## https://sploitus.com/exploit?id=3AC39597-A87D-5DEB-B1D7-28AA41170EC8
# Vulnetix Claude Code Plugin
Vulnerability intelligence for Claude Code โ scans dependencies on commit, searches packages for risk data, analyzes exploits, and proposes fixes via the Vulnetix VDB API.
## Features
### ๐ช Pre-Commit Vulnerability Scanning
Automatically scans staged dependency manifest files when you run `git commit` commands. The hook:
- Detects 15+ manifest types (npm, Python, Go, Rust, Maven, etc.)
- Scans for known vulnerabilities using Vulnetix VDB
- Reports vulnerability counts by severity (critical/high/medium/low)
- **Never blocks commits** โ informational only
### ๐ Three Interactive Skills
#### 1. `/vulnetix:package-search `
Search for packages across ecosystems and assess security risk before adding them as dependencies.
**Example:**
```
/vulnetix:package-search express
```
**What it does:**
- Detects your repository's ecosystems (npm, PyPI, Maven, etc.)
- Searches the Vulnetix package database
- Presents vulnerability counts, max severity, and Safe Harbour scores
- Proposes concrete dependency addition with exact manifest edits
- Suggests alternatives if needed
#### 2. `/vulnetix:exploits `
Analyze exploit intelligence for a vulnerability (CVE, GHSA, etc.) against your repository.
**Example:**
```
/vulnetix:exploits CVE-2021-44228
```
**What it does:**
- Fetches public exploits (PoCs, Metasploit modules, etc.)
- Retrieves CVSS, EPSS, and CISA KEV status
- Checks if your dependencies are affected
- Analyzes exploit reachability (static analysis only โ never executes code)
- Provides exploitability rating (CRITICAL/HIGH/MEDIUM/LOW/N/A)
- Recommends `/vulnetix:fix` if actionable
#### 3. `/vulnetix:fix `
Get fix intelligence and propose concrete remediation steps for your repository.
**Example:**
```
/vulnetix:fix CVE-2021-44228
```
**What it does:**
- Fetches fix data (version bumps, patches, workarounds)
- Identifies affected dependencies in your manifest files
- Proposes exact edits with version bumps
- Assesses breaking change risk
- Suggests test commands and re-scanning to verify the fix
---
## Prerequisites
### 1. Install the Vulnetix CLI
The Vulnetix CLI must be installed before using this plugin. Choose your preferred installation method:
**Homebrew (macOS/Linux):**
```bash
brew tap vulnetix/tap
brew install vulnetix
```
**Scoop (Windows):**
```powershell
scoop bucket add vulnetix https://github.com/Vulnetix/scoop-bucket
scoop install vulnetix
```
**Nix:**
```bash
nix profile install github:Vulnetix/cli
```
**Go Install:**
```bash
go install github.com/vulnetix/cli@latest
```
**Binary Download:**
Download the appropriate binary for your platform from the [releases page](https://github.com/Vulnetix/cli/releases/latest):
```bash
# Linux AMD64
curl -L https://github.com/Vulnetix/cli/releases/latest/download/vulnetix-linux-amd64 -o vulnetix
chmod +x vulnetix
# macOS (Intel)
curl -L https://github.com/Vulnetix/cli/releases/latest/download/vulnetix-darwin-amd64 -o vulnetix
chmod +x vulnetix
# macOS (Apple Silicon)
curl -L https://github.com/Vulnetix/cli/releases/latest/download/vulnetix-darwin-arm64 -o vulnetix
chmod +x vulnetix
```
For Windows PowerShell:
```powershell
Invoke-WebRequest -Uri "https://github.com/Vulnetix/cli/releases/latest/download/vulnetix-windows-amd64.exe" -OutFile "vulnetix.exe"
```
**See [CLI documentation](https://github.com/Vulnetix/cli) for all installation methods and platform support.**
### 2. Authenticate with Vulnetix
```bash
vulnetix auth login
```
This will open a browser window for authentication. After logging in, verify your connection:
```bash
vulnetix vdb status
```
You should see:
```
โ API Status: healthy
โ Authenticated: true
```
---
## Installation
### Install from GitHub
```bash
/plugin marketplace add Vulnetix/claude-code-plugin
/plugin install vulnetix@vulnetix-plugins
```
### Verify Installation
Check that the plugin is loaded:
```bash
/plugins
```
You should see `vulnetix` in the list.
