Anthropic ships Claude Code security plugin to catch bugs sooner

Anthropic has rolled out a new security-guidance plugin for Claude Code, designed to flag risky patterns during edits, model turns, and commits. The company says internal testing cut security-related PR comments by 30–40%, while users debate accuracy and false positives.

TL;DR

  • Claude Code security-guidance plugin: Identifies and fixes vulnerabilities during coding; available via plugin marketplace
  • Three-stage checks: Runs on file edits, after model turns, and on commits via hooks
  • Detection approach: Early scan flags risky patterns; later scans review full diff and surrounding code
  • Org policy support: Rules stored in claude-security-guidance.md, repo-based or distributed via MDM
  • Reported internal impact: 30–40% decrease in security-related PR comments during rollout and benchmarks
  • Feedback themes: earlier detection and policy codification; concerns about false positives and “no issue found” output

Anthropic’s Claude Code team posted on X that it has shipped a “security-guidance plugin” for Claude Code, a tool the company describes as helping identify and fix vulnerabilities while code is being written. The plugin is available to all Claude Code users through the plugin marketplace, according to the post.

In the company’s description, the plugin runs through hooks and checks code at three stages: on file edits, after model turns, and on commits. Anthropic states that the first pass looks for “risky patterns” such as commonly misused dangerous libraries, while later checks review the full diff and surrounding code for harder-to-spot issues.
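The first stage described above, a cheap scan of only the changed lines for commonly misused dangerous APIs, is easy to picture as a pre-commit check over a unified diff. The following is an added illustration written for this article, not code from Anthropic's plugin: the rule table, the `Finding` type, the `scan_diff` function and the sample diff are all constructed here, and a match is a hint for review rather than proof of a vulnerability.

```python
"""Toy pre-commit scanner for risky patterns in a unified diff.

Added example, not Anthropic's plugin code. It mimics the first-stage
check described in the article: look only at what changed and flag calls
to commonly misused, dangerous APIs. The rule table and sample diff are
constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed rule table: (pattern, reason). Matches are review hints.
RISKY_PATTERNS = [
    (re.compile(r"\beval\s*\("), "eval() on untrusted input allows code execution"),
    (re.compile(r"\bexec\s*\("), "exec() on untrusted input allows code execution"),
    (re.compile(r"\bpickle\.loads?\s*\("), "pickle deserialization of untrusted data is unsafe"),
    (re.compile(r"\byaml\.load\s*\((?![^)]*Loader=)"), "yaml.load without an explicit safe Loader"),
    (re.compile(r"\bsubprocess\.\w+\s*\([^)]*shell\s*=\s*True"), "subprocess with shell=True invites command injection"),
    (re.compile(r"\bos\.system\s*\("), "os.system builds a shell command from a string"),
    (re.compile(r"\bhashlib\.md5\s*\("), "MD5 is not suitable for passwords or integrity of untrusted data"),
]

# Hunk header "@@ -old,len +new,len @@": we only need the new-file start line.
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass
class Finding:
    path: str
    line: int      # line number in the post-change file
    reason: str
    text: str


def scan_diff(diff: str) -> list[Finding]:
    """Walk a unified diff and check only added lines against RISKY_PATTERNS."""
    findings: list[Finding] = []
    path = "<unknown>"
    new_line = 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            # "+++ b/app/x.py" -> "app/x.py"
            path = raw[4:].split("\t")[0]
            if path.startswith("b/"):
                path = path[2:]
            continue
        if raw.startswith("--- ") or raw.startswith("\\"):
            continue  # old-file header or "\ No newline at end of file"
        m = HUNK_RE.match(raw)
        if m:
            new_line = int(m.group(1))
            continue
        if raw.startswith("+"):
            code = raw[1:]
            for pattern, reason in RISKY_PATTERNS:
                if pattern.search(code):
                    findings.append(Finding(path, new_line, reason, code.strip()))
            new_line += 1
        elif raw.startswith("-"):
            continue  # removed line: does not advance the new-file counter
        else:
            new_line += 1  # context line (or git metadata before the first hunk)
    return findings


def report(findings: list[Finding]) -> str:
    """Render findings in the familiar path:line: message form."""
    return "\n".join(f"{f.path}:{f.line}: {f.reason}  [{f.text}]" for f in findings)


# Constructed sample diff: two added lines should be flagged.
SAMPLE_DIFF = """\
diff --git a/app/handlers.py b/app/handlers.py
--- a/app/handlers.py
+++ b/app/handlers.py
@@ -10,6 +10,9 @@ import json
 def load_config(raw):
-    return json.loads(raw)
+    import yaml
+    return yaml.load(raw)
+
+def run(cmd):
+    return subprocess.run(cmd, shell=True)
 
 def health():
     return "ok"
"""

if __name__ == "__main__":
    print(report(scan_diff(SAMPLE_DIFF)))
```

Run against `SAMPLE_DIFF` this reports `app/handlers.py:12` for the `yaml.load` call and `app/handlers.py:15` for the `shell=True` call; the removed `json.loads` line is never examined. A real second stage, as the article describes, would then look at the surrounding code to decide whether `raw` and `cmd` are actually attacker-controlled.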

The company also claims it has used the plugin internally and that, across its rollout and benchmarks, it saw a “30-40% decrease in security-related comments on PRs” when the plugin was involved. That figure should be treated cautiously, but it suggests the tool is being positioned as an early filter before a fuller code review.

Anthropic added that org-specific policy can be stored in a claude-security-guidance.md file, either in a repository or distributed via MDM. The plugin then enforces those rules alongside built-in checks.

Source: ClaudeDevs on X
