AI Agents, News & Updates, Code Editors

Anthropic Ships Free Claude Code Security Plugin to Catch Vulnerabilities in Real Time

Anthropic's new Security Guidance plugin for Claude Code automatically scans code changes for injection flaws, unsafe deserialization, and 25+ dangerous patterns before they reach pull requests — free for all users on every plan.

3 min read
Anthropic Ships Free Claude Code Security Plugin to Catch Vulnerabilities in Real Time

Image by CWA

Anthropic Ships Free Claude Code Security Plugin to Catch Vulnerabilities in Real Time

Anthropic shipped a free Security Guidance plugin for Claude Code on May 26, garnering more than 157,000 downloads in its first 24 hours — a signal that developers running AI-generated code have been waiting for exactly this kind of safeguard.

The plugin integrates directly into Claude Code's development session and automatically scans code changes for common vulnerabilities across three distinct checkpoints: on file edits, after AI-generated changes, and at commit time. Developers do not need to launch a separate tool or run an additional command; once installed via /plugins in Claude Code, it runs quietly in the background on every session.

What the Plugin Actually Catches

The first review stage runs a fast, deterministic regex-based pattern match on every file edit — no model call, no usage cost. It flags roughly 25 dangerous constructs including eval(), new Function(), os.system(), child_process.exec(), pickle deserialization, and DOM injection vectors like dangerouslySetInnerHTML and .innerHTML=. Because this layer requires no AI inference, it adds zero overhead to the coding session.

The second stage triggers after Claude Code itself generates or modifies code, checking whether the AI's own output introduced a vulnerability. The third stage fires when Claude commits or pushes via its Bash tool, invoking a deeper agentic review powered by Claude Opus 4.7 that reads surrounding callers, sanitizers, and related files to reduce false positives.

"Across our internal rollout and benchmarks, we've seen a 30–40% decrease in security-related comments on PRs opened using the plugin," Anthropic said. "The plugin serves as a lightweight first pass, catching issues before a full code review."

Free for All Users, No Extra API Spend for Fast Checks

The plugin is available at no cost to every Claude Code user on every plan — Free through Enterprise. The fast regex layer at file-edit time does not consume Claude usage credits at all. Deeper end-of-turn and commit-time reviews draw from the same usage budget as standard requests, using Claude Opus 4.7 by default. Developers can override the model via the SECURITY_REVIEW_MODEL and SG_AGENTIC_MODEL environment variables.

The minimum requirements are Claude Code version 2.1.144 or later and Python 3.8 or newer.

The Security Guidance plugin is a different product from Claude Code Security, Anthropic's enterprise-grade codebase scanning service that launched as a limited research preview in February 2026 and expanded to a public beta for Enterprise customers in late April. That product uses full AI reasoning to scan entire repositories and surface logic-level flaws. The Security Guidance plugin is the always-on, lightweight companion for individual coding sessions — the first line of defense, not a replacement for deeper audits.

Part of a Broader Security Push

The plugin fits inside Anthropic's Project Glasswing initiative — a cross-industry effort involving AWS, Apple, Google, Microsoft, and others to secure critical software. An open-source reference implementation at anthropics/claude-code-security-review on GitHub accompanies the release, demonstrating agents autonomously hunting and patching issues including SQL injection, XSS, remote code execution via deserialization, insecure direct object references, and hardcoded credential detection.

Also this week, Anthropic put self-hosted sandboxes for Claude Managed Agents into public beta, allowing teams to keep tool execution entirely within their own infrastructure while the agent orchestration loop stays on Anthropic's servers. The pairing gives security-conscious teams a path to running Claude Code agents on sensitive codebases without files or repositories ever leaving their perimeter.

Developer Takeaway

For developers shipping production code with Claude Code, the Security Guidance plugin is the lowest-friction security upgrade available right now. Install it once via /plugins and it becomes a permanent background layer on every session going forward. The 157,000 downloads in the first 24 hours reflect how clearly the community recognized the value: AI coding assistants are generating and committing code fast enough that the security tooling around them needs to keep pace.

Share:

Other Latest News

OpenAI Releases GPT-5.6 and GPT-Live to All Users Today
News & Updates, AI Agents, Voice

OpenAI Releases GPT-5.6 and GPT-Live to All Users Today

OpenAI publicly launches its most powerful model family — Sol, Terra, and Luna — today alongside GPT-Live, a new full-duplex voice architecture that replaces Advanced Voice Mode across all ChatGPT tiers.

Jul 9, 2026
Cursor and SpaceXAI Release Grok 4.5, Their First Joint Model
News & Updates, Code Editors

Cursor and SpaceXAI Release Grok 4.5, Their First Joint Model

SpaceXAI and Cursor have jointly launched Grok 4.5, a 1.5-trillion-parameter coding model available now across all Cursor plans at $2/$6 per million tokens — weeks before their $60B acquisition deal closes.

Jul 9, 2026
Anthropic Adds Model Controls and Spend Alerts to Claude Enterprise
AI Agents, News & Updates

Anthropic Adds Model Controls and Spend Alerts to Claude Enterprise

Anthropic's new Claude Enterprise admin controls give platform admins per-user cost breakdowns, model-level entitlements, and real-time spend-threshold alerts — targeting the budget blowouts that have quietly burned enterprise AI teams in 2026.

Jul 6, 2026
Gemini Spark Comes to Mac With Local File Access and MCP Support
AI Agents, News & Updates

Gemini Spark Comes to Mac With Local File Access and MCP Support

Google has added Gemini Spark to the Gemini desktop app for macOS, giving it access to local files, MCP server connections, real-time topic tracking, and new integrations with Canva, Dropbox, and more.

Jul 3, 2026
Google Drops ADK 2.0 and Genkit Agents for AI App Builders
AI Agents, News & Updates

Google Drops ADK 2.0 and Genkit Agents for AI App Builders

Google published three developer-facing launches in 24 hours: ADK 2.0's graph-based workflow runtime, the Genkit Agents API for full-stack conversational AI, and a Google Cloud Workbench VS Code extension — a coordinated push to own the agent-development stack.

Jul 3, 2026
Fable 5 Returns Globally as US Lifts Export Controls on Anthropic
News & Updates, AI Agents, Security

Fable 5 Returns Globally as US Lifts Export Controls on Anthropic

Anthropic restored global access to Claude Fable 5 on July 1 after the US Commerce Department lifted the 19-day export controls. Claude Code and Claude.ai users get the model back with a new 99%+ jailbreak classifier and an industry-wide safety framework now in development.

Jul 2, 2026
← Scroll for more →