Overview
Claude Code Security Reviewer is an open-source GitHub Action maintained by Anthropic that uses Claude (Claude Code) to perform AI-powered security reviews of code changes. Instead of relying solely on pattern matching, it leverages Claude's semantic reasoning to understand the intent and context of code changes, produce actionable findings, and post review comments directly on pull requests.
Key Features
- AI-Powered Analysis: Uses Claude's deep semantic reasoning to identify security vulnerabilities beyond simple regex or signature-based detection.
- Diff-Aware Scanning: For pull requests, the action focuses on changed files (diffs) so reviews are targeted and efficient.
- PR Comments: Findings are posted as review comments on the specific lines of code to make remediation straightforward for contributors.
- Language-Agnostic: Works with any programming language since it reasons over semantics rather than language-specific patterns.
- False Positive Filtering: Includes logic to reduce noise by filtering out low-impact or common false positives, configurable by the repository.
- Configurable Outputs: Optionally uploads results as artifacts and exposes summary outputs like findings count and results file path.
How It Works
- The action runs on pull_request (or any configured trigger) and checks out the repository with a small fetch depth.
- It extracts the diff and relevant context around changed files and constructs prompts for Claude Code to analyze security implications.
- Claude produces structured findings (severity, explanation, remediation guidance), which are then post-processed by the action's false-positive filtering logic.
- Final findings are posted as PR review comments and/or saved as artifacts; outputs such as findings-count and results-file are provided for downstream steps.
Configuration & Quick Start
Add the provided workflow snippet to your repository's .github/workflows/security.yml and supply a Claude API key via secrets:

    - uses: anthropics/claude-code-security-review@main
      with:
        comment-pr: true
        claude-api-key: ${{ secrets.CLAUDE_API_KEY }}

Inputs include claude-api-key (required), comment-pr, upload-results, exclude-directories, claude-model (defaults to an Opus release), claudecode-timeout, and custom false-positive filtering or scan instruction files.
Architecture
The repository organizes runtime and tooling components into modules such as:
- github_action_audit.py: main script used by the GitHub Action
- prompts.py: templates for security audit prompts
- findings_filter.py: logic for reducing false positives
- claude_api_client.py: wrapper for calling Claude for filtering and analysis
- json_parser.py: robust parsing utilities
- evals/: tooling to evaluate the scanner on example PRs
Security Considerations & Limitations
- Prompt Injection Risk: The action's prompts are not hardened against prompt-injection attacks; running it on untrusted forks/workflows can be risky. The README recommends enabling repository protections such as "Require approval for all external contributors."
- Not a Complete Replacement: While the AI reduces false positives and provides contextual findings, it should complement — not fully replace — traditional SAST, dependency scanning, and human review for high-risk code.
- Timeout & Cost: Running Claude-based analyses has time and cost considerations; the action exposes timeouts and model selection to help manage this.
Benefits Over Traditional SAST
- Contextual reasoning reduces irrelevant alerts and provides clearer remediation steps.
- Targeted diff analysis reduces noise and focuses on recent changes.
- Configurability lets teams tune false-positive filtering to their security posture.
Usage Scenarios
- Integrate into CI to automatically surface security issues during code review.
- Run the repository's eval tooling locally to test the scanner against historical PRs.
- Combine with organizational policies to gate merges for higher-risk changes.
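A complete workflow that ties together the quick-start step, the prompt-injection caveat, and merge gating, as an added example (not the project's own file). The fork guard, the step id `review`, the `fetch-depth` value, and the gating step are assumptions chosen for illustration; the action inputs and the `findings-count` output are the ones named above.

```yaml
# Added example: .github/workflows/security.yml (not copied from the project).
name: Security Review

on:
  pull_request:

# Least privilege: read the code, write PR review comments, nothing else.
permissions:
  contents: read
  pull-requests: write

jobs:
  security:
    runs-on: ubuntu-latest
    # Assumption: skip PRs whose head branch lives in a fork, so diff content
    # from external contributors is not fed into the unhardened prompts.
    if: github.event.pull_request.head.repo.full_name == github.repository
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          fetch-depth: 2   # small fetch depth, as described under How It Works

      - uses: anthropics/claude-code-security-review@main
        id: review         # step id is an assumption, used by the gate below
        with:
          comment-pr: true
          upload-results: true
          claude-api-key: ${{ secrets.CLAUDE_API_KEY }}

      # Gate the merge: fail the job when the action reports any finding.
      - name: Fail on findings
        if: steps.review.outputs['findings-count'] != '0'
        env:
          # Pass the output via env instead of interpolating it into the script.
          FINDINGS: ${{ steps.review.outputs['findings-count'] }}
        run: |
          echo "Security review reported ${FINDINGS} finding(s)"
          exit 1
```

The failing job only blocks merges if it is configured as a required status check in branch protection; skipped fork PRs still need the "Require approval for all external contributors" setting and human review.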
Where to Find More Info
Anthropic provides a short blog post describing the integration and goals of Claude Code security automation; the repository itself includes README instructions, configuration docs, and a test suite to validate behavior.
