A Claude Code Workflow for the OWASP Top 10
📰 Medium · Programming
Learn how to implement a Claude Code workflow to detect security vulnerabilities in your codebase, following the OWASP Top 10 guidelines
Action Steps
- Set up a Claude Code workflow using Opus 4.8 and configure it to run against your codebase
- Integrate the workflow with your CI/CD pipeline to automate security checks
- Use the OWASP Top 10 (2025) as a guideline to identify potential security vulnerabilities in your code
- Implement a subagent, such as `security-reviewer`, to scan your code for security issues
- Run the subagent against code diffs to catch potential security vulnerabilities before they reach production
Who Needs to Know This
This workflow is beneficial for development teams, especially those using Firebase and React JS, as it helps catch security vulnerabilities early on, reducing the risk of breaches and data exposure. The team's security engineer or developer can implement and maintain this workflow.
Key Insight
💡 A Claude Code workflow can help detect security vulnerabilities early on, reducing the risk of breaches and data exposure, by automating security checks and scanning code diffs
Share This
🚨 Implement a Claude Code workflow to catch security vulnerabilities in your codebase! 🚨
Key Takeaways
Learn how to implement a Claude Code workflow to detect security vulnerabilities in your codebase, following the OWASP Top 10 guidelines
Full Article
Title: A Claude Code Workflow for the OWASP Top 10
URL Source: https://mrzacsmith.medium.com/a-claude-code-workflow-for-the-owasp-top-10-af6f24dda7ca?source=rss------programming-5
Published Time: 2026-06-24T23:52:30Z
Markdown Content:
[Sitemap](https://mrzacsmith.medium.com/sitemap/sitemap.xml)
[Open in app](https://play.google.com/store/apps/details?id=com.medium.reader&referrer=utm_source%3DmobileNavBar&source=post_page---top_nav_layout_nav-----------------------------------------)
Sign up
[Sign in](https://medium.com/m/signin?operation=login&redirect=https%3A%2F%2Fmrzacsmith.medium.com%2Fa-claude-code-workflow-for-the-owasp-top-10-af6f24dda7ca&source=post_page---top_nav_layout_nav-----------------------global_nav------------------)
[](https://medium.com/?source=post_page---top_nav_layout_nav-----------------------------------------)
Get app
[Write](https://medium.com/m/signin?operation=register&redirect=https%3A%2F%2Fmedium.com%2Fnew-story&source=---top_nav_layout_nav-----------------------new_post_topnav------------------)
[Search](https://medium.com/search?source=post_page---top_nav_layout_nav-----------------------------------------)
Sign up
[Sign in](https://medium.com/m/signin?operation=login&redirect=https%3A%2F%2Fmrzacsmith.medium.com%2Fa-claude-code-workflow-for-the-owasp-top-10-af6f24dda7ca&source=post_page---top_nav_layout_nav-----------------------global_nav------------------)

Member-only story
# A Claude Code Workflow for the OWASP Top 10
[](https://mrzacsmith.medium.com/?source=post_page---byline--af6f24dda7ca---------------------------------------)
[Zac Smith](https://mrzacsmith.medium.com/?source=post_page---byline--af6f24dda7ca---------------------------------------)
Follow
8 min read
·
1 hour ago
[](https://medium.com/m/signin?actionUrl=https%3A%2F%2Fmedium.com%2F_%2Fvote%2Fp%2Faf6f24dda7ca&operation=register&redirect=https%3A%2F%2Fmrzacsmith.medium.com%2Fa-claude-code-workflow-for-the-owasp-top-10-af6f24dda7ca&user=Zac+Smith&userId=7ffd24945d88&source=---header_actions--af6f24dda7ca---------------------clap_footer------------------)
[](https://medium.com/m/signin?actionUrl=https%3A%2F%2Fmedium.com%2F_%2Frepost%2Fp%2Faf6f24dda7ca&operation=register&redirect=https%3A%2F%2Fmrzacsmith.medium.com%2Fa-claude-code-workflow-for-the-owasp-top-10-af6f24dda7ca&user=Zac+Smith&userId=7ffd24945d88&source=---header_actions--af6f24dda7ca---------------------repost_header------------------)
[](https://medium.com/m/signin?actionUrl=https%3A%2F%2Fmedium.com%2F_%2Fbookmark%2Fp%2Faf6f24dda7ca&operation=register&redirect=https%3A%2F%2Fmrzacsmith.medium.com%2Fa-claude-code-workflow-for-the-owasp-top-10-af6f24dda7ca&source=---header_actions--af6f24dda7ca---------------------bookmark_footer------------------)
[Listen](https://medium.com/m/signin?actionUrl=https%3A%2F%2Fmedium.com%2Fplans%3Fdimension%3Dpost_audio_button%26postId%3Daf6f24dda7ca&operation=register&redirect=https%3A%2F%2Fmrzacsmith.medium.com%2Fa-claude-code-workflow-for-the-owasp-top-10-af6f24dda7ca&source=---header_actions--af6f24dda7ca---------------------post_audio_button------------------)
Share
Press enter or click to view image in full size

