Systematic DevSecOps Analysis for Claude Code β 5-layer security review with standardized severity-tagged alerts
π Quick Start β’ π Documentation β’ π§ͺ Test Results β’ π Report Bug
Complete rebuild with TDD methodology:
- β Systematic 5-layer review enforced (no ad-hoc analysis)
- β Standardized severity-tagged alerts (CRITICO/ALTO/MEDIO/BAJO)
- β Proactive scope expansion beyond user request
- β Token-efficient (~450 words, 60% reduction)
- β Pressure-tested with time/authority/exhaustion scenarios
- β Full test documentation included
Observed in manual evaluation: 6-8 categorized alerts vs 1-2 ad-hoc findings on the same test scenarios. These are qualitative comparisons, not automated benchmarks.
See FINAL-REPORT.md for the full evaluation notes.
Every security review follows this structured methodology:
- Code Validation β Input validation, injection (SQL/XSS/Command), auth/authz, error handling
- Dependencies β CVEs, outdated packages, unmaintained libraries, transitive dependencies
- Secrets & PII β Hardcoded API keys, tokens, certificates, exposed personal data
- CI/CD Pipeline β Branch restrictions, secret exposure, security gates, rollback plans
- Infrastructure β Network exposure, IAM/RBAC permissions, encryption, security groups
No layer skipped β even "frontend-only" code triggers full review.
Every finding includes:
| Campo | Valor |
|---|---|
| Severidad | π΄ CRITICO | π ALTO | π‘ MEDIO | π’ BAJO |
| ID | CD-SEC-XXX (sequential) |
| Componente | file.js:line or resource name |
| DescripciΓ³n | What + why it's a risk |
| Evidencia | Code snippet or config excerpt |
| RemediaciΓ³n | Specific fix steps |
βββββββββββββββββββββββββββββββββββββββββββββββ
β π ESTADO DE SEGURIDAD β
βββββββββββββββββββββββββββββββββββββββββββββββ€
β Nivel de riesgo: π΄ CRITICO β
β Alertas totales: 8 β
β β’ CrΓticas: 2 β
β β’ Altas: 3 β
β β’ Medias: 2 β
β β’ Bajas: 1 β
βββββββββββββββββββββββββββββββββββββββββββββββ€
β β οΈ RECOMENDACIΓN: β
β BLOQUEAR despliegue hasta resolver β
β hallazgos crΓticos y altos. β
βββββββββββββββββββββββββββββββββββββββββββββββ
# Install from local directory
git clone https://github.com/DevCop95/cyhber-deploy.git
cd cyhber-deploy
cp -r skills/cyhber-deploy ~/.claude/skills/# Check skill is loaded
claude # Start Claude Code session
# Skill auto-triggers on: deploy, CI/CD, Terraform, auth, secrets, injectionSkill activates when you mention:
- Deploy: staging, production, release
- CI/CD: GitHub Actions, GitLab CI, Jenkins, CircleCI
- IaC: Terraform, Kubernetes, Docker, Helm
- Cloud: AWS, GCP, Azure
- Security: auth, secrets, injection, SQL, XSS
- Review: "security review", "check this code"
@cyhber-deploy review this for production
Input:
app.post('/login', (req, res) => {
db.query(`SELECT * FROM users WHERE email='${req.body.email}'`);
});Output:
| Campo | Valor |
|---|---|
| Severidad | π΄ CRITICO |
| ID | CD-SEC-001 |
| Componente | api/auth.js:2 |
| DescripciΓ³n | SQL injection - user-controlled email concatenated into query |
| Evidencia | db.query(`SELECT * FROM users WHERE email='${req.body.email}'`) |
| RemediaciΓ³n | Use parameterized query: db.query('SELECT * FROM users WHERE email = ?', [req.body.email]) |
Input:
# .github/workflows/deploy.yml
- run: |
echo "API_KEY=${{ secrets.API_KEY }}" >> .env
cat .envOutput:
| Campo | Valor |
|---|---|
| Severidad | π΄ CRITICO |
| ID | CD-SEC-002 |
| Componente | .github/workflows/deploy.yml:3 |
| DescripciΓ³n | API key exposed in workflow logs via cat .env |
| Evidencia | cat .env prints secrets to logs accessible to all repo users |
| RemediaciΓ³n | Remove cat .env. Pass secrets via env vars: env: API_KEY: ${{ secrets.API_KEY }} |
Input:
resource "aws_security_group" "db" {
ingress {
cidr_blocks = ["0.0.0.0/0"]
from_port = 5432
to_port = 5432
}
}Output:
| Campo | Valor |
|---|---|
| Severidad | π΄ CRITICO |
| ID | CD-SEC-003 |
| Componente | terraform/main.tf:3 |
| DescripciΓ³n | Database exposed to entire internet via overly permissive security group |
| Evidencia | cidr_blocks = ["0.0.0.0/0"] allows connections from any IP |
| RemediaciΓ³n | Restrict to application subnet: cidr_blocks = ["10.0.1.0/24"] or use VPC peering |
A zero-dependency Python renderer turns findings into colored alert cards plus a final ESTADO DE SEGURIDAD panel β a visual recap of the scan, right in your terminal.
