Language: 日本語English

security-guidance Plugin

Author
Anthropic
Category
Security
Topics
Security, Auth & Compliance · Claude Code Customization & Workflow · Code Quality, Review & Testing
Version
2.0.6
First seen
2026-07-09
Last confirmed
2026-07-13
Explanation last updated
2026-07-12

The explanation below is AI-generated. Please verify it against the sources.

security-guidance is a Claude Code plugin that reviews Claude-generated code for security issues across three layers: instant regex-based pattern warnings on Edit/Write, an LLM-powered diff review that runs when Claude finishes a turn, and an agentic commit reviewer that traces data flow across files on git commit. According to the README, it flags common vulnerability classes such as injection, XSS, SSRF, hardcoded secrets, IDOR, auth bypass, unsafe deserialization, and path traversal. It is installed via '/plugin install security-guidance@claude-plugins-official' and is enabled by default in the marketplace, requiring only the Claude Code CLI (≥ v2.1.144) and Python 3.8+. The README explicitly states this is a best-effort assistive tool, not a substitute for human code review, SAST/DAST, dependency scanning, or pen-testing, and no warranty is provided.

Overview

According to the README, security-guidance is a Claude Code plugin (not a standalone SaaS) that adds automated security review to the coding workflow via pattern matching, an LLM-based diff review call, and an SDK-driven agentic commit reviewer.

What you can do with security-guidance

  • Get instant regex-based warnings on Edit/Write for ~25 known-dangerous patterns (e.g., yaml.load, torch.load(weights_only=False), pickle.load on untrusted data, raw innerHTML, hardcoded secrets)
  • Receive an LLM diff review (Opus 4.7 by default) when Claude finishes a turn, with high-severity findings fed back to Claude before the response is shown
  • Run an agentic commit reviewer on git commit that reads related files (Read/Grep/Glob) to catch multi-file issues like IDOR, auth bypass, and cross-file SSRF
  • Configure model selection (SECURITY_REVIEW_MODEL, SG_AGENTIC_MODEL) and enable/disable individual layers via environment variables
  • Enable a higher-recall dual-review mode (SG_DUAL_OR) at roughly 2x API cost
  • Add org- or project-specific rules via a claude-security-guidance.md file (user, project, and local variants)
  • Review privacy handling: diffs and file contents are sent to a model endpoint (api.anthropic.com by default, or a configured gateway/3P provider), and a local debug log is kept at ~/.claude/security/log.txt without full file contents or prompts
  • Silence specific findings with inline code comments explaining why a line is safe

Sources

Original description (English)

Security review for Claude-generated code. Pattern-based warnings on edits, LLM-powered diff review on Stop, and an agentic commit reviewer that catches injection, XSS, SSRF, hardcoded secrets, and 25+ other vulnerability classes.

History of security-guidance

Back to list