Skip to content

MuhammedZohaib/patchman

BranchesTags

Repository files navigation

patchman

Stars Release License

Defensive security audit skill pack for agentic code review and web application assessment.

Overview

Patchman is a skill and plugin bundle for authorized security reviews. It operates in read-first, review-first mode — inspecting code and architecture against OWASP and common appsec failure patterns, then producing structured findings with actionable remediation guidance.

Supported agents: Claude Code · Codex · Cursor · Windsurf · Copilot · Gemini-style skill installers

Installation

Claude Code (Recommended)

claude plugin marketplace add https://github.com/MuhammedZohaib/patchman.git
claude plugin install patchman@patchman-marketplace

Restart Claude Code. The session hooks activate automatically.

Verify installation

claude plugin list

Uninstall

claude plugin uninstall patchman@patchman-marketplace

Claude Code — Local Install

git clone https://github.com/MuhammedZohaib/patchman.git
claude plugin marketplace add ./patchman
claude plugin install patchman@patchman-marketplace

Codex — Local Install

git clone https://github.com/MuhammedZohaib/patchman.git
mkdir -p ~/.codex/plugins
cp -R patchman/plugins/patchman ~/.codex/plugins/patchman
codex marketplace add ./patchman

Use ~/.codex/plugins/patchman if you want to point Codex directly at the plugin path.

Use codex marketplace add ./patchman if you want Patchman to appear in Codex marketplace or picker discovery.

Review Modes

Mode Command
Full security audit /security-audit focus=full severity>=medium output=report
Auth review /auth-review area=login,session,reset
Business logic review /bizlogic-review feature=billing-upgrade workflow=invite-approval
API review /api-review surface=public-api include=authz,rate-limit,headers
ORM / data-access review /query-review path=app/models include=n-plus-one,tenant-scope
PR diff review /pr-diff-review base=main head=feature/auth-refactor
Quick triage /quick-triage path=admin/ reason=pre-release
Threat modeling /threat-model feature=file-import
Audit report /audit-report format=engineering-summary

What Patchman Detects

  • OWASP Top 10 classes with code-level evidence
  • Broken authentication, authorization, and session management
  • IDOR and tenant isolation failures
  • Business logic gaps and approval bypasses
  • SSRF, XSS, CSRF, injection, and insecure deserialization
  • Secret leakage and sensitive data in logs
  • Unsafe file upload handling
  • Weak headers, insecure defaults, and risky cryptography
  • Missing rate limiting and anti-abuse controls
  • ORM misuse, N+1 query issues, and cross-tenant data access
  • Admin path, webhook, queue, and background job vulnerabilities

Example Prompts

Full audit

Run a full security audit on this repo. Prioritize broken access control, unsafe defaults,
tenant isolation, secret handling, and exploitable auth issues. Use the Patchman findings format.

Targeted review

Review only the password reset flow. Focus on token lifetime, replay attacks, host header
trust, user enumeration, and session invalidation after reset.

PR review

Audit this pull request as a defensive security reviewer. Flag regressions, rank by severity
and confidence, and suggest minimal safe patches.

Findings Format

Every finding includes:

  • Evidence — specific code or configuration reference
  • Severity — based on blast radius and realistic abuse conditions
  • Confidence — drops when context is incomplete
  • Remediation — specific enough to implement directly

Scope and Limitations

Patchman is for authorized defensive auditing only.

In scope: secure code review, architecture review, configuration review, exploitability analysis in plain language, remediation planning

Out of scope: unauthorized intrusion, exploit weaponization, credential harvesting, malware or persistence guidance, destructive payloads, live attack chains

Patchman infers risk from static code and configuration. It does not replace runtime validation and will request missing deployment, proxy, or identity-boundary context when evidence is insufficient.

Repository Structure

patchman/
├── .claude-plugin/
├── .agents/plugins/
├── commands/
├── docs/
├── evals/
├── hooks/
├── plugins/patchman/
├── rules/
├── skills/
└── patchman.skill

Contributing

Contributions welcome. Open a PR with any of the following:

  • New defensive review heuristics
  • Framework-specific false positive reductions
  • Safer remediation examples
  • Eval fixtures with expected findings
  • Packaging improvements for Claude or Codex

See CONTRIBUTING.md to get started.

License

See LICENSE.

About

Defensive AI security audit skill for Claude and Codex. Reviews codebases and web apps for OWASP Top 10, auth and authorization flaws, business logic bugs, tenant isolation gaps, insecure defaults, secret leaks, and ORM or N+1 query issues, then produces clear remediation guidance.

Topics

security security-audit authentication authorization web-security business-logic appsec codex owasp-top-10 api-security secure-code-review agent-skills claude-code claude-code-plugin claude-code-skills claude-code-skill codex-skill

Resources

Readme

License

MIT license

Code of conduct

Code of conduct

Contributing

Contributing

Security policy

Security policy
Activity

Stars

2 stars

Watchers

0 watching

Forks

0 forks
Report repository

Packages

 
 
 

Contributors 1

Languages