Automate security reviews with Claude Code

图片描述：一只手托着一个房子形状，房子内部有5个节点。

今天我们在 Claude Code 中推出了自动化安全审查功能。通过我们的 GitHub Actions 集成和新的 /security-review 命令，开发者可以轻松让 Claude 识别安全隐患，并自动修复它们。

随着开发者越来越依赖 AI 来加快交付速度并构建更复杂的系统，确保代码安全变得尤为重要。这些新功能让你可以将安全审查集成到现有工作流程中，帮助你在代码进入生产环境前发现漏洞。

新的 /security-review 命令允许你在提交代码前，从终端运行临时的安全分析。在 Claude Code 中运行该命令，Claude 会扫描你的代码库，查找潜在漏洞，并详细解释发现的问题。

该命令使用专门针对安全的提示，检查常见漏洞模式，包括：

• SQL 注入风险
• 跨站脚本攻击（XSS）漏洞
• 认证和授权缺陷
• 不安全的数据处理
• 依赖项漏洞

你还可以在识别出问题后，要求 Claude Code 实现修复。这让安全审查成为你开发流程的一部分，及早发现并修复问题，降低修复难度。

新的 Claude Code GitHub Action 进一步提升安全审查，自动分析每个新建的拉取请求。配置后，该 Action 会：

• 在新拉取请求创建时自动触发
• 审查代码变更中的安全漏洞
• 应用可定制规则过滤误报和已知问题
• 在 PR 中内联评论发现的安全隐患，并提供修复建议

这为整个团队创建了一致的安全审查流程，确保没有代码未经基础安全审查就进入生产环境。该 Action 可集成到现有 CI/CD 流水线，并可根据团队安全策略进行定制。

（附两张截图，展示 Claude Code 发现漏洞并在 GitHub 中发表评论的界面）

我们自己也在使用这些功能，保障团队交付到生产环境的代码安全，包括 Claude Code 本身。自从配置了 GitHub Action 后，已经发现并阻止了多起安全漏洞。

例如，上周团队为内部工具开发新功能，启动了一个本地 HTTP 服务器以接受本地连接。GitHub Action 发现了一个可通过 DNS 绑定攻击利用的远程代码执行漏洞，PR 合并前即被修复。

（附 GitHub 评论截图，显示远程代码执行漏洞）

另一个案例中，一位工程师构建了一个代理系统以安全管理内部凭证。GitHub Action 自动标记该代理存在 SSRF 攻击漏洞，我们及时修复了该问题。

（附 GitHub 评论截图，显示 SSRF 漏洞）

这两项功能现已对所有 Claude Code 用户开放。开始使用自动化安全审查：

• /security-review 命令：更新 Claude Code 至最新版本，在项目目录运行 /security-review。查看文档了解如何自定义命令
  [https://github.com/anthropics/claude-code-security-review/tree/main?tab=readme-ov-file#security-review-slash-command]
• GitHub Action：查看文档，获取安装和配置步骤
  [https://github.com/anthropics/claude-code-security-review]

Today we're introducing automated security reviews in Claude Code. Using our GitHub Actions integration and a new /security-review command, developers can easily ask Claude to identify security concerns—and then have it fix them.

As developers increasingly rely on AI to ship faster and build more complex systems, ensuring code security becomes even more critical. These new features let you integrate security reviews into your existing workflows, helping you catch vulnerabilities before they reach production.

Review code for vulnerabilities from your terminal

The new /security-review command lets you run ad-hoc security analyses from your terminal before committing code. Run the command in Claude Code, and Claude will search your codebase for potential vulnerabilities and provide detailed explanations of any issues found.

This command uses a specialized security-focused prompt that checks for common vulnerability patterns including:

• SQL injection risks
• Cross-site scripting (XSS) vulnerabilities
• Authentication and authorization flaws
• Insecure data handling
• Dependency vulnerabilities

You can also ask Claude Code to implement fixes for each issue after they’re identified. This keeps security reviews in your inner development loop, catching issues early when they're easiest to fix.

Automate security reviews for new pull requests

The new GitHub action for Claude Code takes security reviews a step further by automatically analyzing every pull request when it's opened. When configured, the action:

• Triggers automatically on new pull requests
• Reviews code changes for security vulnerabilities
• Applies customizable rules to filter out false-positives and known issues
• Posts comments inline on the PR with any concerns found, including recommendations for fixes

This creates a consistent security review process across your entire team, ensuring no code reaches production without a baseline security review. The action integrates with your existing CI/CD pipeline and can be customized to match your team's security policies.

Improving product security at Anthropic

We're using these features ourselves to help secure the code our team ships to production, including Claude Code itself. Since setting up the GitHub action, this has already caught security vulnerabilities in our own code and prevented them from being shipped.

For example, last week, our team built a new feature for an internal tool that relied on starting a local HTTP server meant to accept local connections. The GitHub action identified a remote code execution vulnerability exploitable through DNS rebinding and it was fixed before the PR was ever merged.

In another case, an engineer built a proxy system to enable secure management of internal credentials. The GitHub action automatically flagged that this proxy was vulnerable to SSRF attacks, and we promptly fixed this issue.

Getting started

Both features are available now for all Claude Code users. To start using automated security reviews:

• For the /security-review command: Simply update Claude Code to the latest version and run /security-review in your project directory. See the documentation to customize your own version of the command
• For the GitHub action: See the documentation for step-by-step installation and configuration instructions

Generated by RSStT. The copyright belongs to the original author.

Source