feat(ai-workflow): Add security scanning to preflight checks

Add comprehensive security scanning detection to /workflow-preflight:
- Dependency audits: pnpm/npm/yarn audit, pip-audit, cargo audit
- Semgrep SAST detection via config files, CI workflows, README docs
- Docker fallback with Windows MSYS path conversion fix
- ESLint security plugin detection
- Updated skill documentation with security scanning quick reference

Author: charlesjones-dev

.claude-plugin/marketplace.json

@@ -6,7 +6,7 @@
   },
   "metadata": {
     "description": "A curated list of custom Claude Code plugins, agents, and skills for developers.",
-    "version": "1.9.0",
+    "version": "1.9.1",
     "pluginRoot": "./plugins"
   },
   "plugins": [
@@ -141,8 +141,8 @@
     {
       "name": "ai-workflow",
       "source": "./plugins/ai-workflow",
-      "description": "AI-powered development workflow automation - Phase-based planning, implementation orchestration, and preflight code quality checks for efficient sub-agent execution",
-      "version": "1.0.3",
+      "description": "AI-powered development workflow automation - Phase-based planning, implementation orchestration, and preflight code quality checks with security scanning for efficient sub-agent execution",
+      "version": "1.1.0",
       "keywords": [
         "ai",
         "workflow",
@@ -155,6 +155,9 @@
         "typecheck",
         "lint",
         "testing",
+        "security",
+        "audit",
+        "semgrep",
         "automation",
         "productivity"
       ],

CHANGELOG.md

@@ -7,6 +7,25 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [1.9.1] - 2026-01-18
+
+### Added
+
+#### AI-Workflow Plugin (v1.1.0)
+
+- **Added security scanning detection to `/workflow-preflight` command**
+  - Detects and runs `pnpm audit`, `npm audit`, `yarn audit` for dependency vulnerability scanning
+  - Detects `eslint-plugin-security` in devDependencies and notes when security linting is active
+  - Universal Semgrep detection via multiple sources:
+    - Package.json scripts (e.g., `pnpm run semgrep`)
+    - Config files: `.semgreprc.yml`, `.semgrep.yml`, `semgrep.yml`, `.semgrep/`
+    - CI workflows: `.github/workflows/*.yml` (extracts `--config` flags)
+    - README.md documentation (Security sections)
+    - Local CLI availability
+    - Docker fallback when semgrep CLI not installed
+  - Added Python (`pip-audit`, `safety`) and Rust (`cargo audit`) dependency scanning
+  - Updated preflight skill with security scanning quick reference table
+
 ## [1.9.0] - 2026-01-14
 
 ### Added
@@ -504,7 +523,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - README.md, CLAUDE.md, individual plugin READMEs, and MIT license
 
-[Unreleased]: https://github.com/charlesjones-dev/claude-code-plugins-dev/compare/v1.9.0...HEAD
+[Unreleased]: https://github.com/charlesjones-dev/claude-code-plugins-dev/compare/v1.9.1...HEAD
+[1.9.1]: https://github.com/charlesjones-dev/claude-code-plugins-dev/compare/v1.9.0...v1.9.1
 [1.9.0]: https://github.com/charlesjones-dev/claude-code-plugins-dev/compare/v1.8.0...v1.9.0
 [1.8.0]: https://github.com/charlesjones-dev/claude-code-plugins-dev/compare/v1.7.1...v1.8.0
 [1.7.1]: https://github.com/charlesjones-dev/claude-code-plugins-dev/compare/v1.7.0...v1.7.1

