Get Started

Install

Set Lagune up in any project, new or existing, with a single command via npx, and choose the security specializations that fit it.

Install

Lagune adapts to your environment, whether it is a new project or an existing one.

No keys

No API keys are needed, it runs directly through your own agent (Claude, Codex, and more).

Run Lagune directly with no subcommand for an interactive live view, follow-up, and maintenance. It serves a dashboard and opens it on a random port:

npx -y lagune@latest
  • Live Reload
  • Private and Local
  • Install, Pull, Update, and Manage all Lagune features directly from your browser
  • No node_modules or package.json is needed 📦
tip
  • 🚪 Use --port or -p to specify a custom port.
  • ⏏️ Press Ctrl+C to stop.
Any language

🃏 Lagune runs on Node.js under the hood, you use whatever language you want.

What gets created

Running Lagune in your project creates two things:

  • .lagune/ holds Lagune's state in that project: the charter, the artifact each phase produces, the on-demand skills you installed, and the internal tracking.
  • Agent commands are written into your agent's own location, in its native format, so the /lagune.* commands are ready to run.

Your security work is committed alongside your code, versioned and reviewable like any other part of the project. Lagune's own files are gitignored by default, since pull brings them back from the manifest.

Update

To update Lagune's own files and its commands to their latest versions, run:

npx -y lagune@latest update
tip

Your charter, the artifacts each phase produces, the internal tracking, and any sub-skill you authored with /lagune.specialize stay untouched.

Pull

When you clone or fork a project that already has Lagune, run pull to install its files from the manifest:

npx -y lagune@latest pull
tip

💡 Think of it as the Lagune equivalent of npm i, pip install -r requirements.txt, and the like.

Specializations

Lagune ships focused security sub-skills grouped into categories, from owasp to per-language ones like python, go, and rust. You install them by category with the --skills flag. The flag is the same everywhere, so what you learn for init works for add and remove too.

The agent commands are always set up. Specializations are what you choose on top.

Install at init

--skills with no category opens an interactive picker (space to toggle, enter to confirm, empty to skip):

npx -y lagune@latest init claude --skills

Add and remove anytime

The same --skills flag, without touching the agent.

npx -y lagune@latest add --skills # interactive
npx -y lagune@latest add --skills owasp
npx -y lagune@latest add --skills owasp rust

See what exists

list on its own asks what you want to see, the findings Lagune is tracking or the specialization categories, then prints that. Skip the prompt with a flag: --findings for the tracked findings, --skills for the categories.

npx -y lagune@latest list --skills
# Specializations .lagune/skills/
# • owasp [installed] Harden against the application security risks OWASP tracks
# • javascript [available] JavaScript and its runtimes
# • php [available] PHP and its language-specific risks
# • go [available] Go and its language-specific risks
# ...

Requirements

You will need these tools installed on your system:

Next

Once Lagune is set up, your agent unlocks a set of slash commands. See Commands.

Copyright © 2026-present Weslley Araújo and contributors. SDH: Lagune is under the MIT License. Please check the Security Policy.

All product names, trademarks, and registered trademarks mentioned are the property of their respective owners and are used for identification purposes only.