AppSec Fix Verification FAQs

Name: AppSec Fix Verification
Author: florianbuetow

Question 1

What happens if a security fix is only partial?

Accepted Answer

When using the '--depth deep' or 'expert' flags, the skill analyzes alternate code paths and potential bypasses like encoding tricks. If the vulnerability still exists in any form, it returns a 'STILL VULNERABLE' verdict with an explanation.

Question 2

Can I verify multiple fixes at once?

Accepted Answer

By default, the skill identifies and verifies all findings marked with a 'fix-applied' status, though you can use the --scope flag to target specific files or IDs.

Question 3

Does it support external security scanners?

Accepted Answer

Yes, if a finding was originally detected by a scanner, the skill will attempt to re-run that specific scanner rule against the updated file to provide a high-confidence verification.

Question 4

How does the skill know if a vulnerability is fixed?

Accepted Answer

The skill re-runs the original detection method—either a specific third-party scanner rule or Claude's own AI-driven logic analysis—to ensure the vulnerable pattern no longer exists in the current codebase.

Question 5

Where are the verification results stored?

Accepted Answer

Results are updated directly in the .appsec/findings.json file. Findings marked as 'verified-fixed' are also moved to a history file for regression tracking.

AppSec Fix Verification

Key Features

Use Cases

AppSec Fix Verification

Key Features

Use Cases