Anthropic Ships security-guidance Plugin for Claude Code: Three-Layer Reviews That Cut PR Security Comments by 30-40%


ZenChAIne
Claude Code · AI Security · Plugin

Introduction

Anthropic released the official Claude Code plugin security-guidance on May 27, 2026 (PC Watch coverage; the @ClaudeDevs X thread went live on May 26). The plugin makes Claude review its own code as it writes, then fix the findings inside the same session.

The shift is from "PR opens → a human reviews for security" to "catch it in the loop, before it ever reaches the PR". Anthropic's internal rollout reports a 30–40% reduction in security-related PR comments on changes opened with the plugin.

Key Takeaways

  • Official Claude Code plugin, available to all users for free. Install with /plugin install security-guidance@claude-plugins-official
  • Three review layers: ① per-edit pattern match (no model cost) → ② end-of-turn diff review (model call) → ③ agentic commit review (reads surrounding code)
  • ① catches eval, pickle, dangerouslySetInnerHTML, .github/workflows/ edits, and similar deterministic risk patterns
  • ② catches authorization bypass, IDOR, injection, SSRF, weak cryptography — issues a regex cannot see
  • ③ reads callers and sanitizers to keep false positives down
  • Extend with .claude/claude-security-guidance.md (markdown guidance) and .claude/security-patterns.yaml (regex/substring rules)
  • All plans, free; Anthropic internal: 30–40% drop in security-related PR comments

What is the security-guidance Plugin?

security-guidance reviews the code Claude writes at three lifecycle points and feeds findings back so Claude fixes them in the same session. It is published in the official marketplace (claude-plugins-official) and discoverable via the /plugins command.

Anthropic positions it as one layer in a defense-in-depth stack:

| Stage | Tool | What it covers |
|---|---|---|
| In session | security-guidance plugin (this article) | Common vulnerabilities in code Claude writes, fixed in the same session |
| On demand | /security-review | One-time security pass on the current branch |
| On PR | Code Review (Team / Enterprise plans) | Multi-agent correctness + security review |
| In CI | Existing SAST and dependency scanners | Language-specific rules, supply-chain checks |

The plugin's job is to reduce the volume that reaches the later stages, not to replace them.

The Three Review Layers

The plugin runs on Claude Code's hooks system, attached at three lifecycle points with different depths.

① On each file edit — per-edit pattern match (free)

After Claude writes to a file via Edit / Write / NotebookEdit, the plugin scans the new content using deterministic regex/substring matches with no model call. Zero cost.

Built-in pattern categories:

  • Dynamic code execution: eval(, new Function, os.system, child_process.exec
  • Unsafe deserialization: pickle
  • DOM injection: dangerouslySetInnerHTML, .innerHTML =, document.write
  • Workflow files: edits under .github/workflows/ (these can grant repository-level permissions)

A match is appended to Claude's next-step context. Each warning fires once per pattern per file per session, so repeat matches don't flood the conversation.

② At the end of each turn — end-of-turn diff review

When Claude finishes a turn, the plugin computes a git diff of everything that changed in the working tree during that turn — including Claude's edit tools, Bash commands, and subagent work — and sends it to a separate Claude instance for a security-focused review.

The review runs in the background so Claude's reply is not delayed. If issues are found, Claude is re-prompted and addresses them as a follow-up.

This layer catches problems a string match cannot:

  • Authorization bypass and Insecure Direct Object References (IDOR)
  • Injection and Server-Side Request Forgery (SSRF)
  • Weak cryptography

Limits: up to 30 changed files per turn, at most three consecutive reviews before control returns to you.
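To make the end-of-turn step concrete, here is an added Python illustration (my own code, not the plugin's, whose implementation is not shown on this page) of the two mechanical parts of that layer: splitting a per-turn `git diff` into per-file pieces and applying the two limits the article states, 30 changed files per turn and three consecutive reviews. The sample diff is constructed; the assumption that the cap keeps the first 30 files in diff order is mine.

```python
import re
from typing import Dict, List, Tuple

MAX_FILES_PER_TURN = 30       # per-turn file cap stated in the article
MAX_CONSECUTIVE_REVIEWS = 3   # re-prompt limit stated in the article

_FILE_HEADER = re.compile(r"^diff --git a/(\S+) b/(\S+)$", re.MULTILINE)


def split_diff(diff_text: str) -> Dict[str, str]:
    """Split a unified `git diff` into {path: that file's diff text}, in diff order."""
    files: Dict[str, str] = {}
    headers = list(_FILE_HEADER.finditer(diff_text))
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(diff_text)
        files[m.group(2)] = diff_text[m.start():end]
    return files


def select_for_review(files: Dict[str, str], cap: int = MAX_FILES_PER_TURN) -> Tuple[Dict[str, str], List[str]]:
    """Apply the file cap; returns (files sent to the reviewer, files dropped).
    Assumption for this illustration: the first `cap` files in diff order are kept."""
    names = list(files)
    return {n: files[n] for n in names[:cap]}, names[cap:]


def added_lines(file_diff: str) -> List[str]:
    """Lines this turn introduced in one file (the '+++' header excluded)."""
    return [ln[1:] for ln in file_diff.splitlines()
            if ln.startswith("+") and not ln.startswith("+++")]


class ReviewBudget:
    """Counts consecutive reviews in one re-prompt chain; a clean turn resets it."""

    def __init__(self, limit: int = MAX_CONSECUTIVE_REVIEWS):
        self.limit = limit
        self.consecutive = 0

    def allow(self) -> bool:
        if self.consecutive >= self.limit:
            return False          # control returns to the user
        self.consecutive += 1
        return True

    def reset(self) -> None:
        self.consecutive = 0


# Constructed sample diff: two files changed in one turn.
SAMPLE_DIFF = """diff --git a/app/auth.py b/app/auth.py
index 1111111..2222222 100644
--- a/app/auth.py
+++ b/app/auth.py
@@ -10,3 +10,4 @@ def login(user, token):
-    if token == stored:
+    if hmac.compare_digest(token, stored):
         return session_for(user)
+    audit.log("login_failed", user_id=user.id)
diff --git a/app/views.py b/app/views.py
index 3333333..4444444 100644
--- a/app/views.py
+++ b/app/views.py
@@ -1,2 +1,3 @@
 from app.models import Document
+doc = Document.objects.get(id=request.GET["id"])
"""

if __name__ == "__main__":
    files = split_diff(SAMPLE_DIFF)
    kept, dropped = select_for_review(files)
    for path, body in kept.items():
        print(path, "->", added_lines(body))
    print("dropped by cap:", dropped)
```

The second file's added line is the kind of object lookup without an ownership check that the model-backed review is meant to question; nothing in a string match distinguishes it from a safe query, which is why the diff rather than the edit is what this layer sends for review.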

③ On each commit or push — agentic review

When Claude runs git commit or git push via its Bash tool, the plugin runs a deeper agentic review that reads surrounding code (callers, sanitizers, related files). The added context drops false positives on patterns that look risky in isolation but are safe in your code.

Notes:

  • Only fires on commits/pushes Claude makes via its Bash tool. Commits you run from your own shell, including the ! shell escape inside a session, are not reviewed.
  • Capped at 20 reviews per rolling hour
  • If findings duplicate the end-of-turn review, Claude is not re-prompted, so a clean commit produces no output
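The difference between the per-edit string match and the context-reading commit review is easiest to see on a concrete case. The following is an added Python illustration, my own code and not the plugin's (whose analysis is not published on this page): a regex flags every `os.system` / `subprocess` call it sees, while an AST walk that looks at the argument clears calls whose command is a string literal and keeps those built from variables or f-strings. The rule "a literal command is safe, anything else needs a look" is an assumption chosen for the illustration, and the sample source is constructed.

```python
import ast
import re
from typing import List, Tuple

# Layer-①-style check: a bare pattern match with no notion of context.
PATTERN_RULE = re.compile(r"\bos\.system\(|\bsubprocess\.\w+\(")


def regex_findings(source: str) -> List[int]:
    """1-based line numbers where the bare pattern matches."""
    return [i for i, line in enumerate(source.splitlines(), start=1)
            if PATTERN_RULE.search(line)]


def _is_static_string(node: ast.AST) -> bool:
    """True when the argument is a string literal or a '+' chain of literals."""
    if isinstance(node, ast.Constant):
        return isinstance(node.value, str)
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return _is_static_string(node.left) and _is_static_string(node.right)
    return False


def _is_shell_call(call: ast.Call) -> bool:
    """os.system(...) always goes through a shell; subprocess.* only with shell=True."""
    func = call.func
    if not (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)):
        return False
    if func.value.id == "os" and func.attr == "system":
        return True
    if func.value.id == "subprocess":
        return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                   and kw.value.value is True for kw in call.keywords)
    return False


def contextual_findings(source: str) -> List[Tuple[int, str]]:
    """Layer-③-style check: keep only shell calls whose command is not a static literal."""
    findings: List[Tuple[int, str]] = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and _is_shell_call(node) and node.args:
            cmd = node.args[0]
            if not _is_static_string(cmd):
                findings.append((node.lineno, ast.unparse(cmd)))
    return findings


# Constructed sample: four process-spawning lines, two of which merit a reviewer's time.
SAMPLE = '''import os, subprocess
os.system("git status")
os.system(f"git checkout {branch}")
subprocess.run(["ls", user_dir])
subprocess.run("ls " + user_dir, shell=True)
'''

if __name__ == "__main__":
    print("regex flags lines:", regex_findings(SAMPLE))
    print("context-aware flags:", contextual_findings(SAMPLE))
```

The regex fires on all four calls; the AST pass drops the literal `git status` and the list-form `subprocess.run` (no shell involved) and keeps the f-string and the concatenated command. That is the false-positive reduction the commit review buys by reading surrounding code, at the price of a model call that the per-edit layer deliberately avoids.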

Review independence

The per-edit layer is a deterministic string match — no model involved. The end-of-turn and commit reviews run as separate Claude calls with a fresh context and a security-focused prompt: the reviewer starts from the diff, has no investment in the original approach, and is told only to find problems.

None of the three layers block writes or commits. Findings reach Claude as instructions, and Claude addresses them in the conversation. The review model can still miss issues — treat the plugin as one layer of defense in depth, not a complete solution.

Install and Enable

Prerequisites

  • Claude Code CLI 2.1.144 or later
  • Python 3.8+ on PATH (the plugin tries python3, python, py -3 in that order)
  • A git repository for your working directory (the end-of-turn and commit reviews require git state; per-edit works anywhere)
  • On first run the plugin creates a venv under ~/.claude/security/ and installs the Claude Agent SDK (needs pip and network). If install fails, the commit review falls back to single-shot mode
  • On Windows the venv step is skipped, so the agentic commit review only runs if claude-agent-sdk is already importable

Install command

In a Claude Code session:

```bash
/plugin install security-guidance@claude-plugins-official
```

Pick user scope at the prompt to load the plugin in every session on this machine. If Claude Code reports the marketplace is missing, add it first:

```bash
/plugin marketplace add anthropics/claude-plugins-official
```

Then activate it in the current session without restarting:

```bash
/reload-plugins
```

Enable in cloud sessions and shared repositories

User-scoped plugins do not carry into Claude Code on the web. To enable for the team or in cloud sessions, declare it in checked-in settings:

```json
{
  "enabledPlugins": {
    "security-guidance@claude-plugins-official": true
  }
}
```

Administrators can roll the plugin out organization-wide via managed settings.

Adding Your Own Rules

The plugin has two extension points. Built-in checks cannot be removed individually, but you can add your own.

Guidance for model-backed reviews (.md)

Drop .claude/claude-security-guidance.md in your project and describe the threat model and review checklist in plain language. Both the end-of-turn and commit reviews load it alongside the built-in checklist.

```markdown
# Security guidance for this repo

- Do not log `customer_id` or `account_number` at INFO level or above.
- All routes under `/admin` must call `require_role("admin")` before any database read.
- Use `crypto.timingSafeEqual` for token comparison instead of `===`.
```

Lookup locations (loaded and concatenated, 8 KB combined cap):

| Scope | Path | Notes |
|---|---|---|
| User | ~/.claude/claude-security-guidance.md | Applies to every project on this machine |
| Project | .claude/claude-security-guidance.md | Checked into the repository |
| Project local | .claude/claude-security-guidance.local.md | Gitignored, for personal overrides |

Administrators can ship the user-scope file via MDM for organization-wide rules.

Per-edit pattern rules (.yaml)

Add .claude/security-patterns.yaml (also .yml or .json) for regex/substring rules that run alongside the built-in patterns:

```yaml
patterns:
  - rule_name: internal_api_key
    substrings: ["sk_live_", "AKIA"]
    reminder: "Hardcoded API key prefix. Load credentials from the secret manager."
  - rule_name: tenant_unfiltered_query
    regex: "\\.objects\\.all\\(\\)"
    paths: ["**/src/tenants/**"]
    reminder: "Multi-tenant code must filter by org_id."
```

Schema highlights:

| Field | Type | Description |
|---|---|---|
| rule_name | string | Identifier shown in the warning |
| reminder | string | Warning text appended to Claude's context (1 KB cap) |
| regex | string | Python regex against the edited content |
| substrings | list | Literal substrings (provide regex or substrings) |
| paths | list | Globs limiting matched files (prefix project-relative globs with **/) |
| exclude_paths | list | Globs to skip |

Up to 50 custom rules; regexes prone to catastrophic backtracking are silently skipped. YAML requires PyYAML; the JSON form works on any Python install.
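The per-edit layer described earlier and the custom-rule schema above are both just deterministic matching over the edited file, so one added example covers both. The code below is my own illustration, not the plugin's implementation (which this page does not show): it loads a rule file in the JSON form (no PyYAML needed), drops rules whose regex does not compile, applies the 50-rule and 1 KB caps, matches `paths` / `exclude_paths` globs, runs the built-in categories the article lists plus the custom rules against each edit, and fires each rule once per file per session. Assumptions: globs are matched against the absolute file path (which is why the article says to prefix project-relative globs with `**/`), the 1 KB cap is approximated as 1024 characters, the built-in list is the subset named in the article, and the rule file contents are constructed.

```python
import fnmatch
import json
import re
from typing import List, Set, Tuple

MAX_CUSTOM_RULES = 50
REMINDER_CAP = 1024  # 1 KB cap on reminder text, approximated as characters here

# Built-in categories as listed in the article (illustrative subset, not the plugin's full list).
BUILTIN_RULES = [
    {"rule_name": "dynamic_code_execution",
     "substrings": ["eval(", "new Function", "os.system", "child_process.exec"],
     "reminder": "Dynamic code execution. Confirm the input cannot be attacker-controlled."},
    {"rule_name": "unsafe_deserialization", "substrings": ["pickle"],
     "reminder": "pickle rebuilds arbitrary objects. Use a data-only format for untrusted input."},
    {"rule_name": "dom_injection",
     "substrings": ["dangerouslySetInnerHTML", ".innerHTML =", "document.write"],
     "reminder": "Raw HTML sink. Escape or sanitize before inserting into the DOM."},
    {"rule_name": "workflow_edit", "regex": ".", "paths": ["**/.github/workflows/**"],
     "reminder": "Workflow files can grant repository-level permissions; review permissions and secret use."},
]

# Constructed rule file in the JSON form; mirrors the YAML above plus one deliberately bad regex.
CUSTOM_RULES_JSON = r'''
{"patterns": [
  {"rule_name": "internal_api_key", "substrings": ["sk_live_", "AKIA"],
   "reminder": "Hardcoded API key prefix. Load credentials from the secret manager."},
  {"rule_name": "tenant_unfiltered_query", "regex": "\\.objects\\.all\\(\\)",
   "paths": ["**/src/tenants/**"],
   "reminder": "Multi-tenant code must filter by org_id."},
  {"rule_name": "broken_regex", "regex": "(unclosed", "reminder": "never loads"}
]}
'''


def load_rules(text: str) -> List[dict]:
    """Parse the JSON rule file; skip rules whose regex fails to compile; cap at 50."""
    rules = []
    for rule in json.loads(text).get("patterns", []):
        if "regex" in rule:
            try:
                rule["_compiled"] = re.compile(rule["regex"])
            except re.error:
                continue  # unusable regex: skipped, as the article says the plugin does
        rules.append(rule)
    return rules[:MAX_CUSTOM_RULES]


def _path_selected(path: str, rule: dict) -> bool:
    """paths= restricts, exclude_paths= removes; globs are matched on the absolute path (assumption)."""
    include = rule.get("paths")
    if include and not any(fnmatch.fnmatchcase(path, g) for g in include):
        return False
    return not any(fnmatch.fnmatchcase(path, g) for g in rule.get("exclude_paths", []))


def _content_matches(content: str, rule: dict) -> bool:
    if "_compiled" not in rule and "regex" in rule:
        rule["_compiled"] = re.compile(rule["regex"])
    if rule.get("_compiled") is not None and rule["_compiled"].search(content):
        return True
    return any(s in content for s in rule.get("substrings", []))


class EditScanner:
    """Per-edit scanner: built-ins plus custom rules, each firing once per file per session."""

    def __init__(self, custom_rules: List[dict]):
        self.rules = BUILTIN_RULES + custom_rules
        self.fired: Set[Tuple[str, str]] = set()

    def scan(self, path: str, content: str) -> List[str]:
        reminders = []
        for rule in self.rules:
            key = (rule["rule_name"], path)
            if key in self.fired or not _path_selected(path, rule):
                continue
            if _content_matches(content, rule):
                self.fired.add(key)
                reminders.append(f"[{rule['rule_name']}] {rule['reminder'][:REMINDER_CAP]}")
        return reminders


if __name__ == "__main__":
    scanner = EditScanner(load_rules(CUSTOM_RULES_JSON))
    print(scanner.scan("/repo/src/tenants/models.py", "qs = Tenant.objects.all()\n"))
    print(scanner.scan("/repo/app/util.py", "result = eval(expr)\n"))
    print(scanner.scan("/repo/app/util.py", "result = eval(expr)\n"))  # second edit: silent
```

Note what the path glob buys: the same `.objects.all()` text in `/repo/app/models.py` produces nothing, because the rule is scoped to the tenant package where an unfiltered query is a real isolation risk rather than noise.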

Cost and Disable Flags

Cost

  • Per-edit: no model call, no extra cost
  • End-of-turn: standard model usage, roughly one review call per file-changing turn
  • Commit: agentic, multi-turn; capped at 20 per rolling hour

The model-backed reviews default to Claude Opus 4.7. Override with SECURITY_REVIEW_MODEL (end-of-turn) or SG_AGENTIC_MODEL (commit). The plugin is available on all plans for free.

Disabling layers

| Env var | Effect |
|---|---|
| ENABLE_PATTERN_RULES=0 | Disable per-edit pattern check |
| ENABLE_STOP_REVIEW=0 | Disable end-of-turn review |
| ENABLE_COMMIT_REVIEW=0 | Disable commit / push review |
| ENABLE_CODE_SECURITY_REVIEW=0 | Disable all model-backed reviews at once |
| SECURITY_GUIDANCE_DISABLE=1 | Disable the plugin entirely without uninstalling |

Full pause / removal:

```bash
/plugin disable security-guidance@claude-plugins-official
/plugin uninstall security-guidance@claude-plugins-official
```

If the plugin was enabled through a project's .claude/settings.json, /plugin disable writes an override to .claude/settings.local.json rather than editing the checked-in file — you can stay off while teammates are unaffected.

FAQ

Q. Do I still need SAST in CI?

A. Yes. The plugin runs before CI, not instead of it. CI's language-specific rules and dependency scanners are still required. The plugin lowers the volume that reaches them — Anthropic reports a 30–40% reduction in security-related PR comments.

Q. Does the plugin block writes or commits?

A. No. Findings flow back to Claude as instructions. For hard enforcement, pair the plugin with a hook that blocks edits or a CI check.

Q. Does the review only see code Claude wrote?

A. The end-of-turn review sees the entire working-tree diff for the turn (Claude's Edit tools, Bash commands, and subagent work all included). The commit review only fires on commits/pushes Claude runs via its Bash tool — commits you run from your own shell are not reviewed.

Q. How do I debug missing reviews?

A. The plugin writes diagnostics to ~/.claude/security/log.txt. Common reasons a layer silently skips: ① the directory is not a git repository (only per-edit will run), ② the session lacks Anthropic authentication (model-backed reviews skip), ③ security-patterns.yaml is present but PyYAML is not importable (use .json instead).

Q. How do I roll out org-specific rules?

A. Commit .claude/claude-security-guidance.md for the team. For machine-wide distribution, push ~/.claude/claude-security-guidance.md via MDM. Administrators can also force-enable the plugin organization-wide via managed settings.

Summary

security-guidance is the in-session companion to PR-time review. By attaching to Claude Code hooks at three lifecycle points — file edit, end of turn, and commit — it tightens the feedback loop so vulnerabilities get caught and fixed before a PR opens. The per-edit layer is free and deterministic; the end-of-turn and commit layers spend a separate Claude call on a security-focused review.

The headline number — a 30–40% drop in security-related PR comments inside Anthropic — speaks to both reviewer load and developer velocity. Run /plugin install security-guidance@claude-plugins-official to try it. At ZenChAIne we are folding it into the multi-layer defense around our Spec-Driven Development workflow (spec-review, review_rules.md, and existing CI scanners), with the plugin sitting at the earliest possible point in that chain.
