Code Guardian: Automated Multi-Phase Security Scanner

Do you fully trust your app's security? This skill turns Claude Code into a dedicated cybersecurity engineer. It scans your entire codebase, dynamically splits the scan into phases based on project size, and generates detailed reports with AI-ready fix checklists for every vulnerability it finds.

Smart Scan & Sizing

Instead of a blind scan, the AI first analyzes the entire project structure (counting files and folders). Based on this volume, Claude Code dynamically decides the number of scan phases needed:

* Small projects: 1–2 phases.
* Medium projects: 3–4 phases.
* Large projects: 5–6 phases.

Each phase explicitly targets a specific layer (e.g., Authentication, API routes, Database) so that no layer is left unscanned.

Actionable Phase Reports

After completing each phase, Claude generates a dedicated Markdown file (e.g., scan-phase-1-auth-layer.md). Each file contains:

1. Clear Scope: What was scanned in this phase.
2. Vulnerability List: Categorized by severity (Critical, High, Medium, Low).
3. Execution Plan (The Core): For every issue, a detailed, highly technical fix checklist is written. These are designed specifically to be handed over to any AI agent (like Lovable or Cline) for immediate execution.

The Executive Summary

Once all phases conclude, the final scan-summary.md file is generated. This acts as your master dashboard. It aggregates all discovered vulnerabilities across the entire project, sorting them strictly by severity. Next to each issue, it references the exact phase file containing the fix instructions, making task prioritization and delegation incredibly efficient.

Prompt

Skill Name: security-scan

Create a skill for Claude Code that performs a multi-phase security scan on full-stack web app codebases. When triggered, Claude should first scan the project structure to count all folders and files, then automatically determine how many scan phases are needed based on project size (smaller projects get 1–2 phases, medium projects get 3–4, large projects get 5–6 — Claude decides the exact threshold based on what it sees).
Each phase should cover a specific combination of: a code domain (e.g. authentication, API routes, database layer, frontend, environment config, third-party integrations) AND a category of security vulnerabilities relevant to that domain (e.g. injection attacks, broken access control, exposed secrets, insecure dependencies, XSS, CSRF, improper error handling).
After completing each phase, Claude must generate a .md file named after that phase (e.g. scan-phase-1-auth-layer.md). Each file must contain: a brief description of what was scanned, a list of identified security issues with severity level (Critical / High / Medium / Low), and for each issue — a detailed checklist of fix steps written clearly enough to be handed directly to an AI agent for execution.
After all phases are complete, generate a final scan-summary.md file that lists all discovered issues across all phases, sorted by severity, with a reference to which phase file contains the detailed fix steps.
The skill targets full-stack web applications. Claude should use general security best practices and common vulnerability knowledge (no specific framework required) and adapt its analysis to whatever stack it detects in the codebase.
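As an added illustration of the workflow the prompt describes (this is not the skill's own code; the skill runs inside Claude Code and produces Markdown, not Python), the script below sizes a project by counting files and folders, picks a phase count, assigns the listed code domains to phases, and then parses phase report files into a scan-summary.md sorted by severity with a reference back to the phase file that holds each fix checklist. The size cut-offs, the round-robin domain-to-phase assignment, and the `- [Severity] title` line format for issues are assumptions, since the prompt leaves those decisions to Claude; the two phase reports it writes are constructed samples for a hypothetical project, not real findings.

```python
import os
import re
import tempfile
from pathlib import Path

# Severity ranking used to sort the final summary (order taken from the page).
SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
# Code domains the page lists; one or more are assigned to each phase.
DOMAINS = ["authentication", "api-routes", "database-layer", "frontend",
           "environment-config", "third-party-integrations"]
# Assumed report line format: "- [Severity] issue title". Nested "- [ ]"
# lines underneath are the fix checklist and are deliberately not matched.
ISSUE_RE = re.compile(r"^- \[(Critical|High|Medium|Low)\] (.+)$")


def size_project(root):
    """Count files and folders under root, skipping VCS and dependency dirs."""
    skip = {".git", "node_modules", "dist", "build", "__pycache__"}
    files = folders = 0
    for _dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip]
        folders += len(dirnames)
        files += len(filenames)
    return files, folders


def choose_phase_count(file_count):
    """Assumed cut-offs; the page only gives 1-2 / 3-4 / 5-6 phases per size."""
    if file_count < 50:
        return 2
    if file_count < 500:
        return 4
    return 6


def plan_phases(phase_count):
    """Round-robin the domains over the phases so every layer is covered."""
    phases = [[] for _ in range(phase_count)]
    for i, domain in enumerate(DOMAINS):
        phases[i % phase_count].append(domain)
    return [p for p in phases if p]


def parse_phase_report(path):
    """Return (severity, title, report_filename) for each issue in one report."""
    path = Path(path)
    issues = []
    for line in path.read_text(encoding="utf-8").splitlines():
        match = ISSUE_RE.match(line.strip())
        if match:
            issues.append((match.group(1), match.group(2).strip(), path.name))
    return issues


def build_summary(report_paths):
    """Aggregate phase reports into scan-summary.md text, sorted by severity."""
    issues = []
    for report in report_paths:
        issues.extend(parse_phase_report(report))
    issues.sort(key=lambda issue: (SEVERITY_ORDER[issue[0]], issue[1]))
    lines = ["# Security Scan Summary", ""]
    for severity, title, report_name in issues:
        lines.append(f"- [{severity}] {title}  (fix steps: {report_name})")
    return "\n".join(lines) + "\n", issues


# Constructed sample phase reports for a hypothetical project (not real findings).
SAMPLE_REPORTS = {
    "scan-phase-1-auth-layer.md": """# Phase 1: Authentication layer
Scope: login, session handling, password reset.
## Issues
- [High] Session cookie is set without the HttpOnly flag
  - [ ] Add httpOnly: true to the session cookie options
- [Critical] Password reset tokens never expire
  - [ ] Store an expiry with each token and reject expired ones
""",
    "scan-phase-2-api-routes.md": """# Phase 2: API routes
Scope: REST handlers under src/routes.
## Issues
- [Medium] Error responses include stack traces
  - [ ] Return a generic message and log details server-side
- [Low] No rate limit on /health
""",
}


def run_demo():
    """Write the sample reports to a temp dir and run the whole pipeline on them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, text in SAMPLE_REPORTS.items():
            (root / name).write_text(text, encoding="utf-8")
        files, folders = size_project(root)
        phases = plan_phases(choose_phase_count(files))
        summary, issues = build_summary(sorted(root.glob("scan-phase-*.md")))
        (root / "scan-summary.md").write_text(summary, encoding="utf-8")
        return {"files": files, "folders": folders, "phases": phases,
                "issues": issues, "summary": summary}


if __name__ == "__main__":
    print(run_demo()["summary"])
```

Running the file prints the generated summary. The property worth keeping from this sketch is that the summary is derived mechanically from the phase files rather than written separately: if an issue is missing from the summary or appears out of severity order, the phase report has drifted from the agreed line format and the checklists handed to a downstream agent may be incomplete.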