# See it instantly with the bundled demo
python tools/cyhber_report.py --demo
# Render your own findings (see schema in tools/findings.example.json)
python tools/cyhber_report.py findings.json
# Pipe from another tool
cat findings.json | python tools/cyhber_report.pyPreview:
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β π ESTADO DE SEGURIDAD β
β Objetivo: examples/vulnerable-api/server.js β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β Nivel de riesgo: π΄ CRITICO β
β Alertas totales: 8 β
β β’ CRITICO 3 β
β β’ ALTO 3 β
β β’ MEDIO 1 β
β β’ BAJO 1 β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β οΈ RECOMENDACIΓN: β
β BLOQUEAR despliegue β resolver crΓticos/altos β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
- Pure stdlib (no
pip install), works on Windows / macOS / Linux. - Auto-detects color; honors
NO_COLOR/FORCE_COLOR. - Exit code
1when the run should block (any π΄ or β₯3 π ),0otherwise β drop it straight into a CI gate.
Skill built following complete RED-GREEN-REFACTOR cycle:
- RED Phase: Baseline testing without skill (3 pressure scenarios)
- GREEN Phase: Skill enforcement verification (systematic 5-layer review)
- REFACTOR Phase: Edge case testing (frontend-only code)
| Metric | Baseline (No Skill) | With Skill |
|---|---|---|
| Issues found | 1-2 | 6-8 |
| Structure | Ad-hoc | 5-layer systematic |
| Output format | Freeform | Severity tables |
| Scope | Limited | Proactive expansion |
Numbers come from manual evaluation on the bundled test scenarios, not from an automated benchmark suite. Treat them as directional, not guaranteed.
Full documentation: tests/FINAL-REPORT.md
- SKILL.md β Complete skill specification
- secret-patterns.md β 40+ secret detection patterns
- FINAL-REPORT.md β TDD testing documentation
- Examples β Vulnerable and secure code samples
- tools/cyhber_report.py β Terminal report renderer (visual layer)
Built-in detection for:
- AWS keys (AKIA...), Azure, GCP service accounts
- GitHub tokens (ghp_, gho_, glpat-)
- Private keys (RSA, EC, OpenSSH, PGP)
- Database connection strings
- JWT tokens
- Slack/Discord webhooks
- Payment provider keys (Stripe, PayPal, Square)
See secret-patterns.md for complete list.
Contributions welcome! For major changes:
- Fork repo
- Create feature branch (
git checkout -b feature/improvement) - Follow TDD methodology (see tests/ for examples)
- Commit with conventional commits
- Push and open PR
DO NOT open public issues for vulnerabilities.
Email: yared.henriquezb@gmail.com
- SARIF output format for CI/CD integration
- Custom rule configuration (.cyhber-deploy.json)
- Multi-language support (Django, Flask, Spring Boot)
- GitHub Action for automated PR reviews
- VS Code extension
- Dashboard for security metrics over time
MIT License - see LICENSE
Author: DevCop95
Built with guidance from:
- Claude Code Superpowers - TDD methodology for skills
- Anthropic Claude - AI platform
Inspired by:
- Semgrep - SAST scanning
- Snyk - Dependency analysis
- TruffleHog - Secret detection
- OWASP - Security standards
- π Issues
- π¬ Discussions
- π§ Email: yared.henriquezb@gmail.com
- π¦ X/Twitter: @Devcop101
Cyhber Deploy provides static analysis and does not replace professional security audits or penetration testing. Use as complement to existing security practices.
Production-Ready β’ TDD-Tested β’ Open Source
β Star this repo if it helps your security workflow!