feat: add /learn security — post-deploy live security scanner#9
Merged
Conversation
New module (.claude/commands/learn/security.md) that scans a live URL for real vulnerabilities — file exposure, auth gaps, missing headers, HTML injection, rate limiting, and secret leakage. Key design decisions: - Accepts a URL argument (/learn security https://...) so checks run against the running app, not just source code — same approach that caught real issues in a student's mood-tracker deployment - Phase A runs curl-based HTTP checks (files served, headers, auth endpoints, /config leakage) before asking the learner anything - Phase B asks only 2 targeted questions based on live findings - Added as Step 7 in deploy.md (after the live URL exists, not before) - Routing added to learn.md for /learn security [url] Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
מה זה
מודול חדש
/learn securityשסורק אפליקציה חיה לאחר פריסה ומלמד את הלומד על כל פרצה שנמצאת.הקשר
תלמיד בנה אפליקציית מעקב מצב רוח ופרסם אותה. סקירת אבטחה שנעשתה אחרי הפריסה מצאה 8 פרצות — כולל endpoint ללא אימות שאיפשר לכל אחד לשכתב את היומן, וחשיפת קוד המקור דרך
express.static(__dirname). מודול זה מוסיף בדיקה שיטתית לתוך פלוא הלמידה.שינויים
.claude/commands/learn/security.md(חדש)סקירת אבטחה ב-5 שלבים:
~/skill-tutor-tutorials/progress/security-[project].md.claude/commands/learn/deploy.mdנוסף Step 7 בסוף — אחרי שיש URL חי, הלומד מוזמן להריץ
/learn security [URL]. הסיבה לסוף (ולא אמצע): רוב הבדיקות דורשות אפליקציה שרצה..claude/commands/learn.mdנוסף routing לפקודות
securityו-security https://....למה post-deploy ולא pre-deploy
בדיקות קוד בלבד מפספסות:
/configחושף בפועלכל הפרצות שנמצאו בתלמיד נגלו דרך URL חי, לא קריאת קוד.
Test plan
/learn security https://mood-tracker-gkzt.onrender.com— מריץ curl checks ומציג ממצאים/learn securityללא URL — מבקש URL לפני שממשיך/learn deploy— Step 7 מופיע בסוף עם הצעה להריץ security/learn security https://valid-urlמוצא קבצים חשופים אם יש🤖 Generated with Claude Code