
Claude Code Skills for Security

Security work is thankless until it isn't. Nobody notices when your IAM policies are correct, your secrets are properly managed, and your dependencies don't have known CVEs. They notice when any of those things fail. These skills cover the practical side of application and infrastructure security: access control, container hardening, dependency scanning, compliance frameworks, and the network-level decisions that keep attackers out.

Published by ClaudeVault. 8 skills.

Key takeaway

ClaudeVault's security skills give Claude Code structured workflows for the application and infrastructure security decisions that most teams defer until something breaks — IAM policy design with least-privilege analysis, secrets rotation through HashiCorp Vault, container image scanning with Trivy and Snyk, SBOM generation for EU Cyber Resilience Act compliance, API gateway hardening, and the dependency vulnerability triage that keeps known CVEs out of production builds.

At a glance

  • 8 skills spanning IAM policy design, secrets management, container security, compliance frameworks, dependency scanning, environment configuration, and API gateway hardening
  • Covers OWASP Top 10:2025, where security misconfiguration rose to the number two position and two new categories — supply chain failures and exceptional condition handling — were added
  • Generates SBOM inventories in CycloneDX and SPDX formats with VEX filtering, meeting EU Cyber Resilience Act requirements that take effect in 2026
  • Addresses non-human identity governance, which matters because machine identities outnumber human employees 100-to-1 in most enterprise environments
  • Part of the Platform & Security bundle alongside infrastructure, CI/CD, observability, and incident management skills

When you reach for these skills

  • When a production deployment has IAM policies that were copied from a tutorial and never scoped down to least privilege

  • When secrets are stored in environment variables or config files instead of a dedicated vault with rotation schedules

  • When the team ships container images without scanning them and has no SBOM to hand auditors during compliance reviews

  • When dependency vulnerability alerts pile up in GitHub and nobody knows which ones are actually reachable in the running application

How these skills work together

A Claude Code security pass layers these skills from code-level review outward to infrastructure boundaries, so vulnerabilities caught early do not compound into architecture-level exposures.

  1. Review application code for OWASP Top 10 vulnerabilities

    Start with the security reviewer. Claude walks the codebase against the OWASP Top 10:2025 — injection, broken access control, security misconfiguration, the two new supply chain and exceptional condition categories — and flags findings with severity and remediation steps, not just line numbers.

  2. Audit IAM policies for over-permissive access

    The IAM policy designer analyzes AWS, GCP, or Azure policies for unused permissions, wildcard grants, and cross-account access paths. Claude outputs scoped-down policies that follow least-privilege principles and flags service accounts that have not been rotated in 90-plus days.

  3. Scan container images and generate SBOM

    Use the container security auditor to scan images with Trivy or Snyk, generate a CycloneDX SBOM, and apply VEX filtering so the team focuses on vulnerabilities that are actually reachable — not every CVE in the base image.

  4. Rotate secrets and enforce vault-based management

    The secrets management advisor migrates hardcoded credentials into HashiCorp Vault or AWS Secrets Manager, sets rotation schedules, and writes the environment variable mapping so application code never sees raw secrets.

  5. Triage dependency vulnerabilities by reachability

    Finally, the dependency vulnerability advisor sorts Dependabot and Snyk alerts by reachability — whether the vulnerable function is actually called in your dependency graph — cutting alert noise by 30 to 70 percent and surfacing the patches that matter this week.

Outcome

A codebase reviewed against current OWASP categories, IAM policies scoped to least privilege, container images scanned with an auditable SBOM, secrets managed through a vault, and dependency alerts triaged by actual exploitability.

Compare the skills

| Skill | Best for | Complexity | Primary use case |
| --- | --- | --- | --- |
| Security Reviewer | Code-level vulnerability audits | Advanced | OWASP Top 10 analysis across application code |
| Secrets Management Advisor | Credential hygiene and rotation | Intermediate | Vault integration, rotation schedules, environment variable mapping |
| IAM Policy Designer | Cloud access control | Advanced | Least-privilege policies for AWS, GCP, and Azure |
| Compliance Advisor | Regulatory frameworks and audits | Advanced | SOC 2, HIPAA, GDPR, and PCI DSS compliance posture |
| Container Security Auditor | Image scanning and SBOM | Intermediate | Trivy and Snyk scanning with CycloneDX output |
| Env Config Advisor | Environment configuration drift | Beginner | Consistent config across dev, staging, and production |
| API Gateway Designer | API perimeter security | Intermediate | Rate limiting, authentication, and request validation at the gateway |
| Dependency Vulnerability Advisor | Alert triage and patching | Intermediate | Reachability-filtered CVE prioritization |

Skills in this topic

Env Config Advisor

Designs environment variable strategies and secrets management setups. Use when cleaning up .env sprawl, adding startup validation, migrating to a vault, or ensuring config parity across environments. Zod validation, Doppler, SSM Parameter Store.

