Level 2 patterns - vulns, lic, sbom, doctor (security, compliance, environment health)
/plugin marketplace add bryonjacob/aug/plugin install bryonjacob-aug-just-aug-just@bryonjacob/augThis skill inherits all available tools. When active, it can use any tool Claude has access to.
Add when deploying. Security scanning, license compliance, SBOM generation, environment validation.
Vulnerability scanning. CRITICAL only, quick feedback.
# Check for security vulnerabilities
vulns:
<scan for vulnerabilities, fail on CRITICAL, fixable only>
Using Grype:
vulns:
grype .venv --fail-on critical --only-fixed
Multi-tier scanning:
# Quick scan (CRITICAL only)
vulns:
grype .venv --fail-on critical --only-fixed
# Detailed scan (MEDIUM and above)
vulns-detailed:
grype .venv --fail-on medium --scope all-layers -o table
# CI scan (HIGH+, JSON output)
vulns-ci:
grype .venv --fail-on high --only-fixed -o json --file grype-report.json
License compliance. Production dependencies only, strict checking.
# Analyze licenses (flag GPL, etc.)
lic:
<check production deps only, fail on GPL/LGPL/AGPL>
Python (isolated venv):
lic:
#!/usr/bin/env bash
set -e
[ ! -d .venv-lic ] && uv venv .venv-lic
source .venv-lic/bin/activate
uv pip install -e . --quiet
uv pip install pip-licenses --quiet
pip-licenses --fail-on="GPL;LGPL;AGPL" --partial-match --format=plain
deactivate
JavaScript:
lic:
#!/usr/bin/env bash
OUTPUT=$(pnpm exec licensee --osi 2>&1 || true)
if echo "$OUTPUT" | grep -qiE "GPL|LGPL|AGPL"; then
echo "❌ GPL/LGPL/AGPL found"
exit 1
fi
echo "✅ License check passed"
Dev dependencies allowed:
lic-dev:
uv run pip-licenses --fail-on="GPL;LGPL;AGPL" --partial-match \
--ignore-packages pytest ruff chardet
Software Bill of Materials. CycloneDX format.
# Generate software bill of materials
sbom:
<generate SBOM in CycloneDX format>
Using Syft:
sbom:
syft dir:. -o cyclonedx-json > sbom.json
Polyglot:
sbom:
syft dir:./api -o cyclonedx-json > sbom-api.json
syft dir:./web -o cyclonedx-json > sbom-web.json
Scan SBOM:
security-scan: sbom
grype sbom:./sbom.json --fail-on critical --only-fixed
Environment health check. Required tools, versions, services.
# Check development environment health
doctor:
<validate required tools installed, show versions>
Basic:
doctor:
@echo "Checking environment..."
@which just >/dev/null && echo "✅ just" || echo "❌ just"
@which python3 >/dev/null && echo "✅ python3" || echo "❌ python3"
@which uv >/dev/null && echo "✅ uv" || echo "❌ uv"
With versions:
doctor:
#!/usr/bin/env bash
echo "Required tools:"
which just >/dev/null && echo "✅ just $(just --version)" || echo "❌ just"
which python3 >/dev/null && echo "✅ python3 $(python3 --version)" || echo "❌ python3"
which node >/dev/null && echo "✅ node $(node --version)" || echo "❌ node"
echo ""
echo "Optional tools:"
which grype >/dev/null && echo "✅ grype" || echo "⚠️ grype (security scanning)"
which syft >/dev/null && echo "✅ syft" || echo "⚠️ syft (SBOM generation)"
.grype.yaml:
only-fixed: true
fail-on-severity: critical
ignore:
- vulnerability: CVE-2025-12345
fix-state: wont-fix
reason: "Build tool only, not distributed"
output: table
Add when:
Skip when:
Problem: Dev dependencies can use GPL. Production dependencies cannot.
Solution: Isolated environment for production-only check.
Python:
.venv-lic with production deps only[dev] extrasrm -rf .venv-licJavaScript: Licensee separates dev/prod automatically.
Three scan levels:
Developers get fast feedback. Security team gets comprehensive reports.
Check before first run:
Prevents "command not found" confusion.