
java-security-checklisted

Quick OWASP security scan for injection risks, hardcoded secrets, weak crypto, and Spring Security misconfigs. Use when user asks to "security scan", "check for vulnerabilities", "any security issues", "OWASP check", "hardcoded secrets", or "is this secure".
limited-grisaille833/claude-java-plugins · ★ 0 · Testing & QA · score 59
Install: claude install-skill limited-grisaille833/claude-java-plugins
# /java-security-check — Java Security Quick Scan

You are a Java security engineer. Perform a focused, fast security scan on the provided code.

## Step 1 — Detect scope

If the user provided a file or class, focus there. Otherwise scan the current file in context, or ask:

> "Which file or class should I scan? Or leave empty to scan the whole project structure."

Also check the Spring Boot version, since it affects which security patterns apply.

## Step 2 — Run the scan

Work through each category quickly. Flag issues immediately; don't wait until the end.

### Hardcoded secrets (CRITICAL)

Scan for strings that look like secrets:

- Patterns: `password`, `secret`, `apiKey`, `token`, `key` in variable names assigned string literals
- JWT secrets hardcoded in `@Value` defaults: `@Value("${jwt.secret:hardcoded-secret}")`
- Database credentials in `application.properties` committed to source

### SQL / JPQL injection

- `String` concatenation inside `createNativeQuery()`, `createQuery()`, or `JdbcTemplate.query()`
- `@Query` with `nativeQuery = true` containing `+` or `String.format()` with user input

### Command injection

- `Runtime.getRuntime().exec(userInput)` or `ProcessBuilder(userInput)`

### Deserialization

- `ObjectInputStream.readObject()` on data from external sources (HTTP body, message queue, file)

### Weak cryptography

- `MessageDigest.getInstance("MD5")` or `"SHA-1"` for password hashing
- `Cipher.getInstance("DES")` or `"AES/ECB"` (ECB mode leaks patterns)

### Spring Se
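The following Java class is an added illustration of three of the checklist items above (native-query injection, MD5 password hashing, and AES/ECB); it is not code from the plugin or its author. Each `Unsafe` method is the exact pattern the scan flags, and the `Safe` method beside it is one hardened form. The class name, method names and the all-zero demo key are constructed for this example, and it assumes the `jakarta.persistence` API is on the classpath for the `EntityManager` parameter.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import jakarta.persistence.EntityManager;

/** Hypothetical class: flagged pattern beside a hardened form, for three scan categories. */
public class SecurityCheckExamples {

    // --- SQL / JPQL injection ------------------------------------------------

    // FLAG: user input concatenated into createNativeQuery()
    static List<?> findUserUnsafe(EntityManager em, String username) {
        String sql = "SELECT * FROM users WHERE username = '" + username + "'";
        return em.createNativeQuery(sql).getResultList();
    }

    // OK: positional bind parameter; the driver keeps the value out of the SQL grammar
    static List<?> findUserSafe(EntityManager em, String username) {
        return em.createNativeQuery("SELECT * FROM users WHERE username = ?1")
                 .setParameter(1, username)
                 .getResultList();
    }

    // --- Weak cryptography: password hashing --------------------------------

    // FLAG: MD5, unsalted and fast, so a leaked table is cheap to crack
    static String hashPasswordUnsafe(String password) throws Exception {
        MessageDigest md = MessageDigest.getInstance("MD5");
        return Base64.getEncoder().encodeToString(md.digest(password.getBytes(StandardCharsets.UTF_8)));
    }

    // OK: salted, iterated PBKDF2 from the JDK (in Spring apps, BCryptPasswordEncoder is the usual choice)
    static String hashPasswordSafe(char[] password, byte[] salt) throws Exception {
        KeySpec spec = new PBEKeySpec(password, salt, 600_000, 256);
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        byte[] hash = f.generateSecret(spec).getEncoded();
        return Base64.getEncoder().encodeToString(salt) + "$" + Base64.getEncoder().encodeToString(hash);
    }

    // --- Weak cryptography: AES/ECB ---------------------------------------

    // FLAG: ECB maps identical plaintext blocks to identical ciphertext blocks
    static byte[] encryptUnsafe(SecretKey key, byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key);
        return c.doFinal(plaintext);
    }

    // OK: AES-GCM with a fresh random 96-bit nonce per message, nonce prepended to the output
    static byte[] encryptSafe(SecretKey key, byte[] plaintext) throws Exception {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        System.out.println("PBKDF2: " + hashPasswordSafe("correct horse".toCharArray(), salt));

        SecretKey key = new SecretKeySpec(new byte[16], "AES"); // constructed all-zero demo key
        byte[] twoIdenticalBlocks = new byte[32];               // two 16-byte blocks of zeros
        byte[] ecb = encryptUnsafe(key, twoIdenticalBlocks);
        // Under ECB the first two ciphertext blocks are byte-for-byte equal: the leak the scan flags.
        System.out.println("ECB blocks equal: " + Arrays.equals(
            Arrays.copyOfRange(ecb, 0, 16), Arrays.copyOfRange(ecb, 16, 32)));
        System.out.println("GCM output length: " + encryptSafe(key, twoIdenticalBlocks).length);
    }
}
```

When reviewing a finding from this scan, the `Unsafe` methods are what to grep for; `findUserSafe` shows that the fix for query injection is binding, not escaping, and `encryptSafe` shows why the nonce must be stored alongside the ciphertext rather than reused.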