[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-82802":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":15,"subscribersCount":15,"size":15,"stars1d":16,"stars7d":17,"stars30d":18,"stars90d":15,"forks30d":15,"starsTrendScore":19,"compositeScore":20,"rankGlobal":10,"rankLanguage":10,"license":21,"archived":22,"fork":22,"defaultBranch":23,"hasWiki":24,"hasPages":22,"topics":25,"createdAt":10,"pushedAt":10,"updatedAt":29,"readmeContent":30,"aiSummary":31,"trendingCount":15,"starSnapshotCount":15,"syncStatus":32,"lastSyncTime":33,"discoverSource":34},82802,"agentic-security","Clear-Capabilities\u002Fagentic-security","Clear-Capabilities","Build faster with an Agentic Workforce. Safe, secure, and compliant is now the default.","https:\u002F\u002Fwww.clearcapabilities.com\u002F",null,"JavaScript",66,12,1,0,3,6,11,9,3.34,"Other",false,"main",true,[26,27,28],"agentic","claude","plugin","2026-06-12 02:04:28","# agentic-security\n\n\u003Cimg src=\"docs\u002Fbrand\u002Fpatch-bug-scene.svg\" align=\"right\" width=\"220\" alt=\"Patch the mascot side-eyeing a bug on a monitor — agentic-security's signature scene\">\n\n\u003Ch3>\nBuild faster with an\u003Cbr>\nAgentic Workforce.\u003Cbr>\nSafe, secure, and compliant\u003Cbr>\nis now the default.\n\u003C\u002Fh3>\n\n> Built by **[Clear Capabilities](https:\u002F\u002Fwww.clearcapabilities.com\u002F)**.\n\n---\n\n## What you get\n\n\u003Cimg src=\"docs\u002Fbrand\u002Fpatch-alert.svg\" align=\"right\" width=\"120\" alt=\"Patch · ALERT — finding detected\">\n\n```\n─────────────────────────────────────────────────────────────────\n  ❌  Not safe to deploy  ·  api-billing\n─────────────────────────────────────────────────────────────────\n   3 critical · 8 high · 22 medium · 41 advisory\n   🔥 2 actively exploited in the wild (CISA KEV)\n   ✓  1 CONFIRMED (PoC built by \u002Ftriage --validate)\n\n   [critical] SQL Injection                api\u002Fusers.ts:42\n     Could leak PII for ~5,000 users.\n     Estimated cost if exploited: $125k–$1.3M\n     Fix:  use parameterized query — db.query('SELECT * FROM users WHERE id = ?', [id])\n\n   [critical] Hardcoded Stripe live key    src\u002Flib\u002Fbilling.ts:7\n     Could enable fraudulent charges against your account.\n     Estimated cost if exploited: $50k–$500k (chargebacks + Stripe fees)\n     Fix:  rotate via \u002Fagentic-security:fix --rotate-secret --auto, then move to env var\n\n   [critical] Missing webhook signature    api\u002Fstripe-webhook.ts:12\n     Anyone can POST a fake \"payment.succeeded\" and unlock paid features.\n     Estimated cost if exploited: cost of a free subscription × every attacker\n     Fix:  stripe.webhooks.constructEvent(rawBody, signature, endpointSecret)\n\n   How many do you want to fix?\n     1. Critical only           (3 fixes)\n     2. Critical + High         (11 fixes)\n     3. Critical + High + Medium (33 fixes)\n─────────────────────────────────────────────────────────────────\n```\n\nNo CVE jargon. The stakes, the cost, the fix.\n\n---\n\n## Install\n\nIn **Claude Code** (recommended) — two steps:\n\n```\n\u002Fplugin marketplace add https:\u002F\u002Fgithub.com\u002FClear-Capabilities\u002Fagentic-security\n\u002Fplugin install agentic-security@clearcapabilities\n```\n\nThe first command registers the marketplace as a source; the second actually installs the plugin. Then restart Claude Code (or `\u002Freload-plugins`). To update later: `\u002Fplugin marketplace update clearcapabilities` followed by `\u002Fplugin install agentic-security@clearcapabilities`.\n\nIn your **terminal** (no Claude Code required):\n\n```bash\nnpx @clear-capabilities\u002Fagentic-security-scanner secure .\n```\n\nAlso works with Codex, Cursor, and Gemini CLI — [harness setup](docs\u002FHARNESS_COMPATIBILITY.md).