Share
## https://sploitus.com/exploit?id=3AC39597-A87D-5DEB-B1D7-28AA41170EC8
# Vulnetix Claude Code Plugin

Vulnerability intelligence for Claude Code โ€” scans dependencies on commit, searches packages for risk data, analyzes exploits, and proposes fixes via the Vulnetix VDB API.

## Features

### ๐Ÿช Pre-Commit Vulnerability Scanning

Automatically scans staged dependency manifest files when you run `git commit` commands. The hook:

- Detects 15+ manifest types (npm, Python, Go, Rust, Maven, etc.)
- Scans for known vulnerabilities using Vulnetix VDB
- Reports vulnerability counts by severity (critical/high/medium/low)
- **Never blocks commits** โ€” informational only

### ๐Ÿ” Three Interactive Skills

#### 1. `/vulnetix:package-search `

Search for packages across ecosystems and assess security risk before adding them as dependencies.

**Example:**
```
/vulnetix:package-search express
```

**What it does:**
- Detects your repository's ecosystems (npm, PyPI, Maven, etc.)
- Searches the Vulnetix package database
- Presents vulnerability counts, max severity, and Safe Harbour scores
- Proposes concrete dependency addition with exact manifest edits
- Suggests alternatives if needed

#### 2. `/vulnetix:exploits `

Analyze exploit intelligence for a vulnerability (CVE, GHSA, etc.) against your repository.

**Example:**
```
/vulnetix:exploits CVE-2021-44228
```

**What it does:**
- Fetches public exploits (PoCs, Metasploit modules, etc.)
- Retrieves CVSS, EPSS, and CISA KEV status
- Checks if your dependencies are affected
- Analyzes exploit reachability (static analysis only โ€” never executes code)
- Provides exploitability rating (CRITICAL/HIGH/MEDIUM/LOW/N/A)
- Recommends `/vulnetix:fix` if actionable

#### 3. `/vulnetix:fix `

Get fix intelligence and propose concrete remediation steps for your repository.

**Example:**
```
/vulnetix:fix CVE-2021-44228
```

**What it does:**
- Fetches fix data (version bumps, patches, workarounds)
- Identifies affected dependencies in your manifest files
- Proposes exact edits with version bumps
- Assesses breaking change risk
- Suggests test commands and re-scanning to verify the fix

---

## Prerequisites

### 1. Install the Vulnetix CLI

The Vulnetix CLI must be installed before using this plugin. Choose your preferred installation method:

**Homebrew (macOS/Linux):**
```bash
brew tap vulnetix/tap
brew install vulnetix
```

**Scoop (Windows):**
```powershell
scoop bucket add vulnetix https://github.com/Vulnetix/scoop-bucket
scoop install vulnetix
```

**Nix:**
```bash
nix profile install github:Vulnetix/cli
```

**Go Install:**
```bash
go install github.com/vulnetix/cli@latest
```

**Binary Download:**

Download the appropriate binary for your platform from the [releases page](https://github.com/Vulnetix/cli/releases/latest):

```bash
# Linux AMD64
curl -L https://github.com/Vulnetix/cli/releases/latest/download/vulnetix-linux-amd64 -o vulnetix
chmod +x vulnetix

# macOS (Intel)
curl -L https://github.com/Vulnetix/cli/releases/latest/download/vulnetix-darwin-amd64 -o vulnetix
chmod +x vulnetix

# macOS (Apple Silicon)
curl -L https://github.com/Vulnetix/cli/releases/latest/download/vulnetix-darwin-arm64 -o vulnetix
chmod +x vulnetix
```

For Windows PowerShell:
```powershell
Invoke-WebRequest -Uri "https://github.com/Vulnetix/cli/releases/latest/download/vulnetix-windows-amd64.exe" -OutFile "vulnetix.exe"
```

**See [CLI documentation](https://github.com/Vulnetix/cli) for all installation methods and platform support.**

### 2. Authenticate with Vulnetix

```bash
vulnetix auth login
```

This will open a browser window for authentication. After logging in, verify your connection:

```bash
vulnetix vdb status
```

You should see:
```
โœ“ API Status: healthy
โœ“ Authenticated: true
```

---

## Installation

### Install from GitHub

```bash
/plugin marketplace add Vulnetix/claude-code-plugin
/plugin install vulnetix@vulnetix-plugins
```

### Verify Installation

Check that the plugin is loaded:

```bash
/plugins
```

You should see `vulnetix` in the list.

