Production-oriented AI security skills for static analysis, threat modeling, remediation, security review, and serialization-focused audits.
eresus-sast-scanner is the core skill in the Eresus Security AppSec suite for AI coding agents such as OpenAI Codex and Claude Code. It is designed to help agents review source code with a structured, evidence-first security workflow instead of loose pattern matching.
The suite focuses on practical application security work:
- full-repository or targeted SAST scanning
- threat modeling for new features and services
- PR and diff-focused security review
- remediation of confirmed findings
- deep analysis of serialization and deserialization attack surface
Supported language families include Java, Python, JavaScript/TypeScript, PHP, and .NET.
| Skill | Primary Use |
|---|---|
eresus-sast-scanner |
Full-repo or targeted SAST scan across 34 vulnerability classes |
eresus-manual-security-audit |
Manual security code review with exploit-chain discovery, adversarial reasoning, and trust boundary analysis |
eresus-remediator |
Patch confirmed findings with root-cause-focused fixes |
eresus-pr-security-review |
Review PRs and changed files for newly introduced security issues |
eresus-threat-modeler |
Model attack paths, trust boundaries, and high-risk workflows before scanning or implementation |
eresus-serialization-review |
Deep review of deserialization, parser abuse, object mapping, and state-transfer risks |
eresus-variant-analysis |
GHSA/CVE variant analysis — find all instances of a known vulnerability pattern across the codebase |
eresus-codeql-heuristics |
Language-specific sink/source reference derived from CodeQL Community Packs query suites |
eresus-deser-audit |
Deserialization gadget chain knowledge and exploitation methodology for all major languages |
eresus-python-audit |
Python-specific audit with full Bandit B101-B704 coverage, Django/Flask/FastAPI checks, and ML attack surface |
eresus-php-audit |
PHP-specific audit with Kunlun-M CVI rules, POP chain discovery, and Laravel/WordPress/Symfony checks |
This suite is built around a simple principle: security findings should be tied to a believable exploit path.
Instead of stopping at suspicious strings, the core scanner pushes the agent to:
- identify attacker-controlled sources
- trace tainted data through the codebase
- verify that it reaches a dangerous sink
- challenge the finding with a Judge step to reduce false positives
- produce actionable remediation guidance
That makes it useful not only for vulnerability hunting, but also for patching, design review, and PR gating.
Recommended repository name: appsec-skills
# Interactive — prompts you to select your agent
npx @eresus/appsec-skills
# Direct — specify your agent
npx @eresus/appsec-skills --agent claude
npx @eresus/appsec-skills --agent codex
npx @eresus/appsec-skills --agent antigravity
npx @eresus/appsec-skills --agent cursor
# Install specific skills only
npx @eresus/appsec-skills --agent claude --skills sast,audit,threat
# Custom directory
npx @eresus/appsec-skills --dir /path/to/your/skills
# List available skills
npx @eresus/appsec-skills --list# Claude Code
git clone https://github.com/EresusSecurity/appsec-skills.git
cp -r appsec-skills/skills/eresus-sast-scanner/ ~/.claude/skills/
cp -r appsec-skills/skills/eresus-manual-security-audit/ ~/.claude/skills/
cp -r appsec-skills/skills/eresus-remediator/ ~/.claude/skills/
cp -r appsec-skills/skills/eresus-pr-security-review/ ~/.claude/skills/
cp -r appsec-skills/skills/eresus-threat-modeler/ ~/.claude/skills/
cp -r appsec-skills/skills/eresus-serialization-review/ ~/.claude/skills/
# OpenAI Codex
git clone https://github.com/EresusSecurity/appsec-skills.git
cp -r appsec-skills/skills/eresus-sast-scanner/ ~/.codex/skills/
cp -r appsec-skills/skills/eresus-manual-security-audit/ ~/.codex/skills/
cp -r appsec-skills/skills/eresus-remediator/ ~/.codex/skills/
cp -r appsec-skills/skills/eresus-pr-security-review/ ~/.codex/skills/
cp -r appsec-skills/skills/eresus-threat-modeler/ ~/.codex/skills/
cp -r appsec-skills/skills/eresus-serialization-review/ ~/.codex/skills/Copy the skill directories you want into your agent's skills folder:
# Claude Code
cp -r skills/eresus-sast-scanner/ ~/.claude/skills/
cp -r skills/eresus-manual-security-audit/ ~/.claude/skills/
cp -r skills/eresus-remediator/ ~/.claude/skills/
cp -r skills/eresus-pr-security-review/ ~/.claude/skills/
cp -r skills/eresus-threat-modeler/ ~/.claude/skills/
cp -r skills/eresus-serialization-review/ ~/.claude/skills/
# OpenAI Codex
cp -r skills/eresus-sast-scanner/ ~/.codex/skills/
cp -r skills/eresus-manual-security-audit/ ~/.codex/skills/
cp -r skills/eresus-remediator/ ~/.codex/skills/
cp -r skills/eresus-pr-security-review/ ~/.codex/skills/
cp -r skills/eresus-threat-modeler/ ~/.codex/skills/
cp -r skills/eresus-serialization-review/ ~/.codex/skills/| Goal | Recommended Skill |
|---|---|
| Audit a repository for security bugs | eresus-sast-scanner |
| Deep manual audit with exploit-chain discovery | eresus-manual-security-audit |
| Review a pull request or changed files | eresus-pr-security-review |
| Patch a confirmed vulnerability | eresus-remediator |
| Threat model a new feature or service | eresus-threat-modeler |
| Audit Jackson, Fastjson, YAML, XML, cookies, sessions, or queue payloads | eresus-serialization-review |
The main scanner skill follows a structured six-step process:
-
Understand scope
Determine whether the target is a file, module, endpoint, service, or full repository. -
Load relevant knowledge
Pull in the vulnerability knowledge files relevant to the language, framework, and attack surface. -
Trace source-to-sink flow
Track attacker-controlled input through transformations into sensitive operations. -
Check business logic and authorization
Look beyond injection bugs for IDOR, privilege issues, race conditions, token misuse, and trust-boundary problems. -
Judge every candidate finding
Re-check reachability, sanitization, framework protections, and exploitability before reporting. -
Report actionable findings
Output precise file locations, impact, evidence, and fix guidance.