\n\n---\n\n## Ten commands\n\n![agentic-security demo](docs\u002Fbrand\u002Fdemo.gif)\n\n**`\u002Fagentic-security:secure`** — Router. Picks the single best next action from project state. Also: `--tour`, `--help`, `--daily`.\n\n**`\u002Fagentic-security:find-and-fix-everything`** — One-shot scan + fix every severity in one command. The vibecoder \"just make it safe\" path.\n\n**`\u002Fagentic-security:scan`** — Run the scanner. Modes: full \u002F diff \u002F watch \u002F baseline \u002F archaeology \u002F scanner-meta.\n\n**`\u002Fagentic-security:triage`** — Decide on findings. Modes: id \u002F show \u002F explain \u002F validate \u002F tournament \u002F red-team \u002F exploit \u002F query.\n\n**`\u002Fagentic-security:fix`** — Remediation. Modes: id \u002F all \u002F pr \u002F sca \u002F compliance \u002F rotate-secret \u002F vault \u002F harden \u002F trim \u002F generate.\n\n**`\u002Fagentic-security:posture`** — Posture + reporting. Modes: status \u002F report-card \u002F harness \u002F trend \u002F threat \u002F playbook \u002F mgmt.\n\n**`\u002Fagentic-security:compliance`** — Compliance + auditor flows. Modes: report \u002F walkthrough \u002F attestation \u002F audit \u002F pr.\n\n**`\u002Fagentic-security:supply`** — Supply chain. Modes: check \u002F sbom \u002F cve-alerts \u002F license.\n\n**`\u002Fagentic-security:setup`** — Workflow installers + guards. Modes: hooks \u002F ci \u002F bodyguard \u002F destructive-guard.\n\n**`\u002Fagentic-security:labs`** — Experimental + AI-driven. Modes: claude-audit \u002F model-rescan \u002F synthesize-rule \u002F cross-repo \u002F risk-dollars \u002F time-to-fix \u002F llm.\n\nEvery legacy capability is reachable as a mode of one of these dispatchers — run `\u002Fsecure --help` for the full surface.\n\n---\n\n## Compliance frameworks\n\n`\u002Fcompliance --report \u003Cframework>` generates an auditor-ready attestation that scans your project against:\n\n| Framework | `\u003Cframework>` | Coverage map |\n|---|---|---|\n| NIST AI 600-1 (2024) — Generative AI Profile | `nist` | [coverage](docs\u002Fcompliance\u002Fnist-ai-600-1-coverage.md) |\n| OWASP ASVS 4.0.3 — Application Security Verification Standard | `asvs` | [coverage](docs\u002Fcompliance\u002Fowasp-asvs-coverage.md) |\n| OWASP LLM Top 10 (2025) | `llm` | [coverage](docs\u002Fcompliance\u002Fowasp-llm-top10-coverage.md) |\n| EU AI Act | `eu-ai-act` | [`scripts\u002Feu-ai-act\u002F`](scripts\u002Feu-ai-act\u002F) |\n\n`\u002Fcompliance --walkthrough \u003Cframework>` adds step-by-step auditor narratives with per-control evidence mapping for `nist-csf-2`, `nist-ai-600-1`, `owasp-asvs-5`, `owasp-llm-top-10`, `eu-ai-act`, `gdpr`, `hipaa-security-rule`, and `ccpa` — or bring your own controls at `.agentic-security\u002Fcompliance\u002F\u003Cid>\u002Fcontrols.json`.\n\n---\n\n## What makes it different\n\n- **Plain-English findings with dollar-cost estimates.** Best\u002Flikely\u002Fworst-case exposure, grounded in IBM Cost of a Data Breach 2024 and 25+ public settlement records. Not CVE numbers.\n- **Intercepts insecure AI-generated code before it hits disk.** The `\u002Fsetup --bodyguard` hook blocks SQLi via concat, hardcoded API keys, `eval` on user input, and more — in real time, as your AI writes.\n- **12-pillar scan in one command.** SAST, SCA, secrets, IaC, LLM safety, MCP agent-tool audit, auth\u002FauthZ, pipeline integrity, containers, deploy config, supply chain, and trend tracking.\n- **Function-level reachability across every dependency.** OSV ecosystem_specific parsing, GHSA fix-commit analysis, vendored code fingerprinting, Java IR call-graph matching, and LLM-assisted function extraction — not just a hardcoded hints list.\n- **SCA reachability tiers.