Anthropic has published Defending Code Reference Harness, an open-source reference implementation for autonomous vulnerability discovery and remediation with Claude that appears to be based on the company’s work with security teams at several organizations. The repository also notes that it is “not maintained” and “not accepting contributions,” which makes it closer to a reference artifact than an actively evolving project.
The repo centers on a set of Claude Code skills — /quickstart, /threat-model, /vuln-scan, /triage, /patch, and /customize — meant to walk through threat modeling, static scanning, triage, and patch generation. Anthropic describes those skills as read-and-write only, with /customize additionally modifying the harness code and running validation commands.
Alongside the interactive workflow, the repository includes a harness/ pipeline built around recon, find, verify, report, and patch stages. The harness is configured for C and C++ memory vulnerabilities, using Docker and ASAN, and the company cautions that the setup is a “reference, not a product.” Anthropic also states that the autonomous pipeline executes target code and therefore refuses to run outside a gVisor sandbox unless explicitly overridden.
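To make that sandbox requirement concrete, here is an added example of such a gate (my own illustration, not code from the harness): it checks the kernel log for gVisor's startup banner and refuses to run target code otherwise, unless an override variable is set. The detection method and the HARNESS_ALLOW_UNSANDBOXED variable are assumptions, not taken from the repository.

```python
import os
import re
import subprocess

# Constructed sample of dmesg output as seen inside a gVisor (runsc) sandbox;
# gVisor's emulated kernel log opens with a "Starting gVisor..." banner.
SAMPLE_GVISOR_DMESG = """[   0.000000] Starting gVisor...
[   0.123456] Checking naughty and nice process list...
[   0.234567] Ready!
"""

# Constructed sample from a plain Linux host or an ordinary Docker container.
SAMPLE_HOST_DMESG = """[    0.000000] Linux version 6.1.0 (gcc version 12.2.0)
[    0.000000] Command line: BOOT_IMAGE=/vmlinuz root=/dev/sda1
"""

# Hypothetical override variable; the real harness's flag is not shown on the page.
OVERRIDE_ENV = "HARNESS_ALLOW_UNSANDBOXED"


def looks_like_gvisor(dmesg_text: str) -> bool:
    """True if the kernel log carries gVisor's startup banner."""
    return re.search(r"Starting gVisor", dmesg_text) is not None


def sandbox_decision(dmesg_text: str, env: dict) -> tuple:
    """Decide whether untrusted target code may be executed.

    Returns (allowed, reason). Execution is allowed inside gVisor, or outside
    it only when the override variable is set to exactly "1"; anything else
    (unset, "yes", "true") still refuses, so an accidental value cannot bypass it.
    """
    if looks_like_gvisor(dmesg_text):
        return True, "gVisor sandbox detected"
    if env.get(OVERRIDE_ENV) == "1":
        return True, f"no gVisor detected; proceeding because {OVERRIDE_ENV}=1"
    return False, f"refusing: no gVisor sandbox and {OVERRIDE_ENV} is not set to 1"


def read_dmesg() -> str:
    """Read the live kernel log; returns "" if dmesg is unavailable or denied."""
    try:
        return subprocess.run(["dmesg"], capture_output=True, text=True, check=False).stdout
    except (FileNotFoundError, OSError):
        return ""


if __name__ == "__main__":
    allowed, reason = sandbox_decision(read_dmesg(), dict(os.environ))
    print(("ALLOW" if allowed else "REFUSE") + ": " + reason)
```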
The README lays out a four-step ramp-up plan. Day 1 starts with a threat model and a static scan plus triage. Day 2 moves into an autonomous run on a C/C++ library. Days 3 through 5 focus on adapting the pipeline to another target stack. Week 2 adds repeated scans, cross-run triage, and patching.
For teams that do not want to assemble their own pipeline, the repository points to Claude Security, which Anthropic describes as a hosted product for finding and fixing vulnerabilities across multiple projects. The README also links to supporting material: the accompanying blog post and documentation covering the pipeline, security, the agent sandbox, customization, patching, and troubleshooting.
Source: GitHub