The core scanner includes built-in knowledge for 34 vulnerability classes.
| File | Coverage |
|---|---|
sql_injection.md |
SQL Injection |
xss.md |
Cross-Site Scripting |
ssti.md |
Server-Side Template Injection |
nosql_injection.md |
NoSQL Injection |
graphql_injection.md |
GraphQL Injection / Introspection Abuse |
xxe.md |
XML External Entity |
rce.md |
Remote Code Execution / Command Injection |
expression_language_injection.md |
Expression Language Injection |
| File | Coverage |
|---|---|
idor.md |
Insecure Direct Object Reference |
privilege_escalation.md |
Privilege Escalation |
authentication_jwt.md |
JWT Weaknesses and Authentication Flaws |
default_credentials.md |
Hardcoded or Default Credentials |
brute_force.md |
Brute Force and Missing Rate Limiting |
business_logic.md |
Business Logic Flaws |
http_method_tamper.md |
HTTP Method Tampering |
verification_code_abuse.md |
Verification Code Abuse |
session_fixation.md |
Session Fixation |
| File | Coverage |
|---|---|
weak_crypto_hash.md |
Weak Cryptography, Weak Hashing, Weak Randomness |
information_disclosure.md |
Sensitive Information Disclosure |
insecure_cookie.md |
Insecure Cookie Flags |
trust_boundary.md |
Trust Boundary Violations |
| File | Coverage |
|---|---|
ssrf.md |
Server-Side Request Forgery |
path_traversal_lfi_rfi.md |
Path Traversal, LFI, RFI |
insecure_deserialization.md |
Insecure Deserialization |
arbitrary_file_upload.md |
Arbitrary File Upload |
jndi_injection.md |
JNDI Injection |
race_conditions.md |
Race Conditions and TOCTOU |
| File | Coverage |
|---|---|
csrf.md |
Cross-Site Request Forgery |
open_redirect.md |
Open Redirect |
smuggling_desync.md |
HTTP Request Smuggling / Desync |
denial_of_service.md |
Resource Exhaustion and Denial of Service |
cve_patterns.md |
High-Risk CVE-Style Code Patterns |
| File | Coverage |
|---|---|
php_security.md |
PHP-Specific Security Risks |
mobile_security.md |
Android and iOS Security Risks |
- Use
eresus-threat-modelerbefore auditing large features so the scan starts from the right trust boundaries. - Use
eresus-manual-security-auditfor depth-first adversarial review of security-critical components — auth, callbacks, middleware, tool execution, and trust boundaries. - Use
eresus-manual-security-auditwith the[TeachMe]token to train junior engineers on secure coding patterns while performing a real audit. - Use
eresus-pr-security-reviewduring code review to focus on newly introduced attack surface instead of re-auditing the whole repository. - Use
eresus-remediatorafter a confirmed finding to drive minimal, production-safe patches. - Use
eresus-serialization-reviewwhen the system relies on session blobs, queues, import/export features, or dynamic parser configuration. - Run more than one scan round for large codebases when you want better recall and more stable reporting.
Benchmark numbers are reference values and may vary by model configuration, prompt strategy, and available context.
4 Java benchmark projects were scanned in parallel using 4 agents with the full scanner workflow and Judge verification enabled.
| Project | Recall | Precision | F1 | TP | FN | FP |
|---|---|---|---|---|---|---|
| JavaSecLab | 1.000 | 0.958 | 0.979 | 23 | 0 | 1 |
| SecExample | 1.000 | 1.000 | 1.000 | 9 | 0 | 0 |
| VulnerableApp | 1.000 | 1.000 | 1.000 | 10 | 0 | 0 |
| verademo | 1.000 | 1.000 | 1.000 | 14 | 0 | 0 |
| Global | 1.000 | 0.982 | 0.991 | 56 | 0 | 1 |
| Project | Recall | Precision | F1 | TP | FN | FP |
|---|---|---|---|---|---|---|
| JavaSecLab | 0.957 | 1.000 | 0.978 | 22 | 1 | 0 |
| SecExample | 0.889 | 1.000 | 0.941 | 8 | 1 | 0 |
| VulnerableApp | 0.900 | 0.900 | 0.900 | 9 | 1 | 1 |
| verademo | 0.929 | 1.000 | 0.963 | 13 | 1 | 0 |
| Global | 0.929 | 0.981 | 0.954 | 52 | 4 | 1 |
appsec-skills/
├── README.md
├── LICENSE
├── package.json
├── assets/
│ ├── eresus-banner.svg
│ └── eresus-logo.svg
├── scripts/
│ └── install.mjs
└── skills/
├── eresus-sast-scanner/
│ ├── SKILL.md
│ └── references/
├── eresus-manual-security-audit/
│ └── SKILL.md
├── eresus-remediator/
│ └── SKILL.md
├── eresus-pr-security-review/
│ └── SKILL.md
├── eresus-threat-modeler/
│ └── SKILL.md
└── eresus-serialization-review/
└── SKILL.md
Maintained under the EresusSecurity GitHub organization:
Contributions that improve detection quality, reduce false positives, or strengthen language-specific coverage are welcome.
Apache License 2.0
