
NightVision Skills for Claude Code Are Now Available. Here's What They Do.

nightvision
Announcements
3.5.2026

Claude Code can reason about code. Now it can run NightVision too.

We wrote two days ago about what Claude Code changes for AppSec and what it doesn't. The short version: Claude is genuinely strong at code reasoning and patch suggestions. What it doesn't have out of the box is the product scope to cover API inventory enforcement, dynamic runtime testing, or CI/CD-integrated security gates. Those are NightVision's domain.

Today, we're closing that gap.

NightVision skills for Claude Code are now available on GitHub. Four skills. One plugin. Install in under a minute.

Two Different Layers of Security

The existing Claude Code experience is strong for developers thinking about security. It helps at the layer of "what did I write, and is it safe?" NightVision operates at a different layer: "what is running, and is it exploitable?"

Those two questions are not the same.

Code analysis catches what's visible at the source. NightVision's dynamic scanner catches what only appears at runtime: misconfigured auth, unexpected API behavior, server-side issues that don't manifest until the application is actually running. NightVision's API Discovery finds and inventories your full API attack surface through static analysis of source code, producing deterministic, traceable output that can be enforced as a security control.

And NightVision's CI/CD integration turns DAST findings into enforceable security gates in your pipeline. Historically, getting all of that into a developer's workflow has required switching tools, switching teams, and switching context.

The skills plugin fixes that. When NightVision's capabilities are accessible from the same interface developers are already using, they get used earlier, more consistently, and with better codebase context than when they require a full context switch.

What the Plugin Does

The plugin gives Claude four skills, each mapped to a distinct phase of the NightVision workflow.

Scan-Configuration handles setup for a NightVision dynamic scan: creating targets, configuring authentication via Playwright scripts, headers, or cookies, defining scope exclusions, and preparing for private network scanning. Now Claude handles it as part of the same session, with direct context about the code it's scanning, so configuration is faster, more accurate, and doesn't break your flow.

API-Discovery brings NightVision's API eNVy capabilities into the Claude Code workflow. NightVision extracts OpenAPI specifications directly from source code through static analysis, builds a complete and traceable API inventory, and uses Code Traceback to map each endpoint back to the exact lines that define it. Claude can then compare specs across versions and troubleshoot extraction gaps. If you're building or maintaining a large API surface, this is how you keep inventory accurate, auditable, and enforceable without making it a manual process.

Scan-Triage is where NightVision's detection and Claude's code reasoning come together most directly. NightVision finds the vulnerabilities through dynamic scanning. Claude then reads the SARIF or CSV findings, locates the vulnerable code, prioritizes by severity, and helps developers understand and act on what NightVision finds. Developers who aren't AppSec specialists no longer have to become experts in reading scanner output to move quickly on the results.

CI-CD-Integration wires NightVision into your pipeline across GitHub Actions, GitLab CI, Azure DevOps, Jenkins, and Bitbucket. Claude configures NightVision's SARIF/CSV export, sets up breaking-change detection, and helps define the conditions under which a scan result should fail a build. This is where NightVision shifts from a point-in-time scanner to a repeatable security control that lives inside the deployment process.
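
To make the Scan-Triage and CI-CD-Integration descriptions concrete, here is an added example (not code from NightVision or its plugin) that sorts SARIF findings by severity and decides whether a pipeline step should fail. It relies only on standard SARIF 2.1.0 fields; the function names `triage` and `gate`, the `fail_at` parameter, and the sample report are hypothetical.

```python
import json

# SARIF 2.1.0 result levels, ordered from least to most severe.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

# Constructed sample report (not real NightVision output); only standard
# SARIF 2.1.0 fields are used, and rule IDs and paths are made up.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-dast"}},
        "results": [
            {"ruleId": "missing-security-header", "level": "note",
             "message": {"text": "Response lacks a security header"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/middleware.py"},
                 "region": {"startLine": 12}}}]},
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "Parameter reaches a SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/views/users.py"},
                 "region": {"startLine": 48}}}]},
            # No "level" and no "locations": both are optional in SARIF.
            {"ruleId": "verbose-error", "message": {"text": "Stack trace returned"}},
        ],
    }],
})


def triage(sarif_text):
    """Flatten every run's results and sort them most severe first."""
    findings = []
    for run in json.loads(sarif_text).get("runs", []):
        for res in run.get("results", []):
            level = res.get("level", "warning")  # treated as warning when omitted
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "rule": res.get("ruleId", "<unknown>"),
                "level": level,
                "file": loc.get("artifactLocation", {}).get("uri"),
                "line": loc.get("region", {}).get("startLine"),
            })
    return sorted(findings, key=lambda f: -LEVEL_RANK.get(f["level"], 2))


def gate(findings, fail_at="error"):
    """Return (exit_code, blocking); exit code 1 should fail the pipeline step."""
    blocking = [f for f in findings if LEVEL_RANK.get(f["level"], 2) >= LEVEL_RANK[fail_at]]
    return (1 if blocking else 0), blocking
```

In a pipeline step, pass the exit code from `gate` to `sys.exit` so the job fails only when a finding meets the chosen threshold.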

Security That's Actually in the Workflow

The argument we made two days ago holds here too: coverage improves when controls are embedded in existing workflows, not bolted on afterward. That's not a product pitch. It's just how security programs work in practice.

Developers using Claude Code to write and review code now have a straight path to NightVision's dynamic validation, API discovery, and pipeline enforcement. Not as a separate step handled by a different team using a different tool, but as part of the same session, in the same terminal, informed by the same codebase context. Claude knows the code. NightVision knows how to attack it. The skills connect them.

Getting Started

The plugin is available now on GitHub at github.com/nvsecurity/skills.

Install from your terminal:

claude plugin marketplace add nvsecurity/skills
claude plugin install nightvision@nvsecurity
claude

Or from inside Claude Code, run each command one at a time and wait for it to complete before running the next:

Step 1:

/plugin marketplace add nvsecurity/skills

Step 2:

/plugin install nightvision@nvsecurity

You may need to restart Claude Code after installation. If you want to talk through how NightVision fits into your specific pipeline, we're easy to reach.

Have questions about integrating NightVision into your Claude Code workflow? Get in touch.
