startup-security-kit-example

A minimal Go sample project for experiencing the Startup Security Kit AI security review skill.

Run the /ssk-security-review skill against app/handler.go, which contains intentional security vulnerabilities.

日本語版 README

---

Setup

Prerequisites

• Go 1.21+
• Claude Code CLI

1. Clone the repository

git clone https://github.com/st-hisatoshi-2973/startup-security-kit-example.git
cd startup-security-kit-example

2. Prepare Startup Security Kit

Using the submodule (recommended)

git submodule update --init

Local development (before the submodule is added)

If you already have startup-security-kit cloned locally, use a symlink:

# Unix / macOS
ln -s ../startup-security-kit startup-security-kit

# Windows (run in an elevated terminal)
mklink /D startup-security-kit ..\startup-security-kit

3. Start the app

go run app/handler.go

The server starts on http://localhost:8080.

---

Endpoints

Method	Path	Description
POST	/login	Login — returns a dummy JWT
GET	/admin/users	User list — intended for admins only

Example requests

# Login
curl -s -X POST http://localhost:8080/login \
  -H "Content-Type: application/json" \
  -d '{"username":"alice","password":"hunter2"}' | jq

# Admin endpoint (should require admin role — but doesn't)
TOKEN="<token from above>"
curl -s http://localhost:8080/admin/users \
  -H "Authorization: Bearer $TOKEN" | jq

---

Running the security review

Start Claude Code:

claude

Then run the skill:

/ssk-security-review

See docs/expected-review-output.md for the expected findings.

---

Adding the submodule (future reference)

git submodule add https://github.com/st-hisatoshi-2973/startup-security-kit.git startup-security-kit
git commit -m "Add startup-security-kit as submodule"

---

License

MIT