Shieldbot: Open-Source Security Scanner Plugin for Claude Code

What Shieldbot Does
Shieldbot is an open-source security scanner that runs directly inside Claude Code as a plugin. It eliminates the need to switch between your editor and separate security tools by integrating scanning functionality into the development environment.
Installation and Usage
Install with these commands:
/plugin marketplace add BalaSriharsha/shieldbot
/plugin install shieldbot
/shieldbot .
You can also interact with it naturally using commands like "scan this repo for security issues" or "check my dependencies for CVEs" and the agent will handle the request.
Scanner Integration
The tool runs six scanners in parallel:
- Semgrep (5,000+ community rules covering OWASP Top 10, CWE Top 25, injection, XSS, SSRF)
- Bandit (Python security)
- Ruff (Python quality/security)
- detect-secrets (finds API keys, tokens, passwords in source code)
- pip-audit (Python dependency CVEs)
- npm audit (Node.js CVEs)
Results Processing
Findings get deduplicated across scanners, so the same bug reported by multiple tools (like Semgrep and Bandit) appears only once. Claude then synthesizes everything into a prioritized report that includes:
- Risk score
- Executive summary
- Specific code fixes
- Identification of likely false positives
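A sketch of that cross-scanner dedup step, added here as an illustration and not Shieldbot's own code. The scanner JSON, rule ids and file paths below are constructed and simplified (loosely shaped after Semgrep and Bandit JSON output); findings are merged on file, line and CWE, and anything corroborated by more than one scanner is ranked first:

```python
import json
import re

# Constructed, simplified scanner output (not real tool output): both scanners
# flag the same Jinja2 autoescape issue; Bandit alone flags a hardcoded secret.
SEMGREP_JSON = """{"results": [
  {"check_id": "example.jinja2-autoescape-off", "path": "app/reporter.py",
   "start": {"line": 42},
   "extra": {"message": "Jinja2 environment created with autoescape disabled",
             "metadata": {"cwe": ["CWE-79: Improper Neutralization of Input"]}}}
]}"""
BANDIT_JSON = """{"results": [
  {"test_id": "B701", "filename": "app/reporter.py", "line_number": 42,
   "issue_text": "jinja2 autoescape=False", "issue_cwe": {"id": 79}},
  {"test_id": "B105", "filename": "app/config.py", "line_number": 7,
   "issue_text": "Possible hardcoded password", "issue_cwe": {"id": 259}}
]}"""

def normalize_semgrep(raw):
    """Map Semgrep-style results onto a common finding shape."""
    for r in json.loads(raw)["results"]:
        cwes = r["extra"].get("metadata", {}).get("cwe", [])
        m = re.match(r"CWE-(\d+)", cwes[0]) if cwes else None
        yield {"tool": "semgrep", "rule": r["check_id"], "path": r["path"],
               "line": r["start"]["line"], "cwe": int(m.group(1)) if m else None,
               "message": r["extra"]["message"]}

def normalize_bandit(raw):
    """Map Bandit-style results onto the same common finding shape."""
    for r in json.loads(raw)["results"]:
        yield {"tool": "bandit", "rule": r["test_id"], "path": r["filename"],
               "line": r["line_number"], "cwe": r.get("issue_cwe", {}).get("id"),
               "message": r["issue_text"]}

def dedupe(findings):
    """Collapse findings sharing file, line and CWE (rule id if no CWE); keep every reporter."""
    merged = {}
    for f in findings:
        key = (f["path"], f["line"], f["cwe"] if f["cwe"] is not None else f["rule"])
        if key in merged:
            merged[key]["reported_by"].append(f"{f['tool']}:{f['rule']}")
        else:
            merged[key] = {"path": f["path"], "line": f["line"], "cwe": f["cwe"],
                           "message": f["message"],
                           "reported_by": [f"{f['tool']}:{f['rule']}"]}
    # Findings corroborated by more than one scanner rank first (stable sort).
    return sorted(merged.values(), key=lambda m: -len(m["reported_by"]))

def scan_report():
    return dedupe([*normalize_semgrep(SEMGREP_JSON), *normalize_bandit(BANDIT_JSON)])
```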
Real-World Testing
The developer first ran Shieldbot on itself, where it caught a Jinja2 XSS vulnerability in the HTML reporter that had previously gone unnoticed. The scan produced one real finding and zero false positives on secrets detection.
CI/CD Integration
Shieldbot also works as a GitHub Action for CI pipelines:
- uses: BalaSriharsha/shieldbot@main
Findings appear in GitHub's Security tab via SARIF output.
Privacy and Architecture
Everything runs locally with no code leaving your machine. The MCP server pipes scanner results to Claude Code over stdio.
Project Details
The project is MIT licensed and available on GitHub at https://github.com/BalaSriharsha/shieldbot. The developer is seeking feedback, particularly on what additional scanners or report features users would want added.
📖 Read the full source: r/ClaudeAI