Claude Code Security vulnerability scanning is one of the fastest ways to catch real-world security issues before they turn into production incidents, especially the messy ones that don’t look like classic “regex-detectable” bugs.
Anthropic announced Claude Code Security as a limited research preview on February 20, 2026, positioning it as “scan to fix” for codebases: find vulnerabilities, validate findings to reduce false positives, and propose patches for human review.
This tutorial shows you how to use it in a clean, repeatable workflow:
- Run local reviews with
/security-review - Confirm and fix issues safely
- Re-run reviews to verify
- Automate PR scanning with GitHub Actions
- Avoid common gotchas (prompt injection, runaway costs, and over-trusting “comments”)
If you want the high-level picture first (what it is, why it matters, and where it’s going), read the pillar guide: Claude Code Security: Features, Fixes & Impact.
What Claude Code Security Is
Claude Code Security is an AI-assisted security scanning capability built into Claude Code. It can review code changes (or a broader codebase context), identify likely vulnerabilities, and propose fixes for human approval.
It is good for
- Finding high-impact issues that depend on understanding flow and intent (authz mistakes, logic flaws, unsafe data handling).
- Reducing noise by validating findings (multi-stage verification is a stated goal).
- Producing actionable remediation guidance you can apply and re-check quickly.
It’s not a replacement for
- Deterministic SAST/linters (Semgrep-style pattern coverage is still valuable).
- Threat modeling, manual code review, pentesting/red teaming, or business logic testing.
- Governance. You still need human review, CI gates, and safe deployment controls.
Prerequisites (do this first)
Before you run your first scan, set up these basics so results are reliable:
1) Work in a clean Git state
- Commit or stash unrelated changes.
- Create a branch for security fixes.
This keeps /security-review output focused and makes your PR easy to review.
2) Decide your scope
Pick one of these scopes per run:
- PR/change-focused: Best for day-to-day DevSecOps. Faster, less noisy.
- Repo baseline scan (wider context): Best when onboarding a legacy repo or doing a quarterly “security hygiene” pass.
3) Make sure you can run tests locally
Claude can suggest a patch, but your test suite is what tells you if the patch is safe.
If you want an honest evaluation before deploying it in your workflow, use the review article as your “buy-in” page for teams: Claude Code Security Review.
Step 1: Install and open Claude Code in your repo
Open a terminal in your project root and start Claude Code (CLI). Claude Code is designed to work inside your repository context and can read/edit files and run commands within that environment.
If your team already uses Claude Code, this step is simply: open the repo and launch Claude Code normally.
Tip: If you’re scanning something risky (unknown code, third-party repo, or a messy monorepo), use a dedicated sandbox/dev container to avoid surprises.
Step 2: Run /security-review locally (the fastest workflow)
Anthropic’s open-source security review setup shows that Claude Code ships a /security-review command that runs security analysis in your Claude Code environment.
Run it
In Claude Code, execute:
/security-review
If your team is deciding between ecosystems (terminal-first vs GitHub-native governance), link to the comparison: Claude Code Security vs GitHub Copilot for Secure Coding.
What happens next (typical behavior)
- Claude reviews pending changes and surrounding context.
- It reports findings with severity/impact and recommended fixes.
- In many setups, it attempts validation steps to reduce false positives.
How to read the output like an AppSec reviewer
For each finding, look for:
- Exploit path (how attacker-controlled input reaches a sink)
- Impact (data exposure, auth bypass, RCE potential)
- Preconditions (roles, endpoints, config assumptions)
- Confidence level (high confidence findings first)
- Fix type (sanitize/escape, enforce authz, parameterize queries, etc.)
If the report is vague, treat it as a lead, not truth. You’ll validate next.
Step 3: Validate findings (don’t skip this)
A major mistake teams make is trusting AI output as if it were a deterministic scanner. LLM-based review can be wrong, inconsistent, or overly trusting of comments/context.
There are also known risks: security-review style workflows can be vulnerable to prompt injection through code comments or malicious PR text, which can manipulate what the model flags or ignores.
Validation checklist (quick and effective)
For each high-severity item:
- Reproduce the data flow
- Trace the input source to the sink manually.
- Confirm the vulnerable condition really exists.
- Add a minimal test
- Unit test for sanitizer behavior.
- Integration test for authz boundaries.
