Beyond the Chatbot: How Claude Code Turns Security into a Single-Command Workflow

hackernews | 🔬 Research
#automation #claude #claude code #devsecops #review #security #workflow
Original source: hackernews · Summarized and analyzed by Genesis Park

Summary

Claude Code goes beyond a simple chatbot: it is an agentic security tool that uses Markdown-based prompts to automate multi-step security workflows. It chains three skills into an end-to-end pipeline: a full code audit driven by Semgrep analysis (/security-code-review), real-world risk assessment with CVSS 4.0 grounded in IaC files (/security-iac-triage), and patch generation that fixes vulnerabilities with the smallest possible change (/security-vibe-patch). In particular, it tracks signals such as internet exposure to strip out false-positive noise, and it supports three risk-assessment postures, Strict, Standard and Lenient, so that security can be managed precisely according to the characteristics of each project. All security artifacts are managed together in a '/security-review/' directory inside the repository, which reduces friction between development and security teams and greatly improves defensive efficiency.

Body

Repository: https://github.com/ch0ks/hackarandas-claude-toolbelt

Every seasoned DevSecOps lead knows the “security tax”: the grinding friction between a high-velocity engineering team and a security team buried under vulnerability fatigue. We’ve all seen the cycle: a static scanner dumps a thousand-line PDF of potential leaks, a developer spends days triaging what actually matters, and then comes a messy stream of manual remediation PRs that often break the “vibe” of the codebase. In that triage-to-remediation gap, security posture quietly decays.

Claude Code flips the script. It’s not just a chatbot; it’s an agentic assistant that can run a sophisticated, end-to-end security pipeline directly from your terminal. By shifting the focus from “tools that find problems” to “agents that solve them,” Claude Code moves the signal-to-noise ratio back in favor of the defender.

At first glance, typing / in Claude Code feels like using a standard CLI. But there’s a subtle, important distinction between a “command” and a “skill.” Commands are hardcoded, fixed-logic operations—administrative tools like /clear or /config that don’t involve AI reasoning. Skills, though, are something else entirely. They are prompt-based capabilities defined in Markdown files, effectively giving Claude a “playbook” of instructions. A skill doesn’t just run a script; it can spawn sub-agents, invoke specialized tools, and orchestrate multi-step workflows across your codebase and infrastructure.

The real power comes from chaining three specialized skills into an end-to-end security pipeline:

- /security-code-review: Orchestrates a full audit by combining Semgrep Pro’s interprocedural taint analysis with a manual-style vulnerability assessment. It produces a formal report covering injection risks, auth flaws, cryptographic issues, dependency risks, and OWASP Top 10 (2021)-style coverage.
- /security-iac-triage: Once findings are surfaced, this skill triages them by grounding CVSS 4.0 scores in your actual Infrastructure-as-Code (Terraform, Kubernetes, CloudFormation, Docker Compose, Azure Pipelines). It answers the critical question: Is this vulnerability actually exposed to the internet, or is it sealed behind internal network rules?
- /security-vibe-patch: The final step is remediation. This skill reads the security report and generates minimal, precise patches. Following the “Vibe Security Patching” methodology, it makes the smallest possible change to fix the bug—without refactoring your entire codebase or rewriting comments.

Typical AI tools give you isolated snippets. Claude Code, by contrast, orchestrates an end-to-end “Agentic Pipeline” using these three skills.

When you run /security-code-review, Claude acts as an Expert Security Engineer. It doesn’t just invoke Semgrep Pro; it layers manual-style analysis on top, performing interprocedural taint-tracing across six critical classes:

- Injection & taint flows (e.g., HTTP headers, cookies, DB results flowing to dangerous sinks).
- Authentication & authorization (IDOR, JWT algorithm confusion, broken access-control patterns).
- Secrets & sensitive data (hardcoded credentials, PII exposure).
- Cryptography (weak algorithms, timing-vulnerable comparisons).
- OWASP Top 10 (2021)-style coverage.
- Dependency risks (deprecated or vulnerable imports).

All artifacts—SAST reports, IaC mappings, and patch diffs—are centralized in a /security-review/ directory at the repo root, so each stage of the pipeline reads the verifiable output of the previous one.

The biggest credibility killer for AI security reports is the “unreachable sink”—flagging a critical vulnerability in a service that isn’t even internet-facing. Claude Code eliminates this noise via /security-iac-triage. Claude doesn’t guess at severity. Instead, it hunts through your Terraform, Kubernetes, Docker Compose, CloudFormation, and Azure Pipeline files to surface deployment signals and map them directly to CVSS 4.0 vectors like Attack Vector (AV), Privileges Required (PR), and Attack Complexity (AC). Key signals include:

- Network exposure: Ingress rules (0.0.0.0/0), internet-facing load balancers, mapped host ports.
- Auth controls: IAM roles, Cognito-style identity providers, WAF-protected endpoints (which increase AC).
- Secrets management: Distinguishing weak patterns (e.g., base64-encoded K8s secrets) from strong providers (AWS Secrets Manager, HashiCorp Vault).

You also control the team’s risk posture via a Scoring Posture:

| Posture | When to Use | Assumption for Unknowns |
|---|---|---|
| Strict | Compliance audits, pen-test prep | Assume worst-case for all unknowns |
| Standard | Sprint reviews, pre-merge checks | Infer from IaC context |
| Lenient | Internal tooling, early-stage projects | Absence of evidence = low risk |

This ensures different projects can apply the same pipeline at different risk dials, without sacrificing rigor.

Typical AI remediation can lead to “refactoring sprawl”—rewriting an entire class to fix a single nu
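The triage mapping described above, as an added illustration that is not code from the hackarandas-claude-toolbelt project: a toy model that turns IaC deployment signals into the CVSS 4.0 Attack Vector, Attack Complexity and Privileges Required metrics under the three scoring postures. The IacEvidence fields, the "adjacent network" value for internal-only services and the Standard-posture inference rules are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import Optional

ANYWHERE = {"0.0.0.0/0", "::/0"}  # ingress source ranges that mean "open to the internet"

@dataclass
class IacEvidence:
    """What the IaC actually says about a service; None means no evidence either way."""
    ingress_cidrs: list = field(default_factory=list)  # security-group / ingress source ranges
    lb_scheme: Optional[str] = None                     # "internet-facing" or "internal"
    identity_in_front: Optional[bool] = None            # IAM role / identity-provider gate
    waf: Optional[bool] = None                          # WAF-protected endpoint

def observed_exposure(ev: IacEvidence) -> Optional[bool]:
    """Direct evidence of internet exposure, or None if the IaC is silent."""
    if any(c in ANYWHERE for c in ev.ingress_cidrs) or ev.lb_scheme == "internet-facing":
        return True
    if ev.lb_scheme == "internal":
        return False
    return None

def resolve(value: Optional[bool], posture: str, worst: bool, inferred: bool) -> bool:
    """Apply the posture rule for unknowns: strict = worst case,
    lenient = absence of evidence is low risk, standard = infer from IaC context."""
    if value is not None:
        return value  # hard evidence always wins, whatever the posture
    return {"strict": worst, "lenient": not worst, "standard": inferred}[posture]

def cvss_exploitability(ev: IacEvidence, posture: str) -> str:
    """Return the CVSS 4.0 AV/AC/PR fragment for a finding in this service."""
    # Standard-posture inferences (assumptions made for this toy, not the skill's rules):
    # any ingress rule at all hints at exposure, an exposed service with no visible
    # identity gate is treated as anonymous, and an unseen WAF is treated as absent.
    exposed = resolve(observed_exposure(ev), posture, worst=True, inferred=bool(ev.ingress_cidrs))
    gated = resolve(ev.identity_in_front, posture, worst=False, inferred=not exposed)
    waf = resolve(ev.waf, posture, worst=False, inferred=False)
    av = "N" if exposed else "A"  # internal-only service scored as adjacent network (assumption)
    ac = "H" if waf else "L"      # a WAF raises Attack Complexity, as the article notes
    pr = "L" if gated else "N"    # an identity gate means at least low privileges are required
    return f"AV:{av}/AC:{ac}/PR:{pr}"

if __name__ == "__main__":
    silent = IacEvidence()  # constructed sample: IaC with no exposure evidence at all
    for posture in ("strict", "standard", "lenient"):
        print(posture, cvss_exploitability(silent, posture))
```

With no evidence at all the three postures land on three different vectors, which is exactly the "risk dial" effect the table describes; once the IaC states exposure, identity gating and WAF explicitly, all three postures agree.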

This analysis was written by the Genesis Park editorial team with the help of AI. The original article can be found via the source link.
