How Claude Code’s New Security‑Guidance Plugin Cuts Security Feedback by 30‑40%

Claude Code’s security‑guidance plugin embeds three‑layer automated security reviews—pattern matching, diff review, and agentic commit review—directly into the coding workflow, reducing security‑related PR feedback by 30‑40% while incurring minimal extra cost, and offering customizable rules and configurable model usage.

SuanNi

Three review layers, each covering a stage

The security‑guidance plugin inserts automated security checks at three key points in Claude Code’s workflow, allowing the model to fix vulnerabilities without the developer needing to know the exact issue. Anthropic’s internal tests show a 30‑40% reduction in security‑related PR feedback.

Layer 1 – Pattern matching during file edit scans newly written content for roughly 25 known dangerous patterns, such as eval(), new Function, os.system, child_process.exec, unsafe deserialization (pickle.load, torch.load(weights_only=False), yaml.load), DOM injection (dangerouslySetInnerHTML, innerHTML =, document.write), hard‑coded keys, and workflow file edits. It uses pure regex/sub‑string matching, incurs zero extra cost, and adds warnings to Claude’s context. Each pattern triggers only once per file per session, and users can extend the list via a security‑patterns.yaml file.

Layer 2 – Diff review after each conversation round computes a git diff of all changes (including edits, Bash commands, and sub‑agents) once a round (user message + Claude reply) ends. The diff is sent to an independent LLM call—by default Claude Opus 4.7—for a deeper review that catches issues pattern matching misses, such as authorization bypass, IDOR, injection, SSRF, and weak encryption. Results are fed back to Claude, which repairs the code in the same session. The review caps at 30 changed files per round and yields after three rounds.

Layer 3 – Agentic commit review activates when Claude executes git commit or git push via the Bash tool. An SDK‑driven agentic review reads surrounding code, uses Read, Grep, and Glob to trace data flow, and confirms whether a finding is truly problematic. This layer captures cross‑file issues like IDOR, auth bypass, and cross‑file SSRF that pattern matching cannot detect. It is limited to 20 reviews per hour, only runs on Claude‑initiated commits, and suppresses duplicate warnings.

A key design detail is that the review model runs in a separate Claude instance; the pattern layer is deterministic, while the diff and commit reviews start with a fresh context and security‑specific prompts.
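
A minimal sketch of the Layer 1 behaviour described above (regex matching with one warning per pattern per file per session), added here as an illustration and not the plugin's own code. The regexes, rule names, EditSession class and sample edits are constructed assumptions; the plugin's real pattern list is not shown in this article.

```python
import re

# Constructed regexes approximating some pattern families the article names.
# The plugin's real pattern list and rule ids are not shown on the page.
PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),  # \b skips ast.literal_eval(
    "new-function": re.compile(r"\bnew\s+Function\b"),
    "os-system": re.compile(r"\bos\.system\s*\("),
    "child-process-exec": re.compile(r"\bchild_process\.exec\s*\("),
    "pickle-load": re.compile(r"\bpickle\.loads?\s*\("),
    "torch-load-unsafe": re.compile(r"\btorch\.load\s*\(.*weights_only\s*=\s*False"),
    "yaml-load": re.compile(r"\byaml\.load\s*\("),  # yaml.safe_load( is not hit
    "inner-html-assign": re.compile(r"\.innerHTML\s*=(?!=)"),  # skips == compare
    "document-write": re.compile(r"\bdocument\.write\s*\("),
}


class EditSession:
    """Warn at most once per (file, pattern) for the life of the session."""

    def __init__(self, patterns=PATTERNS):
        self.patterns = patterns
        self.seen = set()  # (path, pattern name) pairs already reported

    def scan_edit(self, path, new_text):
        warnings = []
        for lineno, line in enumerate(new_text.splitlines(), 1):
            for name, rx in self.patterns.items():
                if (path, name) not in self.seen and rx.search(line):
                    self.seen.add((path, name))
                    warnings.append((path, lineno, name))
        return warnings


# Constructed sample edits: two to the same Python file, one to a JS file.
EDIT_1 = "import os, ast\ncfg = ast.literal_eval(raw)\nresult = eval(expr)\nos.system('ls ' + d)\n"
EDIT_2 = "value = eval(other)\nmodel = pickle.load(fh)\ndata = yaml.safe_load(fh)\n"
EDIT_3 = "if (el.innerHTML == '') {}\nel.innerHTML = userHtml;\nconst y = eval(code);\n"


def demo():
    s = EditSession()
    return (s.scan_edit("app/util.py", EDIT_1),
            s.scan_edit("app/util.py", EDIT_2),  # eval already reported here
            s.scan_edit("web/view.js", EDIT_3))  # new file, eval fires again


if __name__ == "__main__":
    for batch in demo():
        print(batch)
```

Matching here is line-by-line and purely textual, so a call split across lines is missed and a yaml.load call that passes a safe loader is still flagged; output of this kind is a warning for the model to weigh, not a verdict.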

Installation and configuration

Install the plugin inside a Claude Code session with:

/plugin install security-guidance@claude-plugins-official

Choose the user scope to make the plugin available to all new sessions on that machine, then reload without restarting:

/reload-plugins

If the marketplace is not found, first add it:

/plugin marketplace add anthropics/claude-plugins-official

Prerequisites: Claude Code CLI ≥ v2.1.144, Python 3.8+, a Git repository (diff and commit reviews rely on Git state), and a valid API channel (Anthropic API key, Bedrock, Vertex, etc.). On first run the plugin creates a virtual environment under ~/.claude/security/ and installs the Claude Agent SDK. The web version does not load user‑level plugins automatically; to enable it project‑wide, add the following to .claude/settings.json:

{
  "enabledPlugins": {
    "security-guidance@claude-plugins-official": true
  }
}

Administrators can also enable the plugin via managed settings for an organization.

Custom rules

The plugin offers two extension points: a Markdown file for model‑review prompts and a YAML/JSON file for additional pattern matches. Users can add rules but cannot disable built‑in ones, which already cover common web vulnerabilities (injection, XSS, SSRF, hard‑coded keys, IDOR, auth bypass, unsafe deserialization, path traversal). Custom rules target project‑specific threats and are placed in .claude/claude-security-guidance.md using natural language to describe the threat model and checklist. Note that the third‑layer agentic review does not read this file.

Rules are advisory; they do not form a deterministic guardrail. To suppress a specific finding, add an inline comment explaining why the code is safe, or list systematic exclusions in the Markdown file.

Cost and control

The pattern‑matching layer has zero cost. Diff and commit reviews consume model tokens like regular Claude requests; commit reviews may involve multiple model rounds. Both default to Claude Opus 4.7, but the models can be changed via environment variables: SECURITY_REVIEW_MODEL for diff review and SG_AGENTIC_MODEL for commit review. Model IDs differ per provider (e.g., claude-opus-4-7 for Anthropic API, us.anthropic.claude-opus-4-7 for Bedrock, claude-opus-4-7@20260218 for Vertex).

Switching to Claude Sonnet 4.6 can reduce false positives. Enabling high‑recall mode with SG_DUAL_OR=on runs two parallel reviews and roughly doubles API cost, but captures a few extra percentage points of vulnerabilities.

The plugin is available on all paid Claude Code plans.

Data handling

Diff review sends changed file paths, diff snippets, and any related file contents to the model endpoint. Commit review also sends any files read via Read, Grep, or Glob. The content of claude-security-guidance.md is appended to each review prompt, so secrets must not be stored there.

Data is sent to the configured endpoint: by default api.anthropic.com (subject to Anthropic’s terms), or to a custom LLM gateway if ANTHROPIC_BASE_URL is set, or to third‑party providers (Bedrock, Vertex, Foundry, Mantle) under their respective data‑processing terms.

Limitations

The plugin is a best‑effort assistance tool, not a security guarantee. Findings are suggestions and do not replace manual code review, SAST/DAST, dependency scanning, or penetration testing. The review model may miss vulnerabilities or generate false positives, and its performance varies across codebases, languages, and model versions. No warranty is provided.

Overall, the security‑guidance plugin embeds security review directly into the coding flow—no PR, no CI—so developers see and fix issues as they write code, achieving a reported 30‑40% reduction in security feedback.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