README.md

@@ -1,6 +1,6 @@
 # Claude Code Plugins for Developers
 
-[![Version](https://img.shields.io/badge/version-1.9.0-blue.svg)](https://github.com/charlesjones-dev/claude-code-plugins-dev/releases)
+[![Version](https://img.shields.io/badge/version-1.9.1-blue.svg)](https://github.com/charlesjones-dev/claude-code-plugins-dev/releases)
 [![License](https://img.shields.io/badge/license-MIT-green.svg)](LICENSE)
 [![GitHub Issues](https://img.shields.io/github/issues/charlesjones-dev/claude-code-plugins-dev.svg)](https://github.com/charlesjones-dev/claude-code-plugins-dev/issues)
 [![GitHub Stars](https://img.shields.io/github/stars/charlesjones-dev/claude-code-plugins-dev.svg)](https://github.com/charlesjones-dev/claude-code-plugins-dev/stargazers)

plugins/ai-workflow/.claude-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "ai-workflow",
-  "version": "1.0.3",
-  "description": "AI-powered development workflow automation - Phase-based planning, implementation orchestration, and preflight code quality checks for efficient sub-agent execution",
+  "version": "1.1.0",
+  "description": "AI-powered development workflow automation - Phase-based planning, implementation orchestration, and preflight code quality checks with security scanning for efficient sub-agent execution",
   "author": {
     "name": "Charles Jones",
     "url": "https://charlesjones.dev"
@@ -19,6 +19,9 @@
     "typecheck",
     "lint",
     "testing",
+    "security",
+    "audit",
+    "semgrep",
     "automation",
     "productivity"
   ]

plugins/ai-workflow/README.md

@@ -12,7 +12,7 @@ Provides tools for managing complex development workflows including breaking fea
 
 - **Phase Planning**: Break large features into properly-sized phases (30-50k tokens each) optimized for sub-agent execution
 - **Implementation Orchestration**: Analyze dependencies and execute phases with optimal parallel/sequential strategies
-- **Preflight Checks**: Auto-detect and run type checking, linting, formatting, and tests across multiple ecosystems
+- **Preflight Checks**: Auto-detect and run type checking, linting, formatting, security scanning, and tests across multiple ecosystems
 
 ---
 
@@ -96,7 +96,9 @@ Run comprehensive code quality checks before commits, PRs, or deployments.
 **What it does:**
 
 - Auto-detects configured quality tools across ecosystems
-- Runs checks in optimal order: format -> typecheck -> lint -> tests
+- Runs checks in optimal order: format -> typecheck -> lint -> security -> tests
+- Detects security tools: pnpm/npm/yarn audit, eslint-plugin-security, Semgrep
+- Universal Semgrep detection via config files, CI workflows, README docs, or Docker fallback
 - Reports results with clear pass/fail/warning indicators
 - Offers interactive fix mode (or use `--fix` for automatic)
 - Respects existing project scripts (uses `npm run lint` over raw `eslint`)
@@ -112,13 +114,13 @@ Run comprehensive code quality checks before commits, PRs, or deployments.
 
 **Supported Ecosystems:**
 
-| Ecosystem | Type Check | Lint | Format | Test |
-|-----------|------------|------|--------|------|
-| **Node.js/TypeScript** | tsc | ESLint, Biome | Prettier | Jest, Vitest |
-| **Python** | MyPy | Ruff | Black, Ruff | Pytest |
-| **.NET** | dotnet build | Analyzers | dotnet format | dotnet test |
-| **Go** | go build | golangci-lint | gofmt | go test |
-| **Rust** | cargo check | Clippy | cargo fmt | cargo test |
+| Ecosystem | Type Check | Lint | Format | Security | Test |
+|-----------|------------|------|--------|----------|------|
+| **Node.js/TypeScript** | tsc | ESLint, Biome | Prettier | pnpm/npm/yarn audit, eslint-plugin-security, Semgrep | Jest, Vitest |
+| **Python** | MyPy | Ruff | Black, Ruff | pip-audit, safety, Semgrep | Pytest |
+| **.NET** | dotnet build | Analyzers | dotnet format | Semgrep | dotnet test |
+| **Go** | go build | golangci-lint | gofmt | Semgrep | go test |
+| **Rust** | cargo check | Clippy | cargo fmt | cargo audit, Semgrep | cargo test |
 
