
.NET: dotnet list package --vulnerable
All: Snyk CLI (snyk test)

Dynamic Analysis (DAST):

OWASP ZAP — scan running web services: zap-cli quick-scan http://localhost:8888

See agentic-cookbook://guidelines/security/* (Security Guidelines) for the full security reference.

version: 1.0.0
platforms: csharp, kotlin, python, swift, typescript, web
tags: security-testing, testing
author: Mike Fullerton
modified: 2026-03-27
references: codeql.github.com github.com/PyCQA/bandit semgrep.dev snyk.io zaproxy.org

Change History

Version	Date	Author	Summary
1.0.0	2026-03-27	Mike Fullerton	Initial creation