Installing a security scanner usually means configuring YAML files, wiring up CI pipelines, and tuning rules to stop the false-positive flood. Vulniq skips all of that. It's a Claude Code skill - meaning you install it with a single command and it runs inside your existing Claude Code session, combining Claude's code analysis with CLI tools like npm audit and Git history inspection.
The scanner covers 10 security categories: hardcoded secrets, XSS vulnerabilities, missing security headers, PII exposure, authentication issues, dependency vulnerabilities, OWASP Top 10 patterns, CORS misconfigurations, error handling leaks, and supply chain risks. Each category starts with a score of 100 and gets dinged based on severity - critical findings cost 30 points, high-severity findings cost 15, medium costs 5, and low costs 2. The final output is a letter grade from A to F.
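As an added illustration (my code, not Vulniq's own implementation), here is the scoring rule above written out in JavaScript, the language the scanner targets. The per-severity deductions and the ten categories come from the description; the floor at zero, the letter cut-offs (A at 90 and up, then 80, 70, 60, else F) and how the ten category scores roll up into one overall grade are assumptions, since the page does not state them.

```javascript
// Added example, not Vulniq's code: per-category scoring as described.
// Each category starts at 100; critical -30, high -15, medium -5, low -2.
// Assumed (not on the page): scores floor at 0, the letter cut-offs, and the
// overall grade being reported both as the mean and as the worst category.
const DEDUCTION = { critical: 30, high: 15, medium: 5, low: 2 };

// The ten categories the article lists; the short ids are mine.
const CATEGORIES = [
  "secrets", "xss", "security-headers", "pii", "auth",
  "dependencies", "owasp-top10", "cors", "error-handling", "supply-chain",
];

// Assumed cut-offs: A >= 90, B >= 80, C >= 70, D >= 60, else F.
function letterGrade(score) {
  if (score >= 90) return "A";
  if (score >= 80) return "B";
  if (score >= 70) return "C";
  if (score >= 60) return "D";
  return "F";
}

// findings: [{ category, severity, file, line }]
function scoreCategories(findings, categories = CATEGORIES) {
  const scores = Object.fromEntries(categories.map((c) => [c, 100]));
  for (const f of findings) {
    const d = DEDUCTION[f.severity];
    if (d === undefined) throw new Error(`unknown severity: ${f.severity}`);
    if (!(f.category in scores)) throw new Error(`unknown category: ${f.category}`);
    scores[f.category] = Math.max(0, scores[f.category] - d); // assumed floor at 0
  }
  return scores;
}

// Rolls the per-category scores up two ways so the reader can compare them.
function gradeReport(findings, categories = CATEGORIES) {
  const scores = scoreCategories(findings, categories);
  const perCategory = {};
  let total = 0;
  let worst = 100;
  for (const [c, s] of Object.entries(scores)) {
    perCategory[c] = { score: s, grade: letterGrade(s) };
    total += s;
    worst = Math.min(worst, s);
  }
  const mean = Math.round(total / categories.length);
  return {
    perCategory,
    mean, meanGrade: letterGrade(mean),
    worst, worstGrade: letterGrade(worst),
  };
}

// Constructed sample findings, not real scanner output.
const SAMPLE_FINDINGS = [
  { category: "secrets", severity: "critical", file: "src/config.js", line: 12 },
  { category: "secrets", severity: "high", file: "src/db.js", line: 4 },
  { category: "xss", severity: "medium", file: "src/render.js", line: 30 },
  { category: "xss", severity: "medium", file: "src/render.js", line: 57 },
  { category: "dependencies", severity: "low", file: "package-lock.json", line: 1 },
];

console.log(JSON.stringify(gradeReport(SAMPLE_FINDINGS), null, 2));
```

With the constructed sample, the secrets category drops to 55 (an F) while the mean across ten categories is still 94 (an A). Whatever aggregation the real tool uses, the per-category lines are the ones worth reading, because a single headline letter dilutes one failing category across nine clean ones.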
The interesting part is how it handles false positives. Rather than just pattern-matching and flagging every string that looks like a key, Vulniq reads surrounding context before reporting a finding. If a string is clearly a placeholder or test fixture, it should get filtered out. You can also suppress known false positives through configuration, and it tracks scan history so you can see how your security posture changes over time.
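To make that context-reading concrete, here is an added example (mine, not the skill's implementation) of a hardcoded-secret check that, for every pattern match, decides whether to report it, filter it as a placeholder or test fixture, or honour a suppression entry. The rule patterns, the fixture-path and placeholder heuristics, the entropy threshold and the shape of the suppression list are assumptions; the sample sources are constructed and contain no live credentials.

```javascript
// Added example, not Vulniq's code: a context-aware hardcoded-secret check.
// Everything below the rule prefixes (AKIA for AWS access key ids, ghp_ for
// GitHub personal access tokens, both published formats) is an assumption.
const SECRET_RULES = [
  { id: "aws-access-key-id", severity: "critical", re: /\bAKIA[0-9A-Z]{16}\b/g },
  { id: "github-pat", severity: "critical", re: /\bghp_[A-Za-z0-9]{36}\b/g },
  { id: "generic-api-key", severity: "high",
    re: /(?:api[_-]?key|secret|token)\s*[:=]\s*["']([^"']{16,})["']/gi },
];

// Paths that hold tests, fixtures or example configs (assumed convention).
const FIXTURE_PATH =
  /(^|\/)(tests?|__tests__|spec|fixtures?|examples?|mocks?)\/|\.(test|spec)\.[jt]sx?$|\.example$/i;
// Values that are obviously placeholders rather than credentials.
const PLACEHOLDER_VALUE =
  /^(x+|0+|\*+|<[^>]*>)$|^(your|my|sample|dummy|fake|example|placeholder|changeme|replace)[_-]|(example|placeholder|dummy|changeme|xxxx)/i;
const MIN_ENTROPY_BITS = 3.0; // assumed threshold, bits per character

// Shannon entropy of a string; real random tokens score well above 3 bits/char.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Returns null when the match should be reported, otherwise the filter reason.
function contextFilterReason(file, value, ruleId, suppressions) {
  if (PLACEHOLDER_VALUE.test(value)) return "placeholder-value";
  if (FIXTURE_PATH.test(file)) return "fixture-path";
  if (shannonEntropy(value) < MIN_ENTROPY_BITS) return "low-entropy";
  if (suppressions.some((s) => s.ruleId === ruleId && s.file === file)) return "suppressed";
  return null;
}

// files: { [path]: source }; suppressions: [{ ruleId, file }] (assumed shape).
// Filtered matches are returned too, so suppressions stay auditable.
function scanFiles(files, suppressions = []) {
  const findings = [];
  const filtered = [];
  for (const [file, source] of Object.entries(files)) {
    source.split("\n").forEach((text, i) => {
      for (const rule of SECRET_RULES) {
        for (const m of text.matchAll(rule.re)) {
          const value = m[1] ?? m[0];
          const base = { ruleId: rule.id, file, line: i + 1 };
          const reason = contextFilterReason(file, value, rule.id, suppressions);
          if (reason) {
            filtered.push({ ...base, reason });
          } else {
            // Never echo the matched value itself into a report.
            findings.push({ ...base, severity: rule.severity, category: "secrets",
                            preview: value.slice(0, 4) + "..." });
          }
        }
      }
    });
  }
  return { findings, filtered };
}

// Constructed sources; none of these values is a real credential.
const SAMPLE_FILES = {
  "src/config.js": 'const AWS_KEY = "AKIAQ2RT7FEX9M4PLK3B";\n',
  "test/fixtures/aws.js": 'module.exports = { key: "AKIAQ2RT7FEX9M4PLK3B" };\n',
  ".env.example": 'API_KEY="your_api_key_here_xxxx"\n',
  "src/util.js": 'const secret = "abababababababababab";\n',
  "src/legacy/sync.js": 'const token = "b7f3c9e1d2a84f6b9c0e5d7a1f2b3c4d";\n',
};
const SUPPRESSIONS = [{ ruleId: "generic-api-key", file: "src/legacy/sync.js" }];

console.log(JSON.stringify(scanFiles(SAMPLE_FILES, SUPPRESSIONS), null, 2));
```

Only the key in src/config.js survives as a finding; the same key under test/fixtures/ is filtered by path, the .env.example value by its placeholder shape, the repeating string by its entropy, and the legacy token by an explicit suppression entry. Keeping the filtered list in the output matters: a suppression that names a rule and a file can be reviewed, whereas silencing a rule repository-wide cannot.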
Output comes in two formats: SARIF 2.1.0 JSON (the standard format that integrates with GitHub code scanning, VS Code, and other security dashboards) and a human-readable Markdown report. Both land in a ./reports/ directory with timestamps.
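As an added example of the SARIF side of that (my code, not the skill's), the block below turns a list of findings into a minimal SARIF 2.1.0 log of the kind GitHub code scanning and VS Code SARIF viewers ingest, checks the handful of fields those consumers depend on, and builds the timestamped report path. The property names follow the SARIF 2.1.0 specification; the finding shape, the tool name, the severity-to-level mapping and the file-name pattern under reports/ are assumptions.

```javascript
// Added example, not Vulniq's code: emit and sanity-check a SARIF 2.1.0 log.
// SARIF "level" knows only error / warning / note / none, so a scanner with a
// "critical" tier has to fold it into "error" (assumed mapping).
function severityToLevel(severity) {
  switch (severity) {
    case "critical":
    case "high": return "error";
    case "medium": return "warning";
    case "low": return "note";
    default: return "none";
  }
}

// findings: [{ ruleId, category, severity, file, line, message }] (assumed shape)
function toSarif(findings, tool = { name: "example-scanner", version: "0.0.0" }) {
  // One reportingDescriptor per distinct ruleId, referenced by index from results.
  const rules = [];
  const ruleIndex = new Map();
  for (const f of findings) {
    if (!ruleIndex.has(f.ruleId)) {
      ruleIndex.set(f.ruleId, rules.length);
      rules.push({ id: f.ruleId, shortDescription: { text: f.ruleId },
                   properties: { category: f.category } });
    }
  }
  return {
    $schema: "https://json.schemastore.org/sarif-2.1.0.json",
    version: "2.1.0",
    runs: [{
      tool: { driver: { name: tool.name, version: tool.version, rules } },
      results: findings.map((f) => ({
        ruleId: f.ruleId,
        ruleIndex: ruleIndex.get(f.ruleId),
        level: severityToLevel(f.severity),
        message: { text: f.message },
        locations: [{
          physicalLocation: {
            artifactLocation: { uri: f.file }, // relative to the repository root
            region: { startLine: f.line },     // SARIF lines are 1-based
          },
        }],
        // Vendor-specific extras belong in the property bag, not in top-level keys.
        properties: { severity: f.severity, category: f.category },
      })),
    }],
  };
}

// Checks the fields consumers actually rely on; returns a list of problems.
function sarifProblems(doc) {
  const problems = [];
  if (doc.version !== "2.1.0") problems.push("version must be 2.1.0");
  if (!Array.isArray(doc.runs) || doc.runs.length === 0) {
    problems.push("runs must be a non-empty array");
    return problems;
  }
  doc.runs.forEach((run, r) => {
    if (!run.tool?.driver?.name) problems.push(`runs[${r}].tool.driver.name missing`);
    (run.results || []).forEach((res, i) => {
      const where = `runs[${r}].results[${i}]`;
      if (!res.ruleId) problems.push(`${where}.ruleId missing`);
      if (typeof res.message?.text !== "string") problems.push(`${where}.message.text missing`);
      for (const loc of res.locations || []) {
        const pl = loc.physicalLocation;
        if (!pl?.artifactLocation?.uri) problems.push(`${where} location lacks artifactLocation.uri`);
        if (pl?.region && !(Number.isInteger(pl.region.startLine) && pl.region.startLine >= 1)) {
          problems.push(`${where} region.startLine must be an integer >= 1`);
        }
      }
    });
  });
  return problems;
}

// reports/scan-<UTC timestamp>.<ext>; colons are replaced so the name is valid
// on every filesystem (assumed naming, the page only says "with timestamps").
function reportPath(date, ext) {
  const stamp = date.toISOString().replace(/\.\d{3}Z$/, "Z").replace(/:/g, "-");
  return `reports/scan-${stamp}.${ext}`;
}

// Constructed findings, not real scanner output.
const SAMPLE_FINDINGS = [
  { ruleId: "hardcoded-secret", category: "secrets", severity: "critical",
    file: "src/config.js", line: 12, message: "Cloud access key id assigned to a constant" },
  { ruleId: "reflected-xss", category: "xss", severity: "medium",
    file: "src/render.js", line: 30, message: "Request parameter written to innerHTML without encoding" },
  { ruleId: "reflected-xss", category: "xss", severity: "low",
    file: "src/render.js", line: 57, message: "Query string interpolated into an HTML attribute" },
];

const sarif = toSarif(SAMPLE_FINDINGS, { name: "example-scanner", version: "0.1.0" });
console.log(reportPath(new Date(), "sarif"));
console.log(JSON.stringify(sarif, null, 2));
```

To write the file, pass the JSON string and reportPath(...) to fs.writeFileSync after creating reports/ with fs.mkdirSync(..., { recursive: true }). The uri values should stay relative to the repository root; absolute paths from the machine that ran the scan will not line up with the checkout that a code-scanning dashboard displays.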
The tool is limited to JavaScript and TypeScript codebases for now, and it requires zero configuration to get started. Install with npx skills add JakubKontra/skills --skill vulniq, run it, and you get a security audit without leaving your coding session. For solo developers and small teams who don't have a dedicated security pipeline, this fills a real gap - though it's no substitute for a proper penetration test on production systems.