Design configuration systems that make missing-env-var outages and leaked secrets impossible, not just unlikely.

Security Reviewer

Performs OWASP-aware security audits of application code, tracing data flows across trust boundaries. Use when reviewing authentication logic, input handling, access control, or API endpoints for vulnerabilities. Injection, IDOR, SSRF, broken access control.

Review code as if a motivated attacker will eventually find every weakness. Do not assume "nobody would do that" — assume they will.

API Gateway Designer

Designs API gateway layers with routing, auth, rate limiting, and request transformation. Use when consolidating cross-cutting concerns, exposing services to external consumers, or choosing between Kong, AWS API Gateway, and Envoy. Gateway architecture, throttling, BFF.

Design gateway layers that handle cross-cutting concerns — authentication, rate limiting, routing, transformation, and observability — so backend services stay focused on business logic.

Secrets Management Advisor

Designs secrets lifecycle systems covering storage, distribution, rotation, and audit. Use when eliminating hardcoded credentials, planning rotation strategies, or migrating to a vault solution. Dynamic secrets, OIDC federation, dual-credential rotation, Vault, Doppler.

Design secrets management as if every secret will eventually leak — because statistically, they will.

Container Security Auditor

Audits container images for vulnerabilities, excessive privileges, and supply chain risks. Use when reviewing base image selection, triaging CVEs by exploitability, or hardening runtime security. Trivy, Grype, distroless, SUID.

Audit container images assuming any vulnerability with a public exploit will be targeted within 72 hours of disclosure.

Dependency Vulnerability Advisor

Triages dependency CVEs by exploitability and manages supply chain security. Use when overwhelmed by npm audit output, generating SBOMs, prioritizing patching, or preventing typosquatting attacks. Dependabot, Renovate, reachability analysis.

Manage dependency vulnerabilities as a continuous process. The goal is not zero vulnerabilities (impossible with transitive dependencies) — it is a managed posture where every known vulnerability has

IAM Policy Designer

Designs least-privilege IAM policies, role hierarchies, and service accounts for cloud environments. Use when scoping AWS IAM roles, configuring OIDC federation for CI/CD, or running quarterly access audits. Permission boundaries, SCPs, Workload Identity.

Design IAM policies as if every credential will eventually be compromised.

Compliance Advisor

Maps compliance frameworks to concrete technical controls. Use when implementing SOC 2, HIPAA, GDPR, or PCI-DSS requirements, generating audit evidence, or identifying cross-framework control overlap. Regulatory, access reviews, encryption.

Translate regulatory frameworks into concrete engineering tasks.

Frequently asked questions

Can Claude Code find security vulnerabilities in code?

Yes. The security reviewer skill walks application code against the OWASP Top 10:2025 categories — injection, broken access control, security misconfiguration, and the two new 2025 additions for supply chain failures and exceptional condition handling. Claude flags findings with severity ratings and specific remediation steps, not just line numbers.

How does Claude Code handle secrets management?

The secrets management advisor identifies hardcoded credentials, API keys, and tokens in the codebase, then generates a migration plan to HashiCorp Vault or AWS Secrets Manager. Claude writes rotation schedules and environment variable mappings so application code references secrets by name, never by value.

What changed in the OWASP Top 10 for 2025?

The 2025 revision shifted from symptoms to root causes. Security misconfiguration moved from fifth to second position. Two categories were added: software supply chain failures and mishandling of exceptional conditions. Server-side request forgery was folded into broken access control. Every tested application showed at least one misconfiguration.

Does Claude Code scan Docker containers for vulnerabilities?

Yes. The container security auditor skill runs Trivy or Snyk scans against container images, generates an SBOM in CycloneDX or SPDX format, and applies VEX filtering to separate reachable vulnerabilities from noise. The output meets EU Cyber Resilience Act requirements for software inventory documentation.

How do I secure non-human identities like service accounts and API keys?

Non-human identities outnumber employees 100-to-1 in most enterprises and are predicted to become the primary cloud breach vector. The IAM policy designer and secrets management advisor handle this by enforcing short-lived credentials, least-privilege scoping, and automated rotation through a centralized vault.

What is the difference between Trivy, Snyk, and Docker Scout for container scanning?

Trivy is free and broadly compatible but requires self-managed infrastructure. Snyk adds reachability analysis that reduces alert noise by 30 to 70 percent. Docker Scout integrates natively with Docker Desktop and pulls vulnerability data from a continuously updated API. Most teams combine two: one in CI and one in the developer workflow.