explaingit

anthropics/claude-code-security-review

Analysis updated 2026-06-26

4,588PythonAudience · developerComplexity · 2/5Setup · easy

TLDR

A GitHub Action by Anthropic that uses Claude AI to automatically review pull requests for security vulnerabilities and post inline comments on risky code.

Mindmap

mindmap
  root((claude-code-security-review))
    What it does
      AI security review on PRs
      Inline vulnerability comments
      Context-aware analysis
    Issues detected
      SQL injection
      Hardcoded secrets
      XSS and auth flaws
      Weak encryption
    Setup
      GitHub Actions workflow
      Anthropic API key secret
      YAML config snippet
    Features
      Model selection
      Directory exclusions
      Custom instructions
      Local slash command
    Caveats
      Prompt injection risk
      Require maintainer approval
Click or tap to explore — scroll the page freely

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Add automated AI security review to any GitHub repo so every pull request gets checked for SQL injection, XSS, hardcoded secrets, and other vulnerabilities.

USE CASE 2

Replace or supplement pattern-based static analysis with AI-powered code review that understands what the code actually does in context.

USE CASE 3

Run the security scan locally as a Claude Code slash command to catch issues before even creating a pull request.

USE CASE 4

Tune the scanner with custom instructions to match your project's specific security policies and acceptable risk profile.

What is it built with?

PythonGitHub ActionsClaude API

How does it compare?

anthropics/claude-code-security-reviewhephaest0s/usbkillinteguru-ai/integuru
Stars4,5884,5884,587
LanguagePythonPythonPython
Setup difficultyeasyeasymoderate
Complexity2/51/53/5
Audiencedeveloperops devopsdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · easy Time to first run · 5min

Requires an Anthropic API key stored as a GitHub secret, paste one YAML snippet into your workflow and it's live.

Anthropic open-source project, check repository for exact license terms.

In plain English

This repository contains a GitHub Action built by Anthropic that automatically reviews pull requests for security problems using Claude, Anthropic's AI model. When a developer opens a pull request, the action runs Claude against the changed code and posts comments directly on the lines where it finds potential vulnerabilities. The tool focuses on a wide range of security issues: SQL injection, command injection, hardcoded secrets, authentication flaws, weak encryption, cross-site scripting, insecure configuration, and more. Unlike traditional security scanning tools that look for known patterns, this tool uses AI to understand what the code is actually doing in context, which the README says reduces false positives compared to pattern-only approaches. Setting it up requires adding a workflow file to your repository's GitHub Actions configuration and providing an Anthropic API key as a secret. The README includes a short YAML snippet showing exactly what to paste. Configuration options let you choose which Claude model to use, set a timeout, exclude directories from scanning, and provide custom instructions to tune what counts as a finding for your specific project. There is an important security caveat in the README: the action is not hardened against prompt injection, meaning a malicious contributor could potentially craft code or comments designed to manipulate the AI's output. Anthropic recommends configuring your repository to require maintainer approval before running workflows from external contributors. Beyond the GitHub Action, the same security analysis is also available as a slash command inside the Claude Code development tool, where running it locally checks all pending changes before they are even submitted as a pull request. The repository also includes an evaluation framework for testing the scanner against specific pull requests during local development.

Copy-paste prompts

Prompt 1
I want to add AI security review to my GitHub repo. Show me the exact GitHub Actions YAML workflow file to add, and where to store the ANTHROPIC_API_KEY secret.
Prompt 2
My team wants to exclude the tests/ directory and the docs/ folder from the claude-code-security-review action. Show me how to configure the exclusions in the workflow YAML.
Prompt 3
I'm setting up claude-code-security-review in a public repo with external contributors. What GitHub repository settings do I need to configure to prevent prompt injection attacks from malicious PRs?
Prompt 4
Show me how to write a custom instruction for the claude-code-security-review action that tells it to flag any use of MD5 or SHA1 for password hashing as a critical finding.
Prompt 5
I want to test the security scanner locally against a specific pull request before deploying it. Walk me through using the included evaluation framework from the command line.

Frequently asked questions

What is claude-code-security-review?

A GitHub Action by Anthropic that uses Claude AI to automatically review pull requests for security vulnerabilities and post inline comments on risky code.

What language is claude-code-security-review written in?

Mainly Python. The stack also includes Python, GitHub Actions, Claude API.

What license does claude-code-security-review use?

Anthropic open-source project, check repository for exact license terms.

How hard is claude-code-security-review to set up?

Setup difficulty is rated easy, with roughly 5min to a first successful run.

Who is claude-code-security-review for?

Mainly developer.

Open on GitHub → Explain another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.