MilikMilik

Claude Code’s New Security Plugin Spots Vulnerabilities as You Type

What Claude Code’s Security Guidance Plugin Does

Claude Code’s Security Guidance Plugin is an AI-powered vulnerability detection plugin that performs real-time security scanning on code changes, flagging risky patterns and suggesting fixes while developers write code in the same session. Anthropic designed this new Claude Code security feature to act as a lightweight first pass before traditional reviews, focusing on catching injection flaws, unsafe deserialization, and insecure DOM APIs before code reaches pull requests. Instead of running a separate AI code review tool after the fact, the plugin automatically attaches to Claude Code sessions and quietly reviews edits in the background. It is available on all plans, free to install from the plugin marketplace, and runs instant checks without consuming model calls. For deeper analysis, it uses the same usage budget as normal Claude requests, integrating security into the existing workflow rather than adding another standalone step.

Three Layers of Real-Time Security Scanning

The Security Guidance Plugin is built around three review stages that align with how developers work. The first layer runs during file edits and uses pattern-based checks without calling a model, scanning for constructs such as eval(), new Function(), os.system(), child_process.exec(), and unsafe DOM patterns like dangerouslySetInnerHTML or direct innerHTML assignments. The second layer runs after each model turn, when Claude has generated new code. At that point, the plugin examines the full git diff from the session to find more subtle issues, including authorization bypass, insecure direct object references, injection flaws, server-side request forgery, and weak cryptography. The deepest review occurs when Claude uses its Bash tool to commit or push. Here, the plugin inspects surrounding files, sanitizers, and related code paths to validate potential vulnerabilities and reduce false positives before changes are finalized.
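
A sketch of what a model-free, pattern-based first layer like the one described above can look like. This is an added example, not the plugin's own code: the rule names, regexes and sample input are constructed for illustration. It also shows why naive matching needs care, since `model.eval()`, `ast.literal_eval()` and a read of `innerHTML` should not be flagged.

```python
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line: int
    rule: str
    text: str


# Constructed rules for the constructs the article names; the plugin's real
# rule set is not published on this page.
RULES = [
    # Bare eval( only: the lookbehind skips literal_eval( and method calls
    # such as model.eval(), at the cost of missing window.eval(.
    ("eval", re.compile(r"(?<![\w.])eval\s*\(")),
    ("new-function", re.compile(r"\bnew\s+Function\s*\(")),
    ("os-system", re.compile(r"\bos\.system\s*\(")),
    ("child-process-exec", re.compile(r"\bchild_process\.exec\s*\(")),
    ("dangerously-set-inner-html", re.compile(r"\bdangerouslySetInnerHTML\b")),
    # Assignment (= or +=) only; (?!=) skips the == and === comparisons.
    ("innerhtml-assign", re.compile(r"\.innerHTML\s*\+?=(?!=)")),
]

# Whole-line comments are skipped; code with a trailing comment is still scanned.
COMMENT = re.compile(r"^\s*(#|//)")


def scan(source: str) -> List[Finding]:
    """Return one finding per (line, rule) match, in source order."""
    findings = []
    for number, line in enumerate(source.splitlines(), start=1):
        if COMMENT.match(line):
            continue
        for rule, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(number, rule, line.strip()))
    return findings


# Constructed sample mixing Python and JavaScript lines.
SAMPLE = """import os
# os.system("ls") in a comment is ignored
os.system("convert " + user_path)
model.eval()
value = ast.literal_eval(raw)
result = eval(expr)
el.innerHTML = userBio;
if (el.innerHTML === "") { return; }
const run = new Function("a", body);
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(f"line {finding.line}: {finding.rule}: {finding.text}")
```

A scanner like this cannot tell whether `user_path` or `userBio` is attacker-controlled or already sanitized, which is the gap the diff-level and commit-level reviews described above are meant to close.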

How It Fits into Everyday Developer Workflows

In practice, the plugin turns Claude Code security checks into a background process that follows the same steps developers already take. Once installed, it runs automatically during development sessions, so there is no extra command to remember or separate scanner to launch. When you edit a file, Claude’s lightweight layer alerts you if you add a dangerous function call or insecure DOM operation. After you ask Claude to generate or refactor code, the AI code review step kicks in, evaluating the resulting diff before you even open a pull request. During commits or pushes triggered through Claude’s Bash tool, the plugin treats the change set as a mini security review, assessing context and sanitization paths. According to Anthropic, this integration has led to “a 30–40% decrease in security-related comments on PRs opened using the plugin,” easing pressure on later code review stages.

Custom Rules, Requirements, and Best Practices

Beyond its built-in rules, the vulnerability detection plugin supports organization-specific policies. Teams can define security guidelines in a claude-security-guidance.md file, place it in their repositories or distribute it via device management, and the plugin will enforce those custom checks alongside the defaults. All users can install the plugin via the /plugins marketplace, but there are a few technical requirements: Claude Code version 2.1.144 or later and Python 3.8 or newer. The deeper diff-based and commit-based reviews only run inside git repositories, while the lightweight pattern checks work in any directory, making them suitable even for small scripts or prototypes. To get the most value, teams should treat the plugin as an always-on guardrail, still pairing it with manual review and dedicated security testing. Used this way, it can catch many mistakes early without replacing expert oversight.