I shipped a Firestore rules change at 11 PM, ran my `security-reviewer` subagent against the diff, and it caught a `request.auth.uid` comparison that would have let any signed-in user read any other user's document. The fix was three lines. The detection was free, in the sense that the workflow was already in place from a previous sprint.
This is the workflow. It is opinionated, scoped to my stack (Vite + React JS, Firebase, Playwright, Vitest, Claude Code on Opus 4.8), and built around the OWASP Top 10 (2025) as the structuri
URL Source: https://mrzacsmith.medium.com/a-claude-code-workflow-for-the-owasp-top-10-af6f24dda7ca?source=rss------programming-5
Published Time: 2026-06-24T23:52:30Z
Markdown Content:
[Sitemap](https://mrzacsmith.medium.com/sitemap/sitemap.xml)
[Open in app](https://play.google.com/store/apps/details?id=com.medium.reader&referrer=utm_source%3DmobileNavBar&source=post_page---top_nav_layout_nav-----------------------------------------)
Sign up
[Sign in](https://medium.com/m/signin?operation=login&redirect=https%3A%2F%2Fmrzacsmith.medium.com%2Fa-claude-code-workflow-for-the-owasp-top-10-af6f24dda7ca&source=post_page---top_nav_layout_nav-----------------------global_nav------------------)
[](https://medium.com/?source=post_page---top_nav_layout_nav-----------------------------------------)
Get app
[Write](https://medium.com/m/signin?operation=register&redirect=https%3A%2F%2Fmedium.com%2Fnew-story&source=---top_nav_layout_nav-----------------------new_post_topnav------------------)
[Search](https://medium.com/search?source=post_page---top_nav_layout_nav-----------------------------------------)
Sign up
[Sign in](https://medium.com/m/signin?operation=login&redirect=https%3A%2F%2Fmrzacsmith.medium.com%2Fa-claude-code-workflow-for-the-owasp-top-10-af6f24dda7ca&source=post_page---top_nav_layout_nav-----------------------global_nav------------------)

Member-only story
# A Claude Code Workflow for the OWASP Top 10
[](https://mrzacsmith.medium.com/?source=post_page---byline--af6f24dda7ca---------------------------------------)
[Zac Smith](https://mrzacsmith.medium.com/?source=post_page---byline--af6f24dda7ca---------------------------------------)
Follow
8 min read
·
1 hour ago
[](https://medium.com/m/signin?actionUrl=https%3A%2F%2Fmedium.com%2F_%2Fvote%2Fp%2Faf6f24dda7ca&operation=register&redirect=https%3A%2F%2Fmrzacsmith.medium.com%2Fa-claude-code-workflow-for-the-owasp-top-10-af6f24dda7ca&user=Zac+Smith&userId=7ffd24945d88&source=---header_actions--af6f24dda7ca---------------------clap_footer------------------)
[](https://medium.com/m/signin?actionUrl=https%3A%2F%2Fmedium.com%2F_%2Frepost%2Fp%2Faf6f24dda7ca&operation=register&redirect=https%3A%2F%2Fmrzacsmith.medium.com%2Fa-claude-code-workflow-for-the-owasp-top-10-af6f24dda7ca&user=Zac+Smith&userId=7ffd24945d88&source=---header_actions--af6f24dda7ca---------------------repost_header------------------)
[](https://medium.com/m/signin?actionUrl=https%3A%2F%2Fmedium.com%2F_%2Fbookmark%2Fp%2Faf6f24dda7ca&operation=register&redirect=https%3A%2F%2Fmrzacsmith.medium.com%2Fa-claude-code-workflow-for-the-owasp-top-10-af6f24dda7ca&source=---header_actions--af6f24dda7ca---------------------bookmark_footer------------------)
[Listen](https://medium.com/m/signin?actionUrl=https%3A%2F%2Fmedium.com%2Fplans%3Fdimension%3Dpost_audio_button%26postId%3Daf6f24dda7ca&operation=register&redirect=https%3A%2F%2Fmrzacsmith.medium.com%2Fa-claude-code-workflow-for-the-owasp-top-10-af6f24dda7ca&source=---header_actions--af6f24dda7ca---------------------post_audio_button------------------)
Share
Press enter or click to view image in full size

I shipped a Firestore rules change at 11 PM, ran my `security-reviewer` subagent against the diff, and it caught a `request.auth.uid` comparison that would have let any signed-in user read any other user's document. The fix was three lines. The detection was free, in the sense that the workflow was already in place from a previous sprint.
This is the workflow. It is opinionated, scoped to my stack (Vite + React JS, Firebase, Playwright, Vitest, Claude Code on Opus 4.8), and built around the OWASP Top 10 (2025) as the structuri
DeepCamp AI