Claude Code skills for application security at Bitwarden. Generic AI coding assistance doesn't know our scanner toolchain, triage workflows, or threat modeling practices. These skills keep Claude focused on how we secure software here.
This plugin provides specialized skills for security engineering tasks — from triaging scanner findings and threat modeling to conducting multi-agent security code reviews. Skills can be invoked individually or orchestrated together for comprehensive coverage across code, dependencies, secrets, and architecture.
| Skill | What It Does |
|---|---|
| triaging-security-findings | Triage Checkmarx, SonarCloud, and Grype findings via the GitHub Advanced Security API. Includes finding state rules, false positive protocol, and fix patterns. |
| threat-modeling | Generate security definitions, data flow diagrams, and threat catalogs using STRIDE. Follows Bitwarden's 4-phase AppSec engagement model. |
| analyzing-code-security | Security code review against OWASP Web/API/Mobile Top 10 and CWE Top 25. Step-by-step review workflow with adversarial mindset guidance. |
| reviewing-dependencies | Dependabot triage, Grype scanning, transitive dependency risk analysis. NuGet and npm platform-specific guidance. |
| detecting-secrets | Hardcoded credential detection with context-aware analysis. GitHub secret scanning integration, Azure Key Vault remediation. |
| reviewing-security-architecture | Architecture-level review for authentication, authorization, encryption, trust boundaries, and cryptographic patterns. |
| perform-security-review | Multi-agent security code review with 4 specialized agents, two-axis Severity × Confidence scoring, GHAS scan evidence, and flexible output (chat, file, or GitHub Actions). |
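As an added illustration of the kind of triage data the triaging-security-findings skill works with (this is example code written for this page, not part of the plugin), the block below builds a GitHub code scanning alerts request, then ranks constructed sample alerts by security severity and summarizes dismissed ones by reason. The alert records are constructed to follow the field layout of the code scanning API's list-alerts response; the repository, token and rule ids are placeholders, and the severity ranking is an assumed ordering, not the plugin's own state rules.

```python
"""Triage helpers for GitHub code scanning (GHAS) alerts.

Constructed example: the records in SAMPLE_ALERTS imitate the JSON shape
returned by GET /repos/{owner}/{repo}/code-scanning/alerts; every value
(alert numbers, rule ids, paths) is made up for illustration.
"""
from collections import Counter
from urllib.request import Request

# Constructed sample alerts in the code scanning API response shape.
SAMPLE_ALERTS = [
    {"number": 41, "state": "open",
     "rule": {"id": "example/sql-injection", "security_severity_level": "high"},
     "tool": {"name": "Checkmarx"},
     "most_recent_instance": {"location": {"path": "src/Api/Orders.cs", "start_line": 88}}},
    {"number": 42, "state": "open",
     "rule": {"id": "example/weak-hash", "security_severity_level": "medium"},
     "tool": {"name": "SonarCloud"},
     "most_recent_instance": {"location": {"path": "src/Core/Hashing.cs", "start_line": 12}}},
    {"number": 43, "state": "dismissed", "dismissed_reason": "false positive",
     "rule": {"id": "example/path-traversal", "security_severity_level": "high"},
     "tool": {"name": "Checkmarx"},
     "most_recent_instance": {"location": {"path": "src/Api/Files.cs", "start_line": 140}}},
    {"number": 44, "state": "open",
     "rule": {"id": "example/vulnerable-package", "security_severity_level": "critical"},
     "tool": {"name": "Grype"},
     "most_recent_instance": {"location": {"path": "package-lock.json", "start_line": 1}}},
    {"number": 45, "state": "fixed",
     "rule": {"id": "example/log-injection", "security_severity_level": "low"},
     "tool": {"name": "SonarCloud"},
     "most_recent_instance": {"location": {"path": "src/Core/Logging.cs", "start_line": 30}}},
    {"number": 46, "state": "open",
     # Some rules carry only a tool severity and no security_severity_level.
     "rule": {"id": "example/style-rule", "severity": "warning"},
     "tool": {"name": "SonarCloud"},
     "most_recent_instance": {"location": {"path": "src/Core/Util.cs", "start_line": 5}}},
]

# Assumed ordering for triage; unknown/missing levels sort last.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
UNKNOWN_RANK = 99


def build_list_request(owner: str, repo: str, token: str, state: str = "open") -> Request:
    """Prepare (but do not send) the list-alerts request for one repository."""
    url = (f"https://api.github.com/repos/{owner}/{repo}/code-scanning/alerts"
           f"?state={state}&per_page=100")
    return Request(url, headers={
        "Accept": "application/vnd.github+json",
        "Authorization": f"Bearer {token}",
        "X-GitHub-Api-Version": "2022-11-28",
    })


def severity_rank(alert: dict) -> int:
    return SEVERITY_RANK.get(alert["rule"].get("security_severity_level"), UNKNOWN_RANK)


def prioritize_open_alerts(alerts: list) -> list:
    """Return open alerts ordered most severe first, ties broken by alert number."""
    open_alerts = [a for a in alerts if a["state"] == "open"]
    return sorted(open_alerts, key=lambda a: (severity_rank(a), a["number"]))


def dismissed_by_reason(alerts: list) -> Counter:
    """Count dismissed alerts per reason so false-positive volume is visible."""
    return Counter(a.get("dismissed_reason", "unspecified")
                   for a in alerts if a["state"] == "dismissed")


def describe(alert: dict) -> str:
    """One-line summary used when reporting a finding in a triage note."""
    loc = alert["most_recent_instance"]["location"]
    level = alert["rule"].get("security_severity_level", "unrated")
    return (f"#{alert['number']} [{level}] {alert['tool']['name']} "
            f"{alert['rule']['id']} at {loc['path']}:{loc['start_line']}")


if __name__ == "__main__":
    for a in prioritize_open_alerts(SAMPLE_ALERTS):
        print(describe(a))
    print(dict(dismissed_by_reason(SAMPLE_ALERTS)))
```

Only open alerts are queued for review; fixed alerts drop out and dismissed ones are reported separately so that a growing "false positive" count can be checked against the false positive protocol rather than hidden. Replace the placeholder owner, repo and token when issuing the prepared request.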
Install the plugin and invoke the agent, for example:

- Use the bitwarden-security-engineer:bitwarden-security-engineer agent to triage the open Checkmarx findings on this PR.
- Use the bitwarden-security-engineer:bitwarden-security-engineer agent to create a threat model for the new Send feature.
- Use the bitwarden-security-engineer:bitwarden-security-engineer agent to review this code for OWASP Top 10 vulnerabilities.
External resources that informed each skill. Useful for maintainers updating skill content when upstream sources change.
- Security Definitions — Official vocabulary and terminology
- Security Principles — P01-P06 foundation principles
- Security Requirements — VD/EK/AT/SC/TC requirement categories
- Threat Modeling Manifesto
- Threat Modeling Guide for Software Teams
- OWASP Threat Modeling Process
- Checkmarx Triage Documentation
- SonarCloud Documentation
- GitHub Code Scanning API
- GitHub Dependabot API
- OWASP Top Ten
- OWASP API Security Top 10
- OWASP Mobile Top 10 2024
- CWE Top 25 Most Dangerous Software Weaknesses
- OWASP Code Review Guide
- GitHub Dependabot Documentation
- Grype GitHub Repository
- OWASP Dependency-Check
- npm Security Best Practices