Security

The security review

Claude Code scans your code for the holes that get apps hacked — then fixes them. Here's how to run it, and how it works.

Start here

The one-word version: type /security-review in Claude Code. It scans the changes on your branch, reports the risks with a severity and a fix for each, and then you tell it to fix them — all in the same chat.

Want a deeper pass, or more control over what it looks at? Paste this instead:

Paste this into Claude Code
Do a security review of the pending changes on this branch. Look for the vulnerabilities that actually get exploited: injection (SQL, command, XSS, path traversal), broken authentication or access control, hardcoded secrets and weak crypto, unsafe code execution or deserialization, and sensitive data exposure in logs or responses. For each issue give me the file and line, the severity, why it's exploitable, and the fix. Only flag things you're genuinely confident are real. When you're done, wait — I'll ask you to fix them.

When it's finished, say "now fix the issues you found, and explain each change" — and it'll action them for you.

What it looks for

It hunts the high-impact, actually-exploitable stuff — and filters to the findings it's confident about, so the report stays short and real.

Injection: SQL, command, XSS, path traversal, template and NoSQL injection — anywhere untrusted input reaches something dangerous.
Broken auth & access control: Auth bypasses, privilege escalation, insecure object references, weak session or JWT handling.
Secrets & crypto: Hardcoded API keys and credentials, weak algorithms, bad key storage, certificate-validation bypass.
Unsafe code execution: Remote code execution, unsafe deserialization, eval-style injection.
Data exposure: Secrets or personal data leaking into logs, debug output, or API responses.

How it works

1. Run it

Type /security-review in Claude Code. You need a git repo with some pending changes — it reviews the diff on your current branch, not the whole codebase, so it stays fast and focused.

2. Read the report

It hands you a short markdown report in the chat: each issue with a severity, the file and line, why it's actually exploitable, and how to fix it. It filters to high- and medium-confidence findings, so you're not drowning in noise.

3. Get Claude to fix them

Stay in the same chat and say "fix the issues you found". It works through them, proposes the changes, and you approve each one — the normal Claude Code flow. No restart, no re-run.

4. Automate it on PRs (optional)

For a repo you care about, the anthropics/claude-code-security-review GitHub Action runs the same review on every pull request and posts findings as inline comments. Honest caveat: it isn't hardened against prompt injection — run it on trusted PRs only.
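
One way to wire up the PR automation while respecting the trusted-PRs caveat, as an added example rather than the project's own workflow file. The input names `claude-api-key` and `comment-pr`, the secret name `CLAUDE_API_KEY`, and the commit placeholder are assumptions to check against the action's README; treating "trusted" as "branch lives in this repo, not a fork" is also an assumption.

```yaml
# .github/workflows/security-review.yml  (constructed example)
name: Security review

on:
  # pull_request, not pull_request_target: fork PRs run without
  # repository secrets and with a read-only token.
  pull_request:

# Least privilege: read the code, write review comments, nothing else.
permissions:
  contents: read
  pull-requests: write

jobs:
  security-review:
    runs-on: ubuntu-latest
    # Trusted-PR gate: skip PRs whose head branch lives in a fork, so
    # attacker-authored diffs never reach the reviewing model.
    if: github.event.pull_request.head.repo.full_name == github.repository
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          fetch-depth: 2
          # Do not leave the job token in .git/config for later steps.
          persist-credentials: false

      # Pin to a commit you have reviewed instead of a moving branch.
      # <PINNED_COMMIT_SHA> is a placeholder, not a real revision.
      - uses: anthropics/claude-code-security-review@<PINNED_COMMIT_SHA>
        with:
          claude-api-key: ${{ secrets.CLAUDE_API_KEY }}  # assumed input name
          comment-pr: true                               # assumed input name
```

The fork check only narrows who can trigger the review: anyone with write access to the repo can still open a same-repo PR, so the findings remain advisory and the API key should be scoped and rotated like any other CI secret.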

The honest bit — what it isn't

  • It's a first-pass, in-development tool — not a replacement for a proper security audit or a pentest. Think of it as the obvious stuff you need covered before you ship, not a clean bill of health.
  • Static analysis only. It reads your code, so it won't catch runtime issues, business-logic flaws, or misconfigured production infrastructure.
  • It can miss things, and the odd false positive gets through — it's a model, not a guarantee.
  • It deliberately ignores some categories (denial-of-service, rate limiting, secrets already committed to disk, client-side-only checks) to keep the signal high.
  • Needs a paid Claude plan (Pro, Max, Team, or Enterprise).

Other commands worth knowing

/code-review: Broader correctness review — bugs, edge cases, logic errors. Not security-specific, but a good habit before you merge.
/review <PR>: Reviews a GitHub pull request with the same engine, no local checkout needed.
/compliance-audit: Reads your actual code to check GDPR / EU AI Act exposure — narrower than security, deeper on the legal side.