Anthropic has launched a security-guidance plugin for Claude Code that reviews code changes for common vulnerabilities and helps Claude identify and fix issues within the same development session.

The company says the plugin is designed to catch issues such as injection flaws, unsafe deserialization, and insecure DOM APIs before code reaches a pull request, reducing the amount of manual security review needed later in the development process.
Once installed, the plugin runs automatically during development sessions, without requiring developers to launch separate tools or remember additional commands.
Three security review stages
The plugin operates through three review stages integrated into the coding workflow. Each stage targets a different class of security issue, from unsafe function usage to deeper logic flaws.
The first layer runs during file edits and performs lightweight pattern checks without calling a model. It looks for dangerous constructs and commonly abused APIs, including functions such as eval(), new Function(), os.system(), and child_process.exec().
The checks also target unsafe deserialization methods and browser injection patterns tied to dangerouslySetInnerHTML and .innerHTML= usage.
A second review stage triggers after each model turn. At this point, Claude analyzes the full git diff generated during the session to identify vulnerabilities that pattern matching may miss.
The documentation says this review can identify problems involving authorization bypass, insecure direct object references, injection flaws, server-side request forgery, and weak cryptography.
The deepest review runs when Claude performs commits or pushes through its Bash tool. During this stage, the system examines surrounding files, sanitizers, and related code paths to validate findings and reduce false positives.
Developers can extend all three review layers with custom rules and repository-specific security checks.
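As an added example for this page (not the plugin's source and not code from Anthropic), here is what a model-free pattern check of the kind described for the first layer, together with the custom-rule extension point mentioned above, could look like in Python, the language the plugin itself requires. The rule ids, the regexes, the choice of pickle and yaml.load as stand-ins for "unsafe deserialization methods", and the scan_text/scan_files names are all assumptions made here; the sample files are constructed for the demonstration.

```python
# Added example, not the plugin's code. Illustrates a lightweight, model-free
# pattern check over file contents plus a hook for repository-specific rules.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# rule id -> (construct it flags, regex source). Deliberately broad: a first
# pass like this favours recall; later, context-aware review is what validates
# findings and removes false positives.
DEFAULT_RULES: Dict[str, Tuple[str, str]] = {
    "eval": ("eval()", r"\beval\s*\("),
    "new-function": ("new Function()", r"\bnew\s+Function\s*\("),
    "os-system": ("os.system()", r"\bos\.system\s*\("),
    # Also catches a destructured `exec(cmd)` from require("child_process").
    "exec": ("child_process.exec()", r"\b(?:child_process\.)?exec(?:Sync)?\s*\("),
    # Deserialization sinks chosen for this example (assumption, not from the page).
    "pickle": ("pickle.load()/loads()", r"\bpickle\.loads?\s*\("),
    "yaml-load": ("yaml.load() without SafeLoader", r"\byaml\.load\s*\((?![^)]*SafeLoader)"),
    "dangerously-set-inner-html": ("dangerouslySetInnerHTML", r"dangerouslySetInnerHTML"),
    # Assignment only: `el.innerHTML = x` is flagged, `el.innerHTML === ""` is not.
    "innerhtml-assign": (".innerHTML=", r"\.innerHTML\s*=(?!=)"),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    construct: str
    snippet: str


def scan_text(path: str, text: str,
              rules: Optional[Dict[str, Tuple[str, str]]] = None) -> List[Finding]:
    """Scan one file's text; custom rules are merged over the defaults."""
    merged = {**DEFAULT_RULES, **(rules or {})}
    compiled = {rid: (construct, re.compile(src)) for rid, (construct, src) in merged.items()}
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith(("//", "#", "*")):  # skip obvious comment lines
            continue
        for rid, (construct, pattern) in compiled.items():
            if pattern.search(line):
                findings.append(Finding(path, lineno, rid, construct, stripped))
    return findings


def scan_files(files: Dict[str, str],
               rules: Optional[Dict[str, Tuple[str, str]]] = None) -> List[Finding]:
    """Scan a mapping of path -> content, e.g. the files touched by an edit."""
    out: List[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text, rules))
    return out


# Constructed sample inputs for the demonstration.
SAMPLE_JS = """\
const { exec } = require("child_process");
function run(cmd) { exec(cmd); }          // command injection sink
function render(el, html) { el.innerHTML = html; }
const isEmpty = el.innerHTML === "";      // comparison, not assignment
const f = new Function("return " + userInput);
"""

SAMPLE_PY = """\
import os, pickle
def handler(payload):
    os.system("convert " + payload["name"])
    return pickle.loads(payload["blob"])
"""

# Hypothetical repository-specific rule added on top of the defaults.
REPO_RULES = {"weak-md5": ("hashlib.md5()", r"\bhashlib\.md5\s*\(")}

if __name__ == "__main__":
    for f in scan_files({"src/app.js": SAMPLE_JS, "handler.py": SAMPLE_PY}, REPO_RULES):
        print(f"{f.path}:{f.line}: [{f.rule}] {f.construct}: {f.snippet}")
```

On the two constructed files this reports five findings (exec, the innerHTML assignment and new Function in the JavaScript; os.system and pickle.loads in the Python) and stays silent on the `===` comparison and on comment lines. Because it runs per edit without a model call, it is cheap enough to be noisy; the point of the later, context-aware stages is to confirm which of these hits are real.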
Anthropic also noted that it has been using the plugin internally.
"During our internal rollout and benchmarks, we've seen a 30–40% decrease in security-related comments on PRs opened using the plugin. The plugin serves as a lightweight first pass, catching issues before a full code review," the company said.
Availability and requirements
The plugin is free for all users and available on all plans. The instant pattern checks run without model calls and do not add usage costs. The deeper reviews draw on the same Claude usage budget as normal requests.
The plugin requires Claude Code version 2.1.144 or later and Python 3.8 or newer. The deeper review stages work only inside git repositories, while the lightweight pattern checks can run in any directory.