UPDATED 15:00 EST / AUGUST 06 2025


Anthropic automates software security reviews with Claude Code

Generative artificial intelligence startup Anthropic PBC today introduced the ability for Claude Code to automate software security reviews, identifying and fixing potential vulnerabilities and weaknesses in code.

As code becomes more complex and software engineers embrace “vibe coding,” which uses AI as part of the development process, the number of security issues in code has increased. According to Verizon’s 2025 Data Breach Investigations Report, there has been a 34% increase in attackers exploiting vulnerabilities to gain initial access compared with last year’s report.

Developers are increasingly using AI to speed up their workflows and create more complex systems, resulting in a surge of code generation. Security reviews are essential to this process; they involve thoroughly examining the code to ensure it functions correctly with unit tests and does not contain exploits or known vulnerabilities that attackers could potentially exploit.

Claude Code is a command-line tool from Anthropic that runs in the terminal and is powered by the company’s AI models, letting developers automate coding tasks and interact with codebases using natural language. Using GitHub Actions, developers can now easily ask Claude to identify security concerns and then have it fix them.

After writing code, a developer can type “/security-review” and Claude Code will begin an ad-hoc security analysis before the code is committed. The company’s AI model will search the codebase for potential vulnerabilities and provide a detailed explanation of the issues it discovers.

“This command uses a specialized security-focused prompt that checks for common vulnerability patterns,” the company said.

The types of potential exploits Claude can uncover include SQL injection risks, cross-site scripting attacks, authentication and authorization flaws, insecure data handling and dependency vulnerabilities. The developer can also ask Claude Code to implement fixes for each issue after they’re identified. Anthropic said that keeps security reviews in the inner development loop, catching issues early when they’re easier to fix.

Going a step further, Claude Code can be initiated automatically when code is moved from development to testing. The AI model scans the code, works to filter out false positives, and posts its comments into tickets about any security concerns it finds, including recommendations and fixes.

That way, the development team can review the potential issues and recommendations and follow up. According to Anthropic, this ensures that no code reaches production without at least an automated security review happening. It also integrates easily into automated DevOps continuous integration and continuous deployment pipelines.

The system can be tailored to align with a team’s security policies and best practices. This customization lets teams adjust its sensitivity, its behavior and how it collaborates with developers when integrated into their workflow.

Other major tech companies have also released their own code agents and assistants, including Google LLC’s Code Assist, Amazon.com Inc.’s Q Developer and Microsoft Corp.’s AI-powered code review assistant, which can scan code bases for vulnerabilities at scale and suggest fixes. Many of these systems similarly connect to GitHub, allowing developers to flag potential bugs, improve their code and free up human reviewers to focus on architectural problems.

Anthropic added that the company is using the new security review functionality itself to secure code the team ships to production, including for Claude Code itself. For example, last week, Anthropic said, its team built a new feature for an internal tool that relied on starting a local HTTP server meant to accept only local connections. The GitHub action identified a remote code execution vulnerability exploitable through DNS rebinding, and it was fixed before the [code] was merged.
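The DNS rebinding weakness mentioned above is typical of local HTTP servers: a browser on the same machine can be steered to a domain that resolves to 127.0.0.1, so the server sees a loopback connection that originated from a hostile web origin. The following is an added example, not Anthropic’s code or the fix it applied: a small Python server that rejects any request whose Host header is not a loopback name (the allowed hostnames and the port are assumptions chosen for the example).

```python
# Added example (not Anthropic's code): a loopback-only HTTP server that
# mitigates DNS rebinding by validating the Host header. The allowed
# hostnames and the port are assumptions chosen for this example.
from http.server import BaseHTTPRequestHandler, HTTPServer

# A rebound attacker domain still carries its own hostname in the Host
# header even though the TCP connection arrives on 127.0.0.1; that
# mismatch is what the check below rejects.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "[::1]"}


def host_header_allowed(host_header, port=8765):
    """Return True only if the Host header names a loopback origin.

    Accepts "localhost", "127.0.0.1" or "[::1]", with or without the
    expected port. Anything else (e.g. "evil.example:8765") is rejected.
    """
    if not host_header:
        return False
    host = host_header.strip().lower()
    # Split off the port, taking IPv6 bracket syntax into account.
    if host.startswith("["):
        name, _, rest = host.partition("]")
        name += "]"
        port_part = rest[1:] if rest.startswith(":") else ""
    else:
        name, _, port_part = host.partition(":")
    if port_part and port_part != str(port):
        return False
    return name in ALLOWED_HOSTS


class RebindingSafeHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if not host_header_allowed(self.headers.get("Host"),
                                   self.server.server_port):
            # 421 Misdirected Request: the Host does not match this server.
            self.send_error(421, "Host header not allowed")
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"ok\n")


def run(port=8765):
    # Binding to loopback limits who can connect; the Host check above
    # covers browsers that reach loopback through a rebound public domain.
    HTTPServer(("127.0.0.1", port), RebindingSafeHandler).serve_forever()


if __name__ == "__main__":
    run()
```

Binding to 127.0.0.1 alone does not stop rebinding, because the rebound request really does arrive over loopback; the Host check is the part that closes the gap.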
