Claude Code Gets a Free Security Plugin — And It Actually Works

Anthropic released a free security plugin for Claude Code that catches vulnerabilities in real-time. Internal testing shows 30-40% fewer security comments in pull requests.

If you’ve been using Claude Code, you know the drill: you write code, it works, you push — and then code review catches that you left an eval() somewhere or an innerHTML is wide open. Not catastrophic, but annoying. And potentially dangerous.

Anthropic just released a plugin that tackles exactly this. The Security-Guidance Plugin runs directly inside Claude Code and monitors your code at three levels: on every file edit, after every model turn, and before every commit.

What the plugin actually does

The first level is a fast, deterministic pattern match with no model call. It flags dangerous constructs like eval(), new Function(), os.system(), child_process.exec(), pickle deserialization, and DOM injection vectors like dangerouslySetInnerHTML. This runs in milliseconds and costs zero tokens.

The second level kicks in after model turns and uses Claude to understand context. Is that eval() running inside a sandbox? Is the input sanitized beforehand? This isn’t dumb pattern matching — it’s semantic understanding of what the code actually does.

The third level runs before commits and performs a final security sweep across all changes.
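To make the first, deterministic level concrete, here is an added example (my own illustration, not the plugin's code) of a token-free pattern pass that scans only the lines added by a unified diff, as an edit-time hook would. The rule ids, regexes, comment heuristic and SAMPLE_DIFF are all constructed for this example.

```python
import re
# Added illustration of the deterministic, token-free first pass the article describes.
# Not the plugin's own code; rule ids and SAMPLE_DIFF are constructed for this example.
RULES = [
    ("eval", re.compile(r"\beval\s*\(")),
    ("new-function", re.compile(r"\bnew\s+Function\s*\(")),
    ("os-system", re.compile(r"\bos\.system\s*\(")),
    ("child-process-exec", re.compile(r"\bchild_process\.exec\s*\(")),
    ("pickle-deserialize", re.compile(r"\bpickle\.(?:loads?|Unpickler)\b")),
    ("dom-injection", re.compile(r"dangerouslySetInnerHTML|\.innerHTML\s*=")),
]

def scan_lines(lines, start_no=1):
    """Return (line_no, rule_id, text) for each rule hit; whole-line comments are skipped."""
    out = []
    for i, line in enumerate(lines):
        if line.lstrip().startswith(("#", "//", "/*")):
            continue  # crude heuristic to cut noise from commented-out code
        for rule, pat in RULES:
            if pat.search(line):
                out.append((start_no + i, rule, line.strip()))
    return out

def scan_diff(diff):
    """Scan only lines *added* by a unified diff, as an edit-time hook would."""
    out, new_no = [], 0
    for raw in diff.splitlines():
        if raw.startswith(("+++", "---")):
            continue  # file headers
        if raw.startswith("@@"):  # hunk header: take the new-file start line
            m = re.search(r"\+(\d+)", raw)
            new_no = int(m.group(1)) if m else 0
            continue
        if raw.startswith("-"):
            continue  # removed line, not part of the new file
        if raw.startswith("+"):
            out.extend(scan_lines([raw[1:]], new_no))
        new_no += 1  # context and added lines both advance the new-file counter
    return out
SAMPLE_DIFF = """\
--- a/app.py
+++ b/app.py
@@ -10,4 +10,6 @@ def load(payload):
     data = request.get_json()
-    os.system("ls")
+    obj = pickle.loads(payload)
+    # eval(obj) kept in a comment: must not fire
+    result = eval(data["expr"])
     return result
"""
```

Running scan_diff(SAMPLE_DIFF) reports the pickle.loads and eval hits on new-file lines 11 and 13, ignores the removed os.system line, and skips the commented-out eval; the semantic second level the article describes is what would then decide whether those hits are actually reachable with untrusted input.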

The numbers are compelling

During Anthropic’s internal rollout, the plugin reduced security-related comments on pull requests by 30 to 40 percent. That might sound modest, but anyone who’s done security reviews knows: each of those comments costs time — for the reviewer and the developer.

The plugin complements Claude Code’s existing code review feature, available since version 2.1.147. While /code-review analyzes pull requests after they’re opened, the security plugin catches issues before they ever reach the PR.

Installation and customization

The plugin is available to all Claude Code users via /plugins. Requirements are Claude Code version 2.1.144 or later and Python 3.8 on your system.

Especially useful for teams: you can define org-specific rules through a claude-security-guidance.md file in your repository. If your team allows certain patterns or needs additional checks, you can configure that.

The bigger picture

The security plugin is a smart move from Anthropic. It solves a real problem — vulnerabilities that only get caught in review — and makes Claude Code more complete as a developer tool. It also shows how the plugin ecosystem is maturing: Anthropic isn’t building everything in-house but is providing the infrastructure and filling it with genuinely useful extensions.

For solo developers, this plugin is a no-brainer. For teams, it could meaningfully reduce the security review burden. And for Anthropic, it’s another piece in the puzzle of building the best coding platform on the market.
