Testland

qa-role-security

Application-security & compliance QA role bundle: one-command install of SAST, DAST, SCA, secrets scanning, SBOM, fuzzing, compliance, multi-tenancy isolation, test-data privacy, and IaC policy testing.

Install this role bundle

/plugin install qa-role-security@testland-qa

One command installs all 10 member plugins. Requires Claude Code v2.1.110+ (v2.1.143+ to enable the whole set together).

Application security & compliance QA

Installing this one plugin installs all 10 member plugins below in a single command.

Install

/plugin marketplace add testland/qa
/plugin install qa-role-security@testland-qa

Claude Code resolves and installs the member plugins automatically and lists what it added.

What this installs

  • qa-sast - SAST (static application security testing)
  • qa-dast - DAST (dynamic application security testing)
  • qa-sca - SCA (software composition analysis) / dependency scanning
  • qa-secrets - Secrets scanning + rotation
  • qa-sbom - SBOM generation + container image scanning + vuln prioritization
  • qa-fuzz-testing - Structure-aware coverage-guided fuzzing
  • qa-compliance - Compliance test patterns + readiness review
  • qa-multi-tenancy - Tenant-isolation testing for B2B SaaS
  • qa-test-data-privacy - PII detection, masking, and synthetic data generation for test environments
  • qa-iac - Infrastructure-as-code testing + security policy

About role bundles

This is a role bundle - a plugin that ships no skills or agents of its own. It exists only to install a curated set of testing plugins together so you adopt a whole role in one command instead of installing each plugin by hand. Prefer a narrower set? Install just the member plugins you need individually.

Installs these 10 plugins

qa-sast

SAST (static application security testing): 7 skills (bandit-python, codeql-queries, eslint-security-rules, gosec-go, pmd-apex-rules, semgrep-rules, sonarqube-rules) and 1 agent (sast-finding-triager). Every scanner skill includes a mandatory False-positive triage section.

qa-dast

DAST (dynamic application security testing): 6 skills (burp-headless, dast-baseline-runner, nightvision-dast, nuclei-dast, zap-authenticated-scans, zap-baseline) and 1 agent (dast-finding-triager). Sister to qa-sast for runtime vulnerabilities. Every scanner skill includes a mandatory False-positive triage section.

qa-sca

SCA (software composition analysis): 8 skills (bundle-audit-ruby, cargo-audit-rust, dependabot-config, npm-pip-maven-audit, osv-scanner, reachability-analyzer, renovate-config, snyk-test) and 1 agent (sca-prioritizer).

qa-secrets

Secrets scanning + rotation: 5 skills (gitleaks-scanning, kingfisher-scanning, secrets-baseline-manager, secrets-rotation-runner, trufflehog-scanning) and 1 agent (secrets-finding-triager). Covers detection AND the rotation workflow: rewriting git history removes the string from the repository but does not revoke the credential, so every confirmed finding is treated as compromised until it has been rotated.

qa-sbom

SBOM generation + container image scanning + vuln prioritization: 7 skills (cyclonedx-format, grype-scanning, sbom-diff, spdx-format, syft-generation, trivy-image, vex-author) and 1 agent (vuln-prioritizer). SBOMs are called for by US EO 14028, the EU Cyber Resilience Act, and FDA premarket cybersecurity guidance for medical devices.

qa-fuzz-testing

Structure-aware coverage-guided fuzzing: 3 reference skills (corpus-management-reference, sanitiser-integration-reference, crash-triage-reference) + 7 per-language fuzzer skills (libfuzzer-cpp, afl-plus-plus, go-native-fuzzing, cargo-fuzz-rust, atheris-python-fuzzing, jazzer-jvm-fuzzing, ossfuzz-integration) + 1 dispatcher skill (fuzz-toolkit-dispatcher) + 2 agents (fuzz-target-author, fuzz-findings-critic). Distinct from qa-property-based (hypothesis-driven + shrinking) and qa-api-testing/schemathesis-fuzzing (API-layer); this is binary/system-level coverage-guided fuzzing.

qa-compliance

Compliance test patterns + readiness review: 8 skills (audit-trail-test-author, ccpa-test-patterns, compliance-evidence-generator, gdpr-test-patterns, hipaa-test-patterns, iso27001-test-patterns, pci-dss-scope-checker, soc2-evidence-collector) and 1 agent (compliance-readiness-reviewer). Covers regulated-industry test pattern catalogs.

qa-multi-tenancy

Tenant-isolation testing for B2B SaaS: row-level security, cross-tenant leak detection, tenant-id propagation tracing, isolation-model references (silo / pool / bridge), and adversarial review of tenant-leak risk.
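The cross-tenant leak check this plugin automates, shown as an added example (not the qa-multi-tenancy plugin's own code): a pool-model table shared by two tenants, a lookup keyed only by row id (the classic IDOR) beside a tenant-scoped lookup, and a sweep that requests every id as every tenant and reports rows handed to a tenant that does not own them. The schema, tenant names and rows are constructed for the example; it uses an in-memory SQLite database so it runs offline.

```python
"""Cross-tenant leak detection against a pool-model table (all tenants in
one table, rows tagged by tenant_id).  Added illustration, not the
qa-multi-tenancy plugin's own code; schema and rows are constructed."""
import sqlite3

# Constructed sample data: (id, tenant_id, number, amount)
INVOICES = [
    (1, "acme", "ACME-001", 1200),
    (2, "acme", "ACME-002", 800),
    (3, "globex", "GLOBEX-001", 5000),
]
TENANTS = ("acme", "globex")


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices ("
        "id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, number TEXT, amount INTEGER)"
    )
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?, ?)", INVOICES)
    return conn


def get_invoice_unscoped(conn, tenant_id, invoice_id):
    """Vulnerable: the caller's tenant is accepted but never used in the query,
    so any tenant can read any invoice id it can guess."""
    return conn.execute(
        "SELECT tenant_id, number, amount FROM invoices WHERE id = ?", (invoice_id,)
    ).fetchone()


def get_invoice_scoped(conn, tenant_id, invoice_id):
    """Hardened: tenant_id is part of every lookup key, which is what a
    row-level-security policy enforces in the database itself."""
    return conn.execute(
        "SELECT tenant_id, number, amount FROM invoices WHERE id = ? AND tenant_id = ?",
        (invoice_id, tenant_id),
    ).fetchone()


def cross_tenant_leaks(conn, fetch, tenants=TENANTS):
    """Request every row id as every tenant through `fetch`; return the rows
    that came back to a tenant other than their owner."""
    ids = [row[0] for row in conn.execute("SELECT id FROM invoices")]
    leaks = []
    for tenant in tenants:
        for invoice_id in ids:
            row = fetch(conn, tenant, invoice_id)
            if row is not None and row[0] != tenant:
                leaks.append({"as_tenant": tenant, "id": invoice_id, "owner": row[0]})
    return leaks


if __name__ == "__main__":
    conn = make_db()
    print("unscoped lookup leaks:", cross_tenant_leaks(conn, get_invoice_unscoped))
    print("scoped lookup leaks:  ", cross_tenant_leaks(conn, get_invoice_scoped))
```

The sweep is deliberately exhaustive (every id as every tenant) rather than sampled: a single leaked row is a finding, and the test data is small enough that the quadratic cost does not matter. Against a real service the same loop runs over the API with one authenticated session per tenant.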

qa-test-data-privacy

PII detection, masking, and synthetic data generation for test environments: 8 skills (data-masking-techniques-reference, faker-synthetic-data, k-anonymity-verifier, pii-categories-reference, pii-masking-pipeline-builder, presidio-pii-detection, synthea-healthcare-data, test-data-governance-reference) and 1 agent (pii-leak-critic).
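What a k-anonymity verifier checks, as an added example (not the qa-test-data-privacy plugin's own code): group rows by their quasi-identifier tuple, take the smallest group as the achieved k, and list the groups below the target as the records a masking step failed to hide. The rows, the choice of quasi-identifiers and the one generalization step (zip prefix, birth decade) are constructed for the example.

```python
"""k-anonymity check for a masked test dataset: every combination of
quasi-identifier values must be shared by at least k rows, otherwise the
masking has left re-identifiable records.  Added illustration, not the
qa-test-data-privacy plugin's own code; rows are constructed."""
from collections import Counter

# Attributes that can be joined with public data to re-identify a person.
QUASI_IDENTIFIERS = ("zip", "birth_year", "sex")

# Constructed production-like rows before masking.
RAW_ROWS = [
    {"zip": "02139", "birth_year": 1981, "sex": "F", "diagnosis": "flu"},
    {"zip": "02138", "birth_year": 1984, "sex": "F", "diagnosis": "asthma"},
    {"zip": "02141", "birth_year": 1985, "sex": "M", "diagnosis": "flu"},
    {"zip": "02144", "birth_year": 1988, "sex": "M", "diagnosis": "diabetes"},
    {"zip": "02142", "birth_year": 1983, "sex": "F", "diagnosis": "flu"},
    {"zip": "02140", "birth_year": 1986, "sex": "M", "diagnosis": "asthma"},
]


def equivalence_classes(rows, quasi_identifiers=QUASI_IDENTIFIERS):
    """Count rows per distinct quasi-identifier tuple."""
    return Counter(tuple(row[q] for q in quasi_identifiers) for row in rows)


def k_anonymity(rows, quasi_identifiers=QUASI_IDENTIFIERS):
    """The k the dataset actually achieves: size of its smallest class."""
    classes = equivalence_classes(rows, quasi_identifiers)
    return min(classes.values()) if classes else 0


def violations(rows, k, quasi_identifiers=QUASI_IDENTIFIERS):
    """Quasi-identifier tuples shared by fewer than k rows."""
    classes = equivalence_classes(rows, quasi_identifiers)
    return {key: n for key, n in classes.items() if n < k}


def generalize(row):
    """One masking step: keep the 3-digit zip prefix, coarsen birth year to a decade."""
    masked = dict(row)
    masked["zip"] = row["zip"][:3] + "**"
    masked["birth_year"] = row["birth_year"] // 10 * 10
    return masked


def verify(rows, k):
    """Release gate: (passes, achieved_k, violating classes)."""
    achieved = k_anonymity(rows)
    return achieved >= k, achieved, violations(rows, k)


if __name__ == "__main__":
    print("raw:   ", verify(RAW_ROWS, k=3))
    print("masked:", verify([generalize(r) for r in RAW_ROWS], k=3))
```

The raw rows are all distinct on the quasi-identifiers, so k is 1 and every row is a violation; after one generalization step the six rows collapse into two classes of three and the gate passes at k=3. Note that k-anonymity says nothing about the sensitive column: both masked classes here still share a diagnosis distribution that an attacker could learn, which is what the l-diversity extension addresses.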

qa-iac

Infrastructure-as-code testing + security policy: 6 skills (checkov-policy, helm-chart-tester, kics-policy, policy-as-code-runner, tfsec-policy, trivy-config) and 2 agents (iac-policy-checker, terraform-plan-reviewer).
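A terraform-plan review as policy-as-code, shown as an added example (not the qa-iac plugin's own checks): it parses the JSON that `terraform show -json` emits for a saved plan, walks `resource_changes`, and flags attribute values that would be risky after apply. The plan excerpt, the rule ids and the two checks (a security group open to the world on an admin port, an RDS instance that is publicly accessible or unencrypted) are constructed for the example.

```python
"""Terraform plan review as policy-as-code: inspect the post-apply state in
`terraform show -json tfplan` output and flag risky values before apply.
Added illustration, not the qa-iac plugin's own checks; the plan excerpt
and rule ids are constructed for this example."""
import json

# Constructed plan excerpt in the `terraform show -json` shape.
PLAN_JSON = """{
  "format_version": "1.2",
  "resource_changes": [
    {"address": "aws_security_group.bastion", "type": "aws_security_group",
     "change": {"actions": ["create"], "after": {
       "name": "bastion",
       "ingress": [
         {"from_port": 22, "to_port": 22, "protocol": "tcp",
          "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []},
         {"from_port": 443, "to_port": 443, "protocol": "tcp",
          "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}
       ]}}},
    {"address": "aws_db_instance.app", "type": "aws_db_instance",
     "change": {"actions": ["update"], "after": {
       "identifier": "app", "publicly_accessible": true, "storage_encrypted": false}}},
    {"address": "aws_db_instance.legacy", "type": "aws_db_instance",
     "change": {"actions": ["delete"], "after": null}}
  ]
}"""

ADMIN_PORTS = {22, 3389}
WORLD = {"0.0.0.0/0", "::/0"}


def planned_resources(plan):
    """Yield (address, type, after-state) for resources that exist after apply.
    Deletes carry "after": null and are skipped."""
    for rc in plan.get("resource_changes", []):
        after = rc.get("change", {}).get("after")
        if after is None:
            continue
        yield rc["address"], rc["type"], after


def check_security_group(address, after):
    findings = []
    for rule in after.get("ingress") or []:
        cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
        world = cidrs & WORLD
        if not world:
            continue
        lo, hi = rule.get("from_port", 0), rule.get("to_port", 0)
        # protocol "-1" means all ports; otherwise the range must cover an admin port
        if rule.get("protocol") == "-1" or any(lo <= p <= hi for p in ADMIN_PORTS):
            findings.append({"address": address, "rule": "SG_ADMIN_PORT_WORLD_OPEN",
                             "detail": f"ports {lo}-{hi} open to {sorted(world)}"})
    return findings


def check_db_instance(address, after):
    findings = []
    # `is True` / `is False`: a value only known after apply is absent from
    # "after" (it appears under "after_unknown") and must not be flagged here.
    if after.get("publicly_accessible") is True:
        findings.append({"address": address, "rule": "RDS_PUBLICLY_ACCESSIBLE",
                         "detail": "publicly_accessible = true"})
    if after.get("storage_encrypted") is False:
        findings.append({"address": address, "rule": "RDS_STORAGE_UNENCRYPTED",
                         "detail": "storage_encrypted = false"})
    return findings


CHECKS = {"aws_security_group": check_security_group, "aws_db_instance": check_db_instance}


def review_plan(plan_text):
    """Run every applicable check over the plan; return the list of findings."""
    findings = []
    for address, rtype, after in planned_resources(json.loads(plan_text)):
        check = CHECKS.get(rtype)
        if check:
            findings.extend(check(address, after))
    return findings


if __name__ == "__main__":
    for f in review_plan(PLAN_JSON):
        print(f"{f['rule']:26} {f['address']}: {f['detail']}")
```

Reviewing the plan rather than the `.tf` source catches values that only resolve at plan time (variables, module outputs), which is why the static scanners listed above and a plan reviewer complement rather than replace each other; the 443 rule and the deleted instance are intentionally left unflagged.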