- Regression test for the reported exploit.
- Confirm exploitability
- Ask: can an attacker realistically reach this code path?
- Are there existing guards that actually work?
- Cross-check with one deterministic tool
- Run a linter/SAST rule set (even a small one) for coverage overlap.
- This is especially helpful for “known-bad patterns.”
Quick recap:
You ran /security-review, then treated results as hypotheses, validated them with tracing + tests + at least one deterministic cross-check. That’s how you keep speed and trust.
Step 4: Apply fixes safely (and keep them reviewable)
When you implement fixes, aim for “secure by design,” not patchy bandaids.
Common fix patterns Claude usually proposes (you should enforce)
- Parameterized queries instead of string concatenation
- Output encoding at the correct layer (template/view)
- Input validation + server-side enforcement (not just UI)
- Strict authz checks near the resource boundary (not deep in helper methods)
- Removing secrets from code + rotating keys
Use the “small PR” rule
If /security-review finds 10 issues, don’t fix 10 in one PR unless you must.
Instead:
- Fix critical/high severity first
- Keep each PR reviewable
- Re-run scans after each chunk
Step 5: Re-run /security-review to confirm the patch
After fixes:
/security-review
You want to see:
- The finding is gone
- No new issues were introduced
- Any “fix side effects” are caught early
If the issue still appears, don’t keep prompting endlessly. Go back to:
- The data flow
- The test
- The actual sink behavior
Step 6: Automate PR scanning with GitHub Actions
Claude Code supports GitHub Actions workflows so security reviews can run automatically on pull requests. Claude’s docs include a GitHub Actions setup flow and a guided install approach.
Practical automation approach (recommended)
Use automation to comment findings and block merge only on critical rules, such as:
- Secrets in code
- Obvious auth bypass
- High-confidence injection primitives
This avoids turning your CI into a “false positive machine” that devs learn to ignore.
Avoid the biggest automation trap: cost + spam
If your repo is public or receives lots of external PRs, fully automated LLM scanning can be abused (PR spam → higher bill). This risk has been called out in community discussions around LLM-based security review workflows.
Mitigations:
- Run on trusted contributors only
- Run on label trigger (e.g.,
security-review) - Run only on changed paths (backend/security-sensitive folders)
- Put budget alerts on your LLM usage
Step 7: Hardening your workflow against prompt injection
Prompt injection is not theoretical. Any scanner that “reads” natural language can be influenced by it.
What can go wrong
- A malicious PR adds comments telling the model to ignore issues.
- The model trusts developer comments as “security guarantees.”
- The model under-reports real bugs.
This is why your workflow must include:
- Human review
- Tests
- Deterministic checks
- Sensible CI gating (never auto-approve merges)
Practical defenses
- Treat comments as untrusted input
Make it a team rule: comments can explain intent, but do not “prove” safety. - Require code evidence
If the model claims “not exploitable,” ask: where is the actual guard implemented? - Run multiple passes for critical areas
Non-determinism exists in LLM tools; repeating a scan on critical changes can catch variability. - Pair with at least one deterministic SAST
Use it as a “backstop” for known classes.
Quick recap:
You now have a repeatable loop: local scan → validate → fix → re-scan, plus a safe path to automate PR reviews without turning CI into noise or cost risk.
FAQ
Is Claude Code Security vulnerability scanning enough by itself?
It’s a strong layer, but it shouldn’t be your only layer. Use it to catch logic and flow issues fast, then backstop with tests + a deterministic SAST + human review, especially for auth and data boundaries.
Should I run /security-review on every PR?
For most teams: yes, but scope it. Run on security-sensitive folders or use a label trigger to control cost and noise. GitHub automation is useful, but full automation on every external PR can be abused.
Can /security-review be tricked?
Any LLM-based scanner can be influenced by prompt injection if you trust natural language instructions in comments or PR descriptions. Treat that content as untrusted and validate findings with code evidence and tests.
What’s the best way to reduce false positives?
Run the review on smaller diffs, require tests for high-severity fixes, and cross-check critical findings with at least one deterministic tool. Anthropic explicitly positions multi-stage verification as a way to minimize false positives, but you still need engineering controls.
Disclaimer
This tutorial is for defensive secure development and code review. Always follow your organization’s policies, use human review for critical changes, and avoid treating AI outputs as guaranteed correct.