Claude Code Security Review: a GitHub tool to automate code security vulnerability scanning

Claude Code Security Review is a program developed by Anthropic GitHub Action is a tool developed to automate the scanning of code for security vulnerabilities. It leverages the powerful semantic analysis capabilities of the Claude AI model to perform in-depth security reviews of code changes in Pull Requests. The tool analyzes code semantics to detect potential security risks such as SQL injection, elevation of privilege, hard-coded keys, etc., and automatically generates a detailed comment in the GitHub pull request with a description of the issue, a severity rating, and a recommendation for fixing it. It supports all programming languages, reduces false positives, and is suitable for developers to quickly find and fix security issues during the development process. The tool is easy to integrate into existing workflows, ensuring that code is more secure before it is committed to the production environment.

Function List

• Automated Security Review: Automatically scan code changes in GitHub pull requests to detect potential security vulnerabilities.
• Semantic Analysis: Leverage Claude AI to understand code context and go beyond traditional pattern matching to provide more accurate vulnerability detection.
• Pull Request Comments: Automatically generate detailed security issue comments in pull requests, including issue descriptions, severity ratings, and remediation recommendations.
• Multi-language support: for any programming language, no language-specific configuration is required.
• False Alarm Filtering: Advanced algorithms reduce low-impact or false alarm detection results and improve review efficiency.
• Customizable Scanning: Supports user-defined security review rules to adapt to specific project needs.
• Command line support: provides /security-review command that allows developers to manually trigger security scans in the terminal.

Using Help

Installation process

To use Claude Code Security Review, you first need to integrate it into the workflow of your GitHub repository. Here are the detailed installation steps:

1. preliminary::
   • Make sure your GitHub repository has GitHub Actions enabled.
   • Get the Anthropic API key. Access the Anthropic console to get the key.
   • In the GitHub repository's Settings > Secrets and variables > Actions In the New repository secret, add a file named ANTHROPIC_API_KEY key, fill in your Anthropic API key.
2. Configuring GitHub Action::
   • In the root directory of the repository, create the .github/workflows/ Folder.
   • Create a YAML file (e.g. security-review.yml) and copy the following sample code:

     name: Security Review
     on:
     pull_request:
     types: [opened, synchronize]
     jobs:
     security:
     runs-on: ubuntu-latest
     permissions:
     pull-requests: write
     contents: read
     steps:
     - uses: actions/checkout@v4
     with:
     ref: ${{ github.event.pull_request.head.sha }}
     fetch-depth: 2
     - uses: anthropics/claude-code-security-review@main
     with:
     comment-pr: true
     claude-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
     

   • Save the file and submit it to the repository. Each time a pull request is triggered, the tool will automatically run and scan the code.
3. Manual trigger (optional)::
   • Install the Claude Code CLI (command line tool) locally. Run the following command:

     npm install -g @anthropic-ai/claude-code
     

   • Navigate to the project directory and run:

     claude
     

   • In the Claude Code terminal, type /security-reviewThe security scan can be triggered manually.

Functional operation flow

1. Automated pull request review

When a developer submits a pull request, Claude Code Security Review automatically kicks in and analyzes the changed code files. It will:

• Scan code for potential vulnerabilities such as SQL injection, cross-site scripting attacks (XSS), hard-coded keys, and more.
• Generate a detailed report in the comment section of the pull request listing the line of code, problem description, severity rating, and fix recommendation for each issue. Example:

  ## Claude Code Review
  **文件**: src/auth.js
  **行号**: 42
  **问题**: 检测到硬编码密钥，可能导致敏感信息泄露。
  **严重性**: 高
  **建议**: 将密钥移至环境变量，使用安全的密钥管理工具。
  *Generated by Claude Code*
  

• Developers can modify the code directly based on the comments, fix the problem and resubmit it, and the tool will scan it again.

2. Manual operation /security-review

During the development process, developers can locally use the /security-review command to perform a security check:

• Make sure the project directory is a Git repository (run git init (Initialization).
• Start the Claude Code CLI and enter /security-reviewThe
• The tool analyzes the current Git staging area (git diff --staged) of code changes to generate security reports.
• If the directory is not a Git repository, the command will throw an error with "fatal: not a git repository". It is recommended to run git initThe

3. Customized security rules

Developers can customize security clearance rules to fit specific needs:

• In the project root directory, create the .claude/commands/ Folder.
• Copy the official repository for the security-review.md file to that folder.
• compiler security-review.md, add specific rules, such as ignoring certain types of false positives or adding organization-specific checks.
• Example custom rule:

  Review this code for security vulnerabilities, ignoring minor linting issues.
  Focus on: SQL injection, XSS, and hardcoded credentials.
  

• Save and re-run /security-reviewThe tool will be implemented according to the new rules.

4. False alarm filtering and optimization

The tool has a built-in advanced false alarm filtering mechanism to reduce unnecessary warnings. Developers can further optimize it:

• exist security-review.md to add filtering rules, such as ignoring specific files or patterns.
• utilization allowed_tools Parameters restrict the commands executed by the tool, for example:

  allowed_tools: "Bash(git diff:*),View,GlobTool,GrepTool"
  

caveat

• Ensure that API keys are stored securely to avoid leakage.
• Regularly update the Claude Code CLI and GitHub Action to the latest version for the latest security rules and fixes.
• If you encounter /security-review Failure, make sure the project directory is a Git repository and Claude Code is installed correctly.

application scenario

1. Security checks in rapid development
   Developers who are rapidly iterating code use Claude Code Security Review to automatically scan pull requests to ensure that new code doesn't introduce security vulnerabilities, saving time on manual reviews.
2. Code Review in Teamwork
   Development teams integrate tools into their GitHub workflows to automatically generate security reports for each pull request, helping team members focus on architectural issues rather than low-level vulnerabilities.
3. Legacy Code Maintenance
   When performing maintenance on an old code base, use the /security-review command scans the code and finds hidden security issues such as outdated encryption algorithms or insecure privilege controls.
4. Compliance requirements
   Organizations needing to meet stringent compliance standards (e.g., SOC 2, ISO 27001) use the tool to ensure that code meets security specifications, generating a traceable record of security reviews.

QA

1. What types of security vulnerabilities does Claude Code Security Review support?
   The tool detects a wide range of vulnerabilities including SQL injection, command injection, cross-site scripting attacks (XSS), elevation of privilege, hard-coded keys, sensitive data leakage, weak encryption algorithms, and more. It provides more accurate detection results through semantic analysis.
2. How can false alarms be reduced?
   The tool has a built-in false positive filtering mechanism. Users can edit the .claude/commands/security-review.md file, adding specific rules or ignoring certain low-priority issues to further optimize the results.
3. Does it require specific programming language support?
   Not required. Tool is language-agnostic, works with any programming language, and directly analyzes the semantics of code changes.
4. How to use it in non-Git repositories /security-review?
   The current version requires the project directory to be a Git repository. If it is not a Git repository, you need to run git init Initialization.
5. How do I secure my API keys?
   Store the key in the GitHub Actions encryption variable (ANTHROPIC_API_KEY), avoid hard-coding in code or configuration files.