Anthropic Unveils Free Security Plugin for Claude Code Terminal to Enhance Real-Time Vulnerability Detection
Anthropic has introduced a new security-guidance plugin for its Claude Code terminal tool, designed to autonomously review code edits, model outputs, and commits in real time. This initiative aims to identify and address vulnerabilities during the development process, preventing them from reaching production environments. The plugin is available at no cost to all users across various plans, underscoring Anthropic’s commitment to integrating security measures early in the AI-assisted development workflow.
Three-Tiered Security Review Mechanism
The security-guidance plugin employs a comprehensive three-layered approach to detect potential threats at different stages of the coding session:
1. Immediate Code Edit Analysis: Upon each file modification, the plugin performs a swift, deterministic pattern match without invoking the AI model. This process flags potentially hazardous constructs such as `eval()`, `new Function()`, `os.system()`, `child_process.exec()`, `pickle` deserialization, and DOM injection vectors like `dangerouslySetInnerHTML` and `.innerHTML=`. Since this layer operates without AI inference, it incurs no additional usage costs.
2. Post-Edit Conversational Review: After each coding session, a separate Claude model reviews the complete git diff of all changes made during that session. This independent reviewer, starting with a fresh context, identifies logic-level vulnerabilities that simple pattern matching might overlook. These include issues like authorization bypasses, insecure direct object references, server-side request forgery, and weak cryptographic practices.
3. Commit and Push Analysis: When code is committed or pushed using Claude’s Bash tool, the plugin conducts an in-depth agentic review. This process examines surrounding callers, sanitizers, and related files to minimize false positives, ensuring a thorough security assessment.
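To make the first layer concrete, here is a deterministic, model-free scan of the added lines in a unified diff for the constructs listed in step 1. It is an added example, not the plugin's own code: the regexes, rule names, `scan_diff` function and sample diff are all constructed for illustration.

```python
import re
# Constructed regexes for the constructs listed in step 1 (not the plugin's own rules).
RISKY_PATTERNS = [
    ("eval", re.compile(r"(?<![\w.])eval\s*\(")),  # skips model.eval(), literal_eval()
    ("new-function", re.compile(r"\bnew\s+Function\s*\(")),
    ("os-system", re.compile(r"\bos\.system\s*\(")),
    ("child-process-exec", re.compile(r"\bchild_process\.exec\s*\(")),
    ("pickle-load", re.compile(r"\bpickle\.loads?\s*\(")),
    ("dangerously-set-inner-html", re.compile(r"\bdangerouslySetInnerHTML\b")),
    ("inner-html-assign", re.compile(r"\.innerHTML\s*\+?=(?!=)")),  # not == / ===
]
HUNK_RE = re.compile(r"^@@ -\d+(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")

def scan_diff(diff_text):
    """Return (path, new_line_no, rule, text) for each added line that matches."""
    findings, path, new_no, old_left, new_left = [], None, 0, 0, 0
    for raw in diff_text.splitlines():
        if old_left > 0 or new_left > 0:  # inside a hunk body
            if raw.startswith("+"):
                findings += [(path, new_no, rule, raw[1:].strip())
                             for rule, rx in RISKY_PATTERNS if rx.search(raw[1:])]
                new_no, new_left = new_no + 1, new_left - 1
            elif raw.startswith("-"):
                old_left -= 1
            elif not raw.startswith("\\"):  # context line, present on both sides
                new_no, old_left, new_left = new_no + 1, old_left - 1, new_left - 1
            continue
        m = HUNK_RE.match(raw)
        if m:  # an omitted count in a hunk header means 1
            old_left, new_no, new_left = int(m[1] or 1), int(m[2]), int(m[3] or 1)
        elif raw.startswith("+++ "):
            path = raw[6:] if raw.startswith("+++ b/") else raw[4:]
    return findings

# Constructed sample diff for illustration.
SAMPLE_DIFF = """\
--- a/app/handlers.py
+++ b/app/handlers.py
@@ -10,2 +10,4 @@ def load(request):
     data = request.body
-    obj = json.loads(data)
+    obj = pickle.loads(data)
+    os.system("convert " + obj["name"])
+    model.eval()
--- a/web/view.js
+++ b/web/view.js
@@ -3 +3,2 @@
 const el = document.getElementById("out");
+el.innerHTML = params.get("msg");
"""
```

Running `scan_diff(SAMPLE_DIFF)` reports the `pickle.loads`, `os.system` and `.innerHTML =` lines with their new-file line numbers, while the `model.eval()` method call and the removed `json.loads` line are not flagged.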
Internal evaluations have demonstrated that the plugin reduces security-related comments on pull requests by 30–40%, serving as an in-session companion to Claude Code’s existing pull request Code Review feature.
Integration and Customization
The plugin is powered by Claude Opus 4.7 by default for both the post-edit and commit reviews. However, developers have the flexibility to configure alternative models through the `SECURITY_REVIEW_MODEL` and `SG_AGENTIC_MODEL` environment variables.
Industry leaders have lauded this proactive approach. Executives, including J.P. Morgan’s Shalini Goyal, have emphasized the value of embedding security guidance directly into the coding session, moving away from traditional downstream review cycles.
Installation and Configuration
Installing the plugin is straightforward and can be accomplished with a single command within a Claude Code session:
```
/plugin install security-guidance@claude-plugins-official
/reload-plugins
```
Developers can further tailor the plugin’s behavior using two repository-level files:
- `.claude/claude-security-guidance.md`: Contains plain-language threat model rules provided to the model reviewers.
- `.claude/security-patterns.yaml`: Houses custom regex or substring patterns applied during the per-edit check.
Organizations can enforce the plugin across all team members by specifying it in `.claude/settings.json`. Administrators also have the capability to deploy it organization-wide through managed settings.
The plugin requires Claude Code CLI version 2.1.144 or later and Python 3.8+ on the system PATH. Upon the initial run, it creates a virtual environment to ensure seamless operation.
Conclusion
Anthropic’s release of the free security-guidance plugin for Claude Code represents a significant advancement in integrating security measures directly into the development process. By providing real-time, multi-layered vulnerability detection, the plugin empowers developers to address security concerns proactively, enhancing the overall integrity and reliability of their codebases.