Claude Code Gets Free Security Plugin to Detect Vulnerabilities - cyberpress.org
By Lucas Martin
May 27, 2026
Categories: Cyber AI, Cyber Security News
Anthropic has launched a dedicated security-guidance plugin for its Claude Code terminal tool, enabling real-time, in-session vulnerability detection and remediation, shifting security left before code ever reaches a pull request.
The plugin is now available free to all users across all Claude plans and installs with a single command in any active Claude Code session.
It marks a significant step toward autonomous secure coding, with Claude reviewing its own edits, model outputs, and commits without requiring any separate invocation from the developer.
The security-guidance plugin operates across distinct review layers, each providing a progressively deeper level of analysis.
Free Security Plugin to Detect Vulnerabilities
On every file write, a fast, zero-cost deterministic pattern scan fires instantly, no model call required, flagging known risky constructs like eval(), os.system(), pickle deserialization, dangerouslySetInnerHTML, and edits to .github/workflows/ files that can grant repository-level permissions.
After each complete Claude response turn, a separate Claude model instance takes over to perform an end-of-turn diff review, examining the full git diff of all changes made during that turn.
This deeper model-backed pass catches logic-level issues that string matching cannot, including authorization bypasses, server-side request forgery (SSRF), insecure direct object references, injection vulnerabilities, and weak cryptography.
When Claude executes a git commit or git push through its Bash tool, an agentic review reads surrounding callers, sanitizers, and related files to verify whether a finding is genuinely dangerous before surfacing it, keeping false-positive noise low in complex codebases.
A critical architectural decision underpins the plugin’s reliability: neither the end-of-turn nor the commit review uses the same Claude instance that wrote the code.
Both run from a fresh context window with a security-focused prompt, removing any bias the writing model might carry toward its own output.
Both model-backed reviews use Claude Opus 4.7 by default, with commit reviews capped at 20 per rolling hour and end-of-turn reviews firing at most 3 consecutive times before returning control to the developer.
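The review-budget rules described above (a rolling-hour cap on commit reviews, a cap on consecutive end-of-turn reviews, and a fresh context for every review so the reviewer never inherits the writing model's conversation) can be modelled in a few dozen lines. The following is an added example written for this article, not code from the plugin or from Anthropic; the class name `ReviewScheduler`, the prompt text, and the shape of the review context are assumptions, while the numeric limits are the ones the article states.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Optional

COMMIT_REVIEWS_PER_HOUR = 20      # cap stated in the article
MAX_CONSECUTIVE_TURN_REVIEWS = 3  # cap stated in the article
WINDOW_SECONDS = 3600

# Assumed wording: the plugin's real security prompt is not reproduced on the page.
SECURITY_REVIEW_PROMPT = (
    "You are a security reviewer. Examine only the diff below for authorization "
    "bypasses, SSRF, insecure direct object references, injection and weak cryptography."
)


def fresh_review_context(diff: str, kind: str) -> dict:
    """Build a brand-new context for a reviewer model instance.

    It carries only the security prompt and the diff, none of the writing
    model's conversation, so the reviewer cannot be biased toward that output.
    """
    return {
        "kind": kind,
        "system": SECURITY_REVIEW_PROMPT,
        "messages": [{"role": "user", "content": diff}],
    }


@dataclass
class ReviewScheduler:
    """Decides whether a model-backed review may run right now (hypothetical design)."""

    commit_reviews: Deque[float] = field(default_factory=deque)  # timestamps, seconds
    consecutive_turn_reviews: int = 0

    def _prune(self, now: float) -> None:
        # Drop commit-review timestamps that have fallen out of the rolling hour.
        while self.commit_reviews and now - self.commit_reviews[0] >= WINDOW_SECONDS:
            self.commit_reviews.popleft()

    def commit_review_allowed(self, now: float) -> bool:
        self._prune(now)
        return len(self.commit_reviews) < COMMIT_REVIEWS_PER_HOUR

    def request_commit_review(self, now: float, diff: str) -> Optional[dict]:
        """Return a fresh review context, or None if the budget is spent or the diff is empty."""
        if not diff.strip():
            return None  # nothing to review: do not spend budget on an empty diff
        if not self.commit_review_allowed(now):
            return None
        self.commit_reviews.append(now)
        return fresh_review_context(diff, kind="commit")

    def request_turn_review(self, diff: str) -> Optional[dict]:
        """End-of-turn reviews fire at most MAX_CONSECUTIVE_TURN_REVIEWS times in a row."""
        if not diff.strip():
            return None
        if self.consecutive_turn_reviews >= MAX_CONSECUTIVE_TURN_REVIEWS:
            return None
        self.consecutive_turn_reviews += 1
        return fresh_review_context(diff, kind="end-of-turn")

    def developer_took_control(self) -> None:
        """Called when control returns to the developer; resets the consecutive counter."""
        self.consecutive_turn_reviews = 0


def simulate_commit_burst(count: int, spacing_seconds: float) -> int:
    """Constructed scenario: `count` commits spaced evenly; returns how many got reviewed."""
    scheduler = ReviewScheduler()
    granted = 0
    for i in range(count):
        if scheduler.request_commit_review(i * spacing_seconds, "diff --git a/x b/x") is not None:
            granted += 1
    return granted


if __name__ == "__main__":
    print("25 commits in one minute, reviews granted:", simulate_commit_burst(25, 2.0))
```

The scheduler is the part a team would most likely want to reason about when sizing its own review budget: a burst of 25 commits within a minute gets exactly 20 reviews, and the 21st is granted again only once the oldest timestamp has aged out of the window.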
Developers install the plugin directly inside a Claude Code session via /plugin install security-guidance@claude-plugins-official, followed by /reload-plugins to activate it without a restart.
We've shipped a security-guidance plugin for Claude Code that helps identify and fix vulnerabilities as you're writing code. Available for all Claude Code users. Install from the plugin marketplace (/plugins).
— ClaudeDevs (@ClaudeDevs) May 26, 2026
The prerequisites are Claude Code CLI version 2.1.144 or later and Python 3.8+ on the system PATH.
For cloud sessions or shared repositories, teams can enable the plugin for every contributor by committing an enabledPlugins key to .claude/settings.json, and administrators can deploy it organization-wide through managed settings.
Teams extend the plugin through two repo-level configuration files without touching the built-in ruleset.
A .claude/claude-security-guidance.md file accepts plain-language threat model descriptions loaded as additional context by model-backed reviewers, while .claude/security-patterns.yaml adds custom regex or substring rules to the per-edit scan, supporting glob-based path scoping and up to 50 custom rules per project.
Built-in patterns cannot be suppressed through these files, according to Claude, preserving a baseline security posture even in heavily customized environments.
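The per-edit deterministic scan and its extension points (built-in patterns for eval(), os.system(), pickle deserialization, dangerouslySetInnerHTML and any edit under .github/workflows/; custom regex or substring rules with glob path scoping; a 50-rule cap; no suppression of built-ins) can be illustrated with a small scanner. The code below is an added example written for this article, not the plugin's own implementation, and the rule schema it reads (dict keys `id`, `pattern`, `substring`, `paths`, `message`, `disable`) is a hypothetical stand-in for the real `security-patterns.yaml` format, whose keys the article does not document. The sample edits it scans are constructed.

```python
import fnmatch
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

MAX_CUSTOM_RULES = 50  # per-project cap stated in the article

# Baseline rules mirroring the constructs the article lists. A rule with neither
# "pattern" nor "substring" fires on any edit inside its path scope.
BUILTIN_RULES = [
    {"id": "py-eval", "pattern": r"\beval\s*\(", "paths": ["*.py"],
     "message": "eval() executes arbitrary code"},
    {"id": "py-os-system", "pattern": r"\bos\.system\s*\(", "paths": ["*.py"],
     "message": "os.system() runs a shell command"},
    {"id": "py-pickle", "pattern": r"\bpickle\.loads?\s*\(", "paths": ["*.py"],
     "message": "pickle deserialization of untrusted data"},
    {"id": "react-dangerous-html", "substring": "dangerouslySetInnerHTML",
     "paths": ["*.js", "*.jsx", "*.ts", "*.tsx"],
     "message": "raw HTML injected into the DOM"},
    {"id": "gha-workflow-edit", "paths": [".github/workflows/*"],
     "message": "workflow edits can change repository-level permissions"},
]


@dataclass(frozen=True)
class Finding:
    rule_id: str
    path: str
    line: int  # 0 when the rule fires on the edit itself rather than on a line
    message: str


def _in_scope(path: str, globs: Iterable[str]) -> bool:
    globs = list(globs)
    return not globs or any(fnmatch.fnmatch(path, g) for g in globs)


def _compile(rule: dict) -> Optional[re.Pattern]:
    if "substring" in rule:
        return re.compile(re.escape(rule["substring"]))
    if "pattern" in rule:
        return re.compile(rule["pattern"])
    return None


def load_custom_rules(custom: List[dict]) -> List[dict]:
    """Validate project-supplied rules (hypothetical schema).

    Built-in ids cannot be overridden, a "disable" key is ignored, malformed or
    uncompilable rules are dropped, and only the first MAX_CUSTOM_RULES survive.
    """
    builtin_ids = {r["id"] for r in BUILTIN_RULES}
    accepted = []
    for rule in custom:
        if rule.get("id") in builtin_ids or "disable" in rule:
            continue  # attempts to suppress the baseline are silently ignored
        if "pattern" not in rule and "substring" not in rule:
            continue
        try:
            _compile(rule)
        except re.error:
            continue  # a broken regex must not take the whole scan down
        accepted.append(rule)
        if len(accepted) == MAX_CUSTOM_RULES:
            break
    return accepted


def scan_edit(path: str, content: str, custom_rules: Iterable[dict] = ()) -> List[Finding]:
    """Deterministic, model-free scan of one written file; built-ins always run."""
    findings: List[Finding] = []
    for rule in list(BUILTIN_RULES) + list(custom_rules):
        if not _in_scope(path, rule.get("paths", [])):
            continue
        rx = _compile(rule)
        if rx is None:
            findings.append(Finding(rule["id"], path, 0, rule["message"]))
            continue
        for lineno, line in enumerate(content.splitlines(), start=1):
            if rx.search(line):
                findings.append(Finding(rule["id"], path, lineno, rule["message"]))
    return findings


# Constructed sample edits, not taken from any real repository.
SAMPLE_EDITS: Dict[str, str] = {
    "src/app.py": "import os\nimport pickle\n\ndef run(cmd):\n    os.system(cmd)\n\n"
                  "def load(b):\n    return pickle.loads(b)\n",
    "web/View.jsx": "const v = <div dangerouslySetInnerHTML={{__html: html}} />;\n",
    ".github/workflows/ci.yml": "permissions: write-all\n",
    "README.md": "Do not call eval() on user input.\n",  # prose, out of scope for *.py rules
    "config.py": "API_KEY = 'constructed-placeholder'\n",
}

CUSTOM_RULES = load_custom_rules([
    {"id": "no-hardcoded-key", "pattern": r"""(?i)api[_-]?key\s*=\s*['"]""",
     "paths": ["*.py"], "message": "hard-coded credential"},
    {"id": "py-eval", "substring": "never", "message": "attempt to override a built-in"},
    {"id": "bad-regex", "pattern": "(", "message": "would not compile"},
])


def scan_all(edits: Dict[str, str], custom_rules: Iterable[dict] = CUSTOM_RULES) -> Dict[str, List[Finding]]:
    return {path: scan_edit(path, content, custom_rules) for path, content in edits.items()}


if __name__ == "__main__":
    for path, found in scan_all(SAMPLE_EDITS).items():
        print(path, [(f.rule_id, f.line) for f in found])
```

Two behaviours worth noticing when run: `README.md` produces no finding even though it contains the literal `eval()`, because path scoping keeps the Python rule off prose files, and the custom entry reusing the built-in id `py-eval` is dropped on load rather than replacing the baseline rule.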
Internal testing showed security comments on pull requests dropping by 30–40% following the plugin’s introduction, validating its design goal of intercepting vulnerabilities before they surface in downstream code review workflows.
The open-sourced reference repository at anthropics/claude-code-security-review demonstrates agents autonomously hunting and patching issues, pointing toward a future where secure-by-default AI-assisted coding becomes the standard.
Industry leaders have praised the shift toward embedding security guidance at the point of code creation rather than catching issues after the fact.
Lucas Martin (https://cyberpress.org/)
Lucas Martin is an Investigative cybersecurity journalist dedicated to breaking stories on ransomware cartels, data breaches, and state-sponsored espionage.