** Every dependency classified as `function-reachable`, `import-reachable`, `build-only`, `manifest-only`, or `transitive-only` — so you fix what matters.\n- **CISA KEV + EPSS prioritization.** Separates \"this could theoretically be bad\" from \"people are running scripts that exploit this today.\"\n- **SARIF codeFlows for taint traces.** Multi-step source-to-sink paths rendered natively in GitHub Code Scanning, DefectDojo, and VS Code SARIF Viewer.\n- **One-command fix with preview.** Every patch previewed before write, backed up, revertible. The fixer reads your stack so patches match your code style.\n- **Auto-baseline for legacy codebases.** `--set-baseline` snapshots existing findings; `--since-baseline` shows only what's new. Day-one usable on any project.\n\nDeep engine details — [architecture](docs\u002FARCHITECTURE.md).\n\n---\n\n## Language coverage\n\nEight first-class languages, with cross-language detectors for the OWASP-relevant injection and crypto-misuse classes. Coverage is measured by a blind, regression-gated CVE-replay corpus (185 entries, every release held at **F1 = 1.000** with zero false positives or negatives; see [`bench\u002Fcve-replay`](bench\u002Fcve-replay\u002F)).\n\n| Language | Vuln-class coverage |\n|----------|---------------------|\n| JavaScript \u002F TypeScript | full (flow engine + structural) |\n| Python | full (flow engine + structural) |\n| Java | full |\n| Kotlin | full |\n| Go | full |\n| Ruby | full |\n| PHP | full |\n| C# | full |\n\nDetected across these languages: SQL injection, command injection, path traversal, LDAP injection, XPath injection, reflected XSS, SSRF, XXE, code injection (eval \u002F SpEL \u002F Groovy \u002F Roslyn \u002F template), insecure deserialization, hardcoded secrets, weak password hashing, weak ciphers (DES\u002FRC4\u002FBlowfish\u002FECB), static\u002Fzero IV, insecure randomness, CSRF, open redirect, HTTP response splitting, and ReDoS — plus the JS\u002FPython-specific classes (prototype pollution, mass assignment) and the LLM\u002Fagent-tool surface.\n\nThe detectors are precision-first: parameterized queries, escaped output, allow-list guards, CSPRNG-derived IVs, framework CSRF middleware, and token-auth schemes are recognized and **not** flagged.\n\n---\n\n## What this is NOT\n\n- **Not a SaaS dashboard.** It's a CLI + Claude Code plugin.\n- **Not a replacement for a pentester.** Static analysis catches patterns; humans catch business-logic flaws. The `security-logic-reviewer` subagent and `\u002Ftriage --validate` close part of the gap, not all of it.\n- **Not magic.** It can miss novel vulnerabilities, especially anything that requires understanding intent.\n- **Not free for resale.** PolyForm Internal Use license. Use it to make your own code safe and secure. Don't repackage it as a competing scanner.\n\n---\n\n[![License](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002Flicense-PolyForm--Internal--Use-blue)](.\u002FLICENSE)\n[![Bundle](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002Fbundle-2.30MB-orange)]()\n[![Version](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002Fversion-0.119.1-blue)]()\n[![agentic-security](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002Fagentic--security-passing-brightgreen)]()\n\n## License\n\nFull legal terms in [LICENSE](.\u002FLICENSE).\n\n---\n\n> Built with care by **[Clear Capabilities](https:\u002F\u002Fwww.clearcapabilities.com\u002F)**. Found a bug, have a feature idea, want to talk? Please create a GitHub issue.\n","agentic-security 是一个用于构建安全、合规且快速的代理工作流的工具。其核心功能包括自动检测和修复代码中的安全漏洞，如SQL注入、硬编码密钥等，并提供直观的风险评估与修复建议。技术上，它支持Claude Code插件安装以及直接通过终端命令行使用，适用于JavaScript项目。特别适合需要提高开发效率同时保证代码安全性与合规性的开发团队或个人开发者。",2,"2026-06-11 04:09:19","CREATED_QUERY"]