We’ve shipped a security-guidance plugin for Claude Code that helps identify and fix vulnerabilities as you’re writing code. Available for all Claude Code users. Install from the plugin marketplace (/plugins). https://t.co/LprgC4m6Kf
Anthropic Launches Security Guidance Plugin to Fix Vulnerabilities in Claude Code
Anthropic shipped the security-guidance plugin for Claude Code, its terminal-based agentic coding tool. The plugin adds a multi-layered defense that scans for risks such as injection and unsafe deserialization (reconstructing objects from data an attacker may control) in real time. It runs automatically within the session; no manual command is needed to trigger a review.
- Review model: Claude Opus 4.7
- Internal PR impact: 30-40% fewer security comments
- Detection layers: pattern match, turn diff, agentic commit review
- Customization: Markdown and YAML rule files
- Availability: all Claude Code users
It extends the Claude Code Security scanner by moving protection directly into the Claude Code Auto Mode workflow. Because flaws are caught before they reach a pull request, teams can keep their development velocity without lowering their security bar.
You can install the plugin via the marketplace and customize it with a claude-security-guidance.md file for organization-specific policies. The tool is available to all users and uses Claude Opus 4.7 for background reviews. While pattern matching is free, model-backed reviews count toward standard usage limits.
ClaudeDevs (@ClaudeDevs) on X
A few quick answers below.
The security guidance plugin is an official extension for Anthropic's Claude Code CLI that identifies and fixes vulnerabilities in real time. It combines fast pattern matching with deeper agentic reasoning to review code changes as they are written, helping developers catch security flaws before they reach the pull request stage.
The plugin operates across three distinct layers. It performs a fast pattern match on every file edit to catch known risky constructs, runs a background model review of the git diff at the end of each turn, and executes a deep agentic review at commit time. The staged approach is meant to catch simple, well-known patterns cheaply and leave the more complex logic flaws to the model-backed layers; the pattern layer can only find what its rules encode, so the later reviews are what cover context-dependent bugs.
You can add organization-specific rules by creating a markdown file named claude-security-guidance.md in your project directory. This file defines custom threat models and checklists that the model-backed reviews follow. Custom regex patterns for the per-edit check go in a YAML or JSON configuration file.
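To make the per-edit pattern layer and the custom regex file described above concrete, here is an added example; it is not the plugin's own code, which this page does not show. It is a small Python checker that loads regex rules from a JSON document and applies them only to the added lines of a unified diff, reporting each hit with its post-edit line number. The rule schema (id, severity, pattern, message), the rule names, and the sample diff are all constructed for this example and are assumptions, not the plugin's real configuration format.

```python
"""Per-edit regex check over a git diff (added example, not the plugin's code)."""
import json
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed rule file. The JSON schema (id, severity, pattern, message) is an
# assumption for this example and is not the plugin's real config format.
RULES_JSON = r"""
[
  {"id": "py-eval",      "severity": "high",
   "pattern": "\\beval\\s*\\(",
   "message": "eval() on attacker-influenced input is code injection"},
  {"id": "py-pickle",    "severity": "high",
   "pattern": "\\bpickle\\.loads?\\s*\\(",
   "message": "pickle deserialization of untrusted data executes arbitrary code"},
  {"id": "py-yaml-load", "severity": "medium",
   "pattern": "\\byaml\\.load\\s*\\((?![^)]*Loader)",
   "message": "yaml.load() without an explicit safe Loader can instantiate objects"},
  {"id": "py-shell",     "severity": "high",
   "pattern": "\\bsubprocess\\.\\w+\\s*\\([^)]*shell\\s*=\\s*True",
   "message": "shell=True with interpolated arguments allows command injection"},
  {"id": "sql-fstring",  "severity": "high",
   "pattern": "\\.execute\\s*\\(\\s*f[\"']",
   "message": "f-string SQL is injectable; use parameterised queries"}
]
"""

# Constructed sample diff: one hunk that swaps json for pickle, adds a
# shell=True call, and replaces yaml.safe_load with a correctly-Loader'd yaml.load.
SAMPLE_DIFF = "\n".join([
    "diff --git a/app/handlers.py b/app/handlers.py",
    "--- a/app/handlers.py",
    "+++ b/app/handlers.py",
    "@@ -10,4 +10,7 @@ def load_session(raw):",
    "-    return json.loads(raw)",
    "+    return pickle.loads(base64.b64decode(raw))",
    "+",
    "+def run_report(name):",
    '+    subprocess.run(f"report --name {name}", shell=True)',
    " ",
    " def parse_config(text):",
    "-    return yaml.safe_load(text)",
    "+    return yaml.load(text, Loader=yaml.SafeLoader)",
])


@dataclass(frozen=True)
class Finding:
    path: str
    line: int        # line number in the post-edit file
    rule_id: str
    severity: str
    message: str
    text: str


Rule = Tuple[str, str, str, "re.Pattern[str]"]

HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def load_rules(rules_json: str) -> List[Rule]:
    """Parse and compile the rule file once; a bad regex fails at load time, not mid-scan."""
    return [(r["id"], r["severity"], r["message"], re.compile(r["pattern"]))
            for r in json.loads(rules_json)]


def scan_diff(diff_text: str, rules: List[Rule]) -> List[Finding]:
    """Apply every rule to the added ('+') lines of a unified diff only.

    Removed lines and untouched context never produce findings, so legacy code
    does not generate noise, and each hit carries its post-edit line number.
    """
    findings: List[Finding] = []
    path, new_line = "", 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            target = raw[4:]
            path = target[2:] if target.startswith("b/") else target
            continue
        if raw.startswith(("--- ", "diff ", "index ", "\\")):
            continue                      # headers and "\ No newline" markers
        hunk = HUNK_RE.match(raw)
        if hunk:
            new_line = int(hunk.group(1))  # first line number of the new side
            continue
        if raw.startswith("-"):
            continue                      # removed line: absent from the new file
        if raw.startswith("+"):
            content = raw[1:]
            for rule_id, severity, message, pattern in rules:
                if pattern.search(content):
                    findings.append(Finding(path, new_line, rule_id, severity,
                                            message, content.strip()))
        new_line += 1                     # context and added lines both advance


    return findings


def main() -> None:
    rules = load_rules(RULES_JSON)
    for f in scan_diff(SAMPLE_DIFF, rules):
        print(f"{f.path}:{f.line} [{f.severity}] {f.rule_id}: {f.message}")
        print(f"    {f.text}")


if __name__ == "__main__":
    main()
```

Scanning only `+` lines is what keeps a per-edit or per-turn check quiet: untouched code never generates findings, and each hit points at the line the developer just wrote. The yaml.load rule's negative lookahead shows why even the cheap regex layer needs care: a rule that fired on every `yaml.load(` would flag the safe `Loader=` form too and teach developers to ignore the tool.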
The plugin is available to all Claude Code users across all plans. While the initial pattern matching layer is free and adds no usage cost, the model-backed reviews at the end of turns and commits consume model usage. These reviews count toward your standard Claude usage limits just like any other request.
The plugin is available for all Claude Code users and can be installed directly from the official Anthropic marketplace. It requires Claude Code CLI version 2.1.144 or later and a Python environment. While it works in local sessions, administrators can also enable it organization-wide through managed settings for shared repositories.