CyberMoose — OWASP Security Scanner
CyberMoose

1 install | Free
Automated OWASP security scanning for VS Code. Covers OWASP Top 10 2025, LLM Top 10 2025, and API Security Top 10 2023 using Semgrep, Trivy, Checkov, Bandit, and Nuclei DAST. Generates a consultant-quality AI security report.
Automated, multi-scanner security assessment for VS Code. Run a single scan and get a consultant-quality AI security report covering OWASP Top 10 2025, LLM Top 10 2025, and API Security Top 10 2023 — without leaving your editor.


What it does

CyberMoose orchestrates five industry-standard security tools against your workspace, maps every finding to the correct OWASP category, then uses Claude AI to generate a structured security report.

| Scanner | What it covers |
|---------|----------------|
| Semgrep | Static analysis — injection, secrets, auth flaws, XSS, custom rules |
| Trivy | Dependency CVEs, IaC misconfigurations, container image vulnerabilities |
| Checkov | Terraform, CloudFormation, Kubernetes, Dockerfile security checks |
| Bandit | Python-specific security issues |
| Nuclei | Live DAST scanning against a target URL (optional) |

Features

  • OWASP Top 10 2025 — full coverage across all 10 categories
  • OWASP LLM Top 10 2025 — automatically activated when LLM framework code is detected (OpenAI, Anthropic, LangChain, etc.)
  • OWASP API Security Top 10 2023 — automatically activated when API framework code is detected (Express, FastAPI, NestJS, etc.)
  • AI-generated report — streamed in real time using Claude claude-opus-4-6, with full remediation guidance and code examples
  • Report options — filter by severity, choose between full or compact report format
  • HTML export — one-click export to a shareable HTML report
  • DAST scanning — optional live scanning against a staging URL using Nuclei

Requirements

You need the following tools installed and available on your PATH:

| Tool | Install |
|------|---------|
| Semgrep | `pip install semgrep` |
| Trivy | `brew install trivy`, or use the official installer |
| Checkov | `pip install checkov` |
| Bandit | `pip install bandit` (Python projects only) |
| Nuclei | `brew install nuclei` (DAST only) |

You also need an Anthropic API key for report generation. Get one at console.anthropic.com.


Getting started

  1. Install the required tools above
  2. Open the extension settings and add your Anthropic API key, or set the ANTHROPIC_API_KEY environment variable
  3. Click the OWASP Scan button (shield icon) in the status bar (bottom left)
  4. Configure report options and optionally enter a DAST target URL
  5. Click Run Scan and watch results stream in

Report options

Before each scan you can configure:

  • Include severities — choose which severity levels to include (Critical, High, Medium, Low, Info)
  • Full Report — includes manual review checklists and detailed remediation guidance with code examples. Uncheck for a compact summary report.
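To make the orchestration step ("map every finding to the correct OWASP category") and the severity filter above concrete, here is an added, illustrative triage routine; it is not CyberMoose's own code. It assumes Semgrep's `--json` result shape (`results[].check_id`, `.path`, `.start.line`, `.extra.severity`, `.extra.message`, `.extra.metadata.owasp`), maps Semgrep's ERROR/WARNING/INFO levels onto the report's severity names by assumption, and relies on the OWASP labels Semgrep rules carry in their metadata rather than the extension's own 2025 mapping; the sample findings are constructed.

```python
"""Illustrative triage of Semgrep findings by severity and OWASP category.

Not CyberMoose's code. Assumes the `semgrep --json` output shape and that
rule metadata carries an `owasp` label; the sample below is constructed.
"""
import json
from collections import defaultdict

# Constructed sample in the shape of `semgrep --json` output (assumption).
SAMPLE_SEMGREP_JSON = json.dumps({"results": [
    {"check_id": "python.sqli", "path": "app/db.py", "start": {"line": 42},
     "extra": {"severity": "ERROR", "message": "SQL built with f-string",
               "metadata": {"owasp": ["A03:2021 - Injection"]}}},
    {"check_id": "python.hardcoded-secret", "path": "app/cfg.py",
     "start": {"line": 7},
     "extra": {"severity": "WARNING", "message": "Hardcoded API key",
               "metadata": {"owasp": "A07:2021 - Identification and "
                                     "Authentication Failures"}}},
    {"check_id": "python.debug-on", "path": "app/main.py", "start": {"line": 3},
     "extra": {"severity": "INFO", "message": "Flask debug=True",
               "metadata": {}}},
]})

# Semgrep severities mapped onto the report's levels (assumption).
SEVERITY_MAP = {"ERROR": "High", "WARNING": "Medium", "INFO": "Info"}


def triage(raw_json, include=("Critical", "High", "Medium")):
    """Return {owasp_category: [finding, ...]} keeping only chosen severities.

    Each finding carries rule id, severity, file:line and the rule message;
    no source code is copied, which is what a report backend should receive.
    """
    grouped = defaultdict(list)
    for r in json.loads(raw_json)["results"]:
        sev = SEVERITY_MAP.get(r["extra"]["severity"], "Info")
        if sev not in include:
            continue
        # Rule metadata may give a list, a single string, or nothing at all.
        cats = r["extra"].get("metadata", {}).get("owasp") or ["Uncategorized"]
        if isinstance(cats, str):
            cats = [cats]
        for cat in cats:
            grouped[cat].append({
                "rule": r["check_id"], "severity": sev,
                "location": f'{r["path"]}:{r["start"]["line"]}',
                "message": r["extra"]["message"],
            })
    return dict(grouped)
```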

DAST scanning

Enter a live target URL (e.g. https://staging.myapp.com) to enable Nuclei DAST scanning alongside the static analysis. Three scan modes are available:

  • Quick — critical and high severity, auth and exposure templates only
  • Standard — full OWASP template set, critical/high/medium
  • Custom — specify your own Nuclei tags and severity levels

Important: Only scan systems you own or have explicit written permission to test.


Extension settings

| Setting | Description |
|---------|-------------|
| `owaspScanner.anthropicApiKey` | Anthropic API key for report generation |
| `owaspScanner.appName` | Application name shown in the report |
| `owaspScanner.outputDirectory` | Directory to save exported HTML reports |
| `owaspScanner.targetUrl` | Default DAST target URL |
| `owaspScanner.authHeader` | HTTP auth header for authenticated DAST scans |

Privacy

All scanning runs locally on your machine. Your source code is never uploaded anywhere. The only external call is to the Anthropic API to generate the report — only the scan findings (not your source code) are sent.


Support

  • Issues: github.com/Cyb3rMoose/ide-scanner/issues
  • Website: cybermoose.io
  • Email: support@cybermoose.io