Check that hooks are registered:
```bash
/hooks
```
You should see the `PreToolUse` hook for Bash commands.
---
## Usage
### Pre-Commit Scanning (Automatic)
The hook activates automatically when you use `git commit` commands. No configuration needed.
**Example workflow:**
1. Stage files with changes to dependencies:
```bash
git add package.json package-lock.json
```
2. Commit:
```bash
git commit -m "Update dependencies"
```
3. Claude will show a system message if vulnerabilities are found:
```
๐ Vulnetix scan found 5 vulnerabilities in staged dependencies:
2 high, 3 medium (in: package.json, package-lock.json).
Consider reviewing with `/vulnetix:fix ` before committing.
```
4. The commit proceeds regardless (informational only).
### Skills (Manual Invocation)
#### Search for a Package
```
/vulnetix:package-search lodash
```
Claude will:
1. Detect your repository's ecosystems
2. Search for matching packages
3. Show vulnerability counts and risk scores
4. Propose adding the safest version
5. Ask if you want to apply the change
#### Analyze Exploits
```
/vulnetix:exploits CVE-2024-12345
```
Claude will:
1. Fetch exploit intelligence (PoCs, Metasploit, etc.)
2. Check if your dependencies are affected
3. Assess exploitability rating
4. Recommend next steps
#### Get Fix Intelligence
```
/vulnetix:fix GHSA-xxxx-yyyy-zzzz
```
Claude will:
1. Fetch fix data (version bumps, patches)
2. Show exact manifest edits
3. Assess breaking change risk
4. Ask if you want to apply the fix
5. Suggest testing and re-scanning
---
## Troubleshooting
### Hook Not Triggering
**Check plugin status:**
```bash
/plugins
```
Ensure `vulnetix` is listed and enabled.
**Check hook registration:**
```bash
/hooks
```
You should see a `PreToolUse` hook for Bash commands.
### "API unavailable or not authenticated" Message
Run:
```bash
vulnetix vdb status
```
If authentication failed:
```bash
vulnetix auth login
```
If the API is unhealthy, check your internet connection.
### Skill Commands Not Working
Ensure the skill is invoked correctly:
```
/vulnetix:package-search
/vulnetix:exploits
/vulnetix:fix
```
**Not:**
```
/vulnetix package-search โ (missing colon)
```
### Hook Scanning Takes Too Long
The hook has a 120-second timeout. If scans exceed this:
1. Reduce the number of staged manifest files
2. Commit manifest files separately
3. Disable the hook temporarily: `/plugin disable vulnetix`
---
## Supported Ecosystems
The plugin supports 15+ dependency ecosystems:
| Ecosystem | Manifest Files |
|-----------|----------------|
| **npm** | `package.json`, `package-lock.json`, `yarn.lock`, `pnpm-lock.yaml` |
| **Python** | `requirements.txt`, `Pipfile.lock`, `poetry.lock`, `uv.lock` |
| **Go** | `go.mod`, `go.sum` |
| **Rust** | `Cargo.lock` |
| **Ruby** | `Gemfile.lock` |
| **Maven** | `pom.xml` |
| **Gradle** | `gradle.lockfile` |
| **PHP** | `composer.lock` |
---
## Privacy & Security
- **No code is sent to Vulnetix servers** โ only dependency names and versions
- Manifest files are scanned locally using the Vulnetix CLI
- PoC exploits are **never executed** โ static analysis only
- All API calls are authenticated and use HTTPS
---
## Contributing
This plugin is part of the [Vulnetix organization](https://github.com/Vulnetix).
Report issues at [github.com/Vulnetix/claude-code-plugin/issues](https://github.com/Vulnetix/claude-code-plugin/issues).
---
## License
Apache-2.0
---
## Resources
- **Vulnetix CLI Documentation:** [docs.cli.vulnetix.com](https://docs.cli.vulnetix.com)
- **CLI Repository:** [github.com/Vulnetix/cli](https://github.com/Vulnetix/cli)