 **Before (manual checks):**
 
@@ -273,10 +275,10 @@ Discovery Phase
 Detect Project Type(s)
       |
       v
-Find Configured Tools
+Find Configured Tools (including security scanners)
       |
       v
-Run Checks (format -> type -> lint -> test)
+Run Checks (format -> type -> lint -> security -> test)
       |
       v
 Present Results
@@ -341,11 +343,12 @@ Plus improved code quality, fewer context overflows, and more efficient sub-agen
 ## Plugin Details
 
 - **Name:** AI-Workflow
-- **Version:** 1.0.0
+- **Version:** 1.1.0
 - **Type:** Development Workflow Automation
 - **Features:**
   - Commands: `/workflow-plan-phases`, `/workflow-implement-phases`, `/workflow-preflight`
   - Skills: `plan-phases`, `implement-phases`, `preflight-checks`
+  - Security scanning: pnpm/npm/yarn audit, eslint-plugin-security, Semgrep (CLI or Docker)
 - **License:** MIT
 - **Author:** Charles Jones
 

plugins/ai-workflow/commands/workflow-preflight.md

@@ -55,6 +55,14 @@ First, analyze the project to discover configured quality tools. Check for:
 - `rustfmt.toml` / `.rustfmt.toml` - Rustfmt configuration
 - `clippy.toml` / `.clippy.toml` - Clippy configuration
 
+### Security Scanning
+- `pnpm-lock.yaml` / `package-lock.json` / `yarn.lock` - Dependency audit support
+- `.semgreprc.yml` / `.semgrep.yml` / `semgrep.yml` / `.semgrep/` - Semgrep configuration
+- `.github/workflows/*.yml` - Check for semgrep CI jobs (extract config flags)
+- `eslint-plugin-security` in devDependencies - ESLint security rules
+- `package.json` scripts containing `audit` or `semgrep` - Custom security scripts
+- `README.md` / `CONTRIBUTING.md` - Check for documented security scanning commands
+
 ### Other
 - `Makefile` / `makefile` - Check for lint/test/check targets
 - `.pre-commit-config.yaml` - Pre-commit hooks
@@ -73,6 +81,7 @@ Type Checking: [tool name] via [config file]
 Linting: [tool name] via [config file]
 Testing: [tool name] via [config file]
 Formatting: [tool name] via [config file]
+Security Scanning: [tool name(s)] via [config file/method]
 Not configured: [any missing categories]
 
 Ready to run checks?
@@ -84,7 +93,12 @@ Run the discovered checks in this order:
 1. **Type checking** (fastest feedback on type errors)
 2. **Linting** (code quality issues)
 3. **Formatting check** (style consistency - check only, don't auto-fix yet)
-4. **Tests** (run last as they take longest)
+4. **Security scanning** - MANDATORY if any security tools detected:
+   - Dependency audit (npm audit, pnpm audit, etc.)
+   - **Semgrep SAST** - MUST run if detected in CI workflows or config files
+5. **Tests** (run last as they take longest)
+
+**CRITICAL: If Semgrep was detected in discovery (CI workflows, config files, or README), you MUST run it. Do NOT skip Semgrep and report "All checks passed" without running it.**
 
 For each check, report:
 - Pass - no issues found
@@ -121,17 +135,68 @@ For each check, report:
 - Tests: `cargo test`
 - Format check: `cargo fmt --check`
 