Check that hooks are registered:

```bash
/hooks
```

You should see the `PreToolUse` hook for Bash commands.

---

## Usage

### Pre-Commit Scanning (Automatic)

The hook activates automatically when you use `git commit` commands. No configuration needed.

**Example workflow:**

1. Stage files with changes to dependencies:
   ```bash
   git add package.json package-lock.json
   ```

2. Commit:
   ```bash
   git commit -m "Update dependencies"
   ```

3. Claude will show a system message if vulnerabilities are found:
   ```
   ๐Ÿ” Vulnetix scan found 5 vulnerabilities in staged dependencies:
   2 high, 3 medium (in: package.json, package-lock.json).
   Consider reviewing with `/vulnetix:fix ` before committing.
   ```

4. The commit proceeds regardless (informational only).

### Skills (Manual Invocation)

#### Search for a Package

```
/vulnetix:package-search lodash
```

Claude will:
1. Detect your repository's ecosystems
2. Search for matching packages
3. Show vulnerability counts and risk scores
4. Propose adding the safest version
5. Ask if you want to apply the change

#### Analyze Exploits

```
/vulnetix:exploits CVE-2024-12345
```

Claude will:
1. Fetch exploit intelligence (PoCs, Metasploit, etc.)
2. Check if your dependencies are affected
3. Assess exploitability rating
4. Recommend next steps

#### Get Fix Intelligence

```
/vulnetix:fix GHSA-xxxx-yyyy-zzzz
```

Claude will:
1. Fetch fix data (version bumps, patches)
2. Show exact manifest edits
3. Assess breaking change risk
4. Ask if you want to apply the fix
5. Suggest testing and re-scanning

---

## Troubleshooting

### Hook Not Triggering

**Check plugin status:**
```bash
/plugins
```

Ensure `vulnetix` is listed and enabled.

**Check hook registration:**
```bash
/hooks
```

You should see a `PreToolUse` hook for Bash commands.

### "API unavailable or not authenticated" Message

Run:
```bash
vulnetix vdb status
```

If authentication failed:
```bash
vulnetix auth login
```

If the API is unhealthy, check your internet connection.

### Skill Commands Not Working

Ensure the skill is invoked correctly:
```
/vulnetix:package-search 
/vulnetix:exploits 
/vulnetix:fix 
```

**Not:**
```
/vulnetix package-search   โŒ (missing colon)
```

### Hook Scanning Takes Too Long

The hook has a 120-second timeout. If scans exceed this:

1. Reduce the number of staged manifest files
2. Commit manifest files separately
3. Disable the hook temporarily: `/plugin disable vulnetix`

---

## Supported Ecosystems

The plugin supports 15+ dependency ecosystems:

| Ecosystem | Manifest Files |
|-----------|----------------|
| **npm** | `package.json`, `package-lock.json`, `yarn.lock`, `pnpm-lock.yaml` |
| **Python** | `requirements.txt`, `Pipfile.lock`, `poetry.lock`, `uv.lock` |
| **Go** | `go.mod`, `go.sum` |
| **Rust** | `Cargo.lock` |
| **Ruby** | `Gemfile.lock` |
| **Maven** | `pom.xml` |
| **Gradle** | `gradle.lockfile` |
| **PHP** | `composer.lock` |

---

## Privacy & Security

- **No code is sent to Vulnetix servers** โ€” only dependency names and versions
- Manifest files are scanned locally using the Vulnetix CLI
- PoC exploits are **never executed** โ€” static analysis only
- All API calls are authenticated and use HTTPS

---

## Contributing

This plugin is part of the [Vulnetix organization](https://github.com/Vulnetix).

Report issues at [github.com/Vulnetix/claude-code-plugin/issues](https://github.com/Vulnetix/claude-code-plugin/issues).

---

## License

Apache-2.0

---

## Resources

- **Vulnetix CLI Documentation:** [docs.cli.vulnetix.com](https://docs.cli.vulnetix.com)
- **CLI Repository:** [github.com/Vulnetix/cli](https://github.com/Vulnetix/cli)