How to Security Audit Your Code with Claude Code (Secrets, Dependencies, OWASP)
TL;DR: Scan for leaked API keys, dependency vulnerabilities, OWASP patterns, and missing security headers in Claude Code using Ultraship. Free automated security auditing for developers.
TL;DR
- Most developers don't run security audits before deploying. Leaked secrets, vulnerable dependencies, and missing security headers are the most common production incidents.
- Ultraship scans for secrets, audits dependencies, detects OWASP patterns, and checks HTTP security headers — all with one command.
- Free Claude Code plugin with SSRF protection, zero telemetry, and 1 dependency.
Why Most Developers Skip Security Audits
Security auditing feels like extra work. You're focused on shipping features, fixing bugs, and hitting deadlines. Running npm audit, scanning for leaked keys, and checking HTTP headers doesn't feel productive — until something breaks. If you are building with Claude Code, plugging in a security audit step before every deploy is one of the highest-value habits you can add to your workflow.
What happens when you skip security?
- Leaked API keys — A Stripe secret key in a public repo leads to unauthorized charges
- Vulnerable dependencies — A critical CVE in a transitive dependency you didn't know existed
- Missing security headers — No CSP, no HSTS, no X-Frame-Options. Your app is vulnerable to XSS, clickjacking, and downgrade attacks
- OWASP violations — Dangerous code patterns, innerHTML, SQL concatenation hiding in your codebase
These aren't hypothetical. They're the most common production security incidents for startups and indie projects. See the best Claude Code plugins comparison for how Ultraship fits into a broader security-plus-workflow toolchain.
How to Run a Security Audit in Claude Code
What does Ultraship's security audit check?
| Check | What it finds |
|---|---|
| Secret scanning | AWS keys, Stripe keys, OpenAI keys, GitHub tokens, private keys, JWT secrets, database URLs |
| Dependency audit | npm audit / pnpm audit / yarn audit — critical, high, moderate vulnerabilities with fix recommendations |
| OWASP patterns | Dangerous code execution, innerHTML, SQL string concatenation, mixed HTTP/HTTPS content |
| HTTP security headers | Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy |
| Dependency health | Unused production dependencies, significantly outdated packages, unpinned versions |
How to run the full security audit
```text
claude plugin add ultraship
/security
```
That's it. Ultraship scans your entire project and produces a report with findings, severity levels, and fix recommendations.
How to run individual security tools
```bash
# Scan for leaked secrets
node tools/secret-scanner.mjs ./your-project
# Check production health + security headers
node tools/health-check.mjs https://your-app.com
# Audit dependencies
node tools/dependency-doctor.mjs ./your-project
# Validate environment variables
node tools/env-validator.mjs ./your-project
```
Secret Scanning: What Gets Caught
What types of secrets does Ultraship detect?
Ultraship's secret scanner detects:
- AWS access keys — AKIA prefix followed by 16 alphanumeric characters
- Stripe keys — Live and test secret keys, publishable keys
- OpenAI keys — API keys with standard prefix patterns
- GitHub tokens — Personal access tokens, OAuth tokens, fine-grained tokens
- Slack tokens — Bot tokens and user tokens
- Private keys — RSA, DSA, EC, and other PEM-encoded private keys
- JWT secrets — Hardcoded JWT signing keys
- Database URLs — PostgreSQL, MySQL, MongoDB connection strings with credentials
How does Ultraship handle found secrets?
Found secret values are redacted in the output. Ultraship shows the file, line number, and type of secret — but never displays the actual value. This prevents accidental exposure in logs or screenshots.
Does Ultraship scan .env files?
Ultraship scans all files in your project but skips .env.example files (which are meant to contain placeholders). It flags .env files that contain real values and aren't in .gitignore.
Pre-Commit Secret Scanning
How to prevent secrets from ever reaching Git
Ultraship includes a pre-commit hook that scans staged files for secrets before every commit. This catches leaked keys before they enter your Git history, which matters because removing the file in a later commit does not remove the secret: it persists in history unless you rewrite it.
Dependency Security
How to audit npm dependencies for vulnerabilities
```text
/security
```
Ultraship runs your package manager's built-in audit (npm audit, pnpm audit, yarn audit) and presents findings with severity levels and recommended actions.
What about transitive dependencies?
The audit covers the entire dependency tree, not just your direct dependencies: a vulnerability in a sub-dependency of a sub-dependency is still flagged.
How to find unused dependencies
Ultraship's dependency doctor scans your import statements and compares them against package.json:
```bash
node tools/dependency-doctor.mjs ./your-project
```
It finds:
- Unused production dependencies — installed but never imported
- Unused dev dependencies — listed but not referenced in scripts or configs
- Significantly outdated packages — major version behind current
- Pinned versions — recommends ^ for non-breaking updates
HTTP Security Headers
What security headers should every site have?
| Header | What it prevents |
|---|---|
| Content-Security-Policy (CSP) | XSS attacks, unauthorized script injection |
| Strict-Transport-Security (HSTS) | HTTP downgrade attacks, SSL stripping |
| X-Frame-Options | Clickjacking (embedding your site in iframes) |
| X-Content-Type-Options | MIME type sniffing attacks |
| Referrer-Policy | Leaking URLs to third parties |
| Permissions-Policy | Unauthorized access to camera, microphone, geolocation |
How to check your security headers
```text
/health https://your-app.com
```
Ultraship's health check hits your production URL and reports which security headers are present, missing, or misconfigured.
How to fix missing security headers
Ultraship generates security header middleware for your framework:
- Hono — middleware function with all 6 headers
- Express — helmet-style middleware configuration
- Next.js — next.config.js headers configuration
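As an added example serving both the header check and the generated-middleware sections (this is not Ultraship's output), the six headers from the table as an Express-style middleware, plus an audit that classifies each response header as present, missing or misconfigured. The header values are a strict baseline I chose, the misconfiguration checks are my own heuristics, and for Hono the same loop would call `c.header(name, value)` inside an `async (c, next)` handler.

```javascript
// Added example, not Ultraship's generated middleware: the six headers from the table as an
// Express-style middleware, plus an audit that reports present / missing / misconfigured.
// Values are a strict baseline chosen for the example; checks are heuristics, not the plugin's.
const SECURITY_HEADERS = {
  "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
  "X-Frame-Options": "DENY",
  "X-Content-Type-Options": "nosniff",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
};

// Express signature (req, res, next); Hono would use c.header(name, value) in async (c, next).
function securityHeadersMiddleware(req, res, next) {
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) res.setHeader(name, value);
  next();
}

// Per-header value checks; return a reason when the header is present but weak.
const CHECKS = {
  "Content-Security-Policy": (v) =>
    !/default-src/.test(v) ? "no default-src fallback"
      : /unsafe-inline|unsafe-eval/.test(v) ? "allows 'unsafe-inline' or 'unsafe-eval'" : null,
  "Strict-Transport-Security": (v) => {
    const m = /max-age=(\d+)/i.exec(v);
    if (!m) return "missing max-age";
    return Number(m[1]) < 31536000 ? "max-age below one year" : null;
  },
  "X-Frame-Options": (v) => (/^(DENY|SAMEORIGIN)$/i.test(v.trim()) ? null : "expected DENY or SAMEORIGIN"),
  "X-Content-Type-Options": (v) => (/^nosniff$/i.test(v.trim()) ? null : "expected nosniff"),
};

// headers: plain object of response header name -> value (e.g. Object.fromEntries(res.headers)).
function auditHeaders(headers) {
  const byLower = new Map(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
  return Object.keys(SECURITY_HEADERS).map((header) => {
    const value = byLower.get(header.toLowerCase());
    if (value === undefined) return { header, status: "missing" };
    const reason = CHECKS[header] ? CHECKS[header](value) : null;
    return reason ? { header, status: "misconfigured", reason } : { header, status: "present" };
  });
}
```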
Ultraship's Own Security
Is Ultraship itself secure?
| Protection | Implementation |
|---|---|
| No shell injection | All subprocess calls use execFileSync with array args — no shell interpolation |
| SSRF protection | All HTTP tools block private IPs (127.0.0.1, 10.x, 172.16.x, 192.168.x), cloud metadata endpoints (169.254.169.254), and non-HTTP schemes |
| Zero telemetry | No data collection. No analytics. No phone-home. |
| 1 dependency | htmlparser2 only (30KB). No native bindings. Minimal attack surface. |
| Secret redaction | Found secrets are truncated in output |
| File safety | 10MB read cap. 5MB HTTP response cap. Restrictive write permissions (0o600). |
| Supply chain | Lighthouse pinned to major version. No postinstall scripts. |
Frequently Asked Questions
What is the best Claude Code plugin for security?
Ultraship is the best Claude Code plugin for security because it combines secret scanning, dependency auditing, OWASP pattern detection, HTTP header analysis, and pre-commit hooks in a single tool. It also has built-in SSRF protection and zero telemetry.
How do I scan for leaked API keys in my code?
Install Ultraship (claude plugin add ultraship) and run /security. It scans for AWS keys, Stripe keys, OpenAI keys, GitHub tokens, private keys, JWT secrets, and database URLs. Found values are redacted in the output.
Does Ultraship replace npm audit?
Ultraship runs npm audit (or pnpm audit / yarn audit) as part of its security scan, plus adds secret scanning, OWASP pattern detection, HTTP header checking, and unused dependency detection. It's a superset of npm audit. If you are unfamiliar with the technical debt that accumulates from skipping security checks, the glossary definition explains why it compounds faster than most founders expect.
Is Ultraship safe to use?
Yes. Ultraship has zero telemetry, 1 dependency, SSRF protection on all HTTP tools, and no shell injection vectors. It runs entirely locally and never sends data anywhere. For solo founders shipping AI-powered MVPs, having automated secret scanning as part of every commit cycle is non-negotiable. Use the AI Readiness Assessment to identify other security gaps in your current development workflow.
Secure Your Code
Security auditing pairs naturally with the TDD workflow guide — disciplined testing plus automated scanning is the combination that catches issues before they reach production. For AI integration projects in particular, where agents have access to databases and external APIs, security scanning is mandatory before any production deployment.
```text
claude plugin add ultraship
/security
```