+### Security Scanning Commands
+
+**Dependency Audits (run based on detected package manager):**
+- pnpm: `pnpm audit` or `pnpm audit:check` (if script exists in package.json)
+- npm: `npm audit`
+- yarn: `yarn audit`
+- pip: `pip-audit` (if installed) or `safety check` (if installed)
+- cargo: `cargo audit` (if installed)
+
+**Semgrep (static analysis - MUST run if detected in CI or config):**
+
+IMPORTANT: If Semgrep is detected in CI workflows or config files, you MUST run it as part of preflight checks. Do not skip it.
+
+Detection order:
+1. Check for custom script in package.json (e.g., `pnpm run semgrep` or `npm run semgrep`)
+2. Check for semgrep config files: `.semgreprc.yml`, `.semgrep.yml`, `semgrep.yml`, or `.semgrep/` directory
+3. Check `.github/workflows/*.yml` for semgrep jobs - extract `--config` flags used in CI
+4. **Check `README.md` for documented semgrep commands** - ALWAYS check this before trying generic Docker commands, as projects often document the exact command needed for their setup
+5. Check if `semgrep` CLI is available locally: `semgrep --version`
+6. Check if Docker is available: `docker --version`
+7. If Docker available but no semgrep CLI, use Docker (see platform-specific commands below)
+
+**Semgrep execution:**
+- With config file: `semgrep scan --config .semgreprc.yml` (or detected config)
+- Without config (auto rules): `semgrep scan --config auto`
+- With language-specific rules: `semgrep scan --config auto --config p/javascript --config p/typescript`
+
+**Docker execution (AUTOMATIC PLATFORM DETECTION):**
+
+CRITICAL: You MUST detect the platform and use the correct command automatically. Check the platform from the environment context.
+
+- **If platform is `win32` (Windows):** ALWAYS use `MSYS_NO_PATHCONV=1` prefix for Docker commands:
+  ```bash
+  MSYS_NO_PATHCONV=1 docker run --rm -v "$(pwd):/src" semgrep/semgrep semgrep scan --config auto /src
+  ```
+
+- **If platform is `darwin` (macOS) or `linux`:** Use standard Docker command:
+  ```bash
+  docker run --rm -v "$(pwd):/src" semgrep/semgrep semgrep scan --config auto /src
+  ```
+
+**Why this matters on Windows:** Git Bash/MSYS2 performs automatic POSIX-to-Windows path conversion. Without `MSYS_NO_PATHCONV=1`, the Docker volume mount `/src` gets incorrectly converted to `C:/Program Files/Git/src`, causing Semgrep to fail with "Invalid scanning root" error.
+
+DO NOT try the command without the prefix first on Windows - use the correct platform-specific command immediately.
+
+**ESLint Security Plugin:**
+- If `eslint-plugin-security` is detected in devDependencies, security rules are already included in the linting step
+- No separate command needed, but note in discovery output that security linting is active
+
 ## Step 4: Results Summary
 
 Present results in a clear summary:
 
 ```
 Preflight Results
 
-Type Checking  Passed
-Linting        3 errors, 2 warnings
-Formatting     5 files need formatting
-Tests          42 passed, 0 failed
+Type Checking     Passed
+Linting           3 errors, 2 warnings
+Formatting        5 files need formatting
+Security Audit    2 vulnerabilities found
+Security SAST     Passed (semgrep)
+Tests             42 passed, 0 failed
 
 Overall: Issues found
 ```

plugins/ai-workflow/skills/preflight-checks/SKILL.md

@@ -14,7 +14,8 @@ Preflight checks are the quality gates that verify code before commits, PRs, or
 1. **Type Checking** - Static type verification (TypeScript, MyPy, etc.)
 2. **Linting** - Code quality and style enforcement
 3. **Formatting** - Consistent code style
-4. **Testing** - Unit, integration, and e2e tests
+4. **Security Scanning** - Dependency audits and static analysis (SAST)
+5. **Testing** - Unit, integration, and e2e tests
 
 ## Quick Reference
 
@@ -91,6 +92,44 @@ pytest                                  # Tests
 | Format | `cargo fmt --check` | `cargo fmt` |
 | Tests | `cargo test` | N/A |
 
+### Security Scanning (Cross-Platform)
+
+| Tool | Purpose | Command |
+|------|---------|---------|
+| pnpm audit | Dependency CVE scan | `pnpm audit` or `pnpm audit:check` |
+| npm audit | Dependency CVE scan | `npm audit` |
+| yarn audit | Dependency CVE scan | `yarn audit` |
+| eslint-plugin-security | JS/TS security patterns | Runs with ESLint |
+| Semgrep | SAST scanning | `semgrep scan --config auto` |
+| Semgrep (Docker) | SAST scanning | See platform-specific commands below |
+| pip-audit | Python dependency scan | `pip-audit` |
+| cargo-audit | Rust dependency scan | `cargo audit` |
+
+**IMPORTANT: If Semgrep is detected in CI workflows or config files, you MUST run it as part of preflight checks. Do not skip it.**
+
+**Semgrep Detection Priority:**
+1. Package.json scripts (e.g., `pnpm run semgrep`)
+2. Config files: `.semgreprc.yml`, `.semgrep.yml`, `semgrep.yml`, `.semgrep/`
+3. CI workflows: `.github/workflows/*.yml` (extract `--config` flags)
+4. **README.md documentation** - ALWAYS check this before trying generic Docker commands
+5. Local CLI: `semgrep --version`
+6. Docker fallback (see platform-specific commands below)
+
+**Semgrep Docker Commands (AUTOMATIC PLATFORM DETECTION):**
+
+CRITICAL: Detect the platform from environment context and use the correct command automatically.
+
+- **Windows (`win32`):** ALWAYS use `MSYS_NO_PATHCONV=1` prefix:
+  ```bash
+  MSYS_NO_PATHCONV=1 docker run --rm -v "$(pwd):/src" semgrep/semgrep semgrep scan --config auto /src
+  ```
+- **macOS (`darwin`) / Linux:** Standard command:
+  ```bash
+  docker run --rm -v "$(pwd):/src" semgrep/semgrep semgrep scan --config auto /src
+  ```
+
+**Why `MSYS_NO_PATHCONV=1` is required on Windows:** Git Bash/MSYS2 auto-converts POSIX paths to Windows paths. Without this prefix, `/src` becomes `C:/Program Files/Git/src`, causing "Invalid scanning root" error. DO NOT try without the prefix first on Windows.
+
 ## Discovery Strategy
 
 ### Step 1: Identify Project Type(s)
@@ -154,12 +193,22 @@ check: lint test
 ### Step 3: Detect CI Configuration
 
 Check for CI files to align local checks with CI:
-- `.github/workflows/*.yml` - GitHub Actions
+- `.github/workflows/*.yml` - GitHub Actions (also check for semgrep jobs)
 - `.gitlab-ci.yml` - GitLab CI
 - `azure-pipelines.yml` - Azure DevOps
 - `Jenkinsfile` - Jenkins
 - `.circleci/config.yml` - CircleCI
 
+### Step 4: Detect Security Tools
+
+Check for security scanning configuration:
+- `package.json` devDependencies for `eslint-plugin-security`
+- `package.json` scripts containing `audit` or `semgrep`
+- Semgrep config files: `.semgreprc.yml`, `.semgrep.yml`, `semgrep.yml`
+- CI workflows for semgrep jobs (extract `--config` flags for local replication)
+- `README.md` for documented security commands (often in Security sections)
+- Lock files (`pnpm-lock.yaml`, `package-lock.json`, `yarn.lock`) for audit support
+
 ## Best Practices
 
 ### Execution Order
@@ -168,7 +217,8 @@ Run checks in order of speed and feedback value:
 1. **Format check** (fastest, catches style issues)
 2. **Type checking** (fast, catches type errors)
 3. **Linting** (medium, catches quality issues)
-4. **Tests** (slowest, catches logic errors)
+4. **Security scanning** (medium, catches vulnerabilities)
+5. **Tests** (slowest, catches logic errors)
 
 This order provides fastest feedback on failures.