Anthropic released two new security features for Claude Code on August 6 that let developers check for vulnerabilities before code reaches production. The update includes a command-line tool for ad-hoc security reviews and a GitHub Actions integration that automatically scans pull requests.
The additions come as development teams face pressure to ship faster while maintaining code security. These tools aim to catch security issues earlier in the development process, when they’re simpler to fix.
Running Security Checks from the Terminal
The new /security-review command runs security analyses directly from your terminal. Developers can use it before committing code to check for potential vulnerabilities.
When you run the command, Claude scans your codebase and provides explanations for any security concerns it finds. The tool looks for common vulnerability patterns, including SQL injection, cross-site scripting (XSS), authentication and authorization flaws, insecure data handling, and dependency vulnerabilities.
After identifying issues, you can ask Claude Code to implement fixes. This approach keeps security reviews in the inner development loop rather than waiting for formal code reviews or production incidents.
Automated Pull Request Reviews
The GitHub Actions integration takes the security review process further by automatically analyzing every pull request when it opens. The action triggers on new PRs, reviews code changes for vulnerabilities, applies customizable rules to filter out false positives and known issues, and posts inline comments with concerns and recommended fixes.
This establishes a consistent baseline for security reviews across the team. The action integrates with existing CI/CD pipelines and can be customized to match your team’s security policies.
Real-World Results at Anthropic
Anthropic has been using these features internally to secure code before it ships to production. The company reports that the GitHub action has already caught vulnerabilities in its own codebase, including Claude Code itself.
One recent example involved a new feature for an internal tool that started a local HTTP server intended only for connections from the same machine. The GitHub action identified a remote code execution vulnerability that could be exploited via DNS rebinding. The team fixed it before merging the PR.
In another case, an engineer built a proxy system for secure credential management. The action flagged that the proxy was vulnerable to SSRF (Server-Side Request Forgery) attacks, and the team addressed the issue immediately.
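The DNS rebinding case above turns on a detail the article only names: a server that binds to loopback but never checks the Host header will still answer a browser request that a rebound DNS name steered to 127.0.0.1. The following is an added example, not code from the article or from Anthropic, showing the usual mitigation: a Host-header allowlist in front of a local HTTP server (the allowlist contents and port are assumptions).

```python
# Added example (not from the article or Anthropic's code): a Host-header
# allowlist for a local HTTP server, the standard mitigation for the DNS
# rebinding finding described in the article. Binding to 127.0.0.1 alone is
# not enough, because the attacker's domain can resolve to 127.0.0.1 and the
# browser will send Host: attacker.example with the request.
from http.server import BaseHTTPRequestHandler, HTTPServer

ALLOWED_HOSTS = {"localhost", "127.0.0.1", "[::1]"}  # assumed allowlist

def host_is_allowed(host_header, allowed=ALLOWED_HOSTS):
    """Return True only if the Host header names a loopback host.

    The optional :port is stripped; bracketed IPv6 literals are kept whole.
    A missing or empty Host header is rejected rather than trusted.
    """
    if not host_header:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):             # IPv6 literal, e.g. [::1]:8080
        end = host.find("]")
        if end == -1:
            return False
        host = host[:end + 1]
    else:
        host = host.split(":", 1)[0]      # drop optional :port
    return host in allowed

class LocalOnlyHandler(BaseHTTPRequestHandler):
    """Validates Host on every request, so a rebound DNS name is refused."""

    def do_GET(self):
        if not host_is_allowed(self.headers.get("Host")):
            self.send_error(403, "Host header not allowed")
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"ok\n")

if __name__ == "__main__":
    # Loopback bind plus the Host check above; port 8080 is an assumption.
    HTTPServer(("127.0.0.1", 8080), LocalOnlyHandler).serve_forever()
```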
“Anthropic may not be first to add automated security review to an AI coding workflow, but that framing misses the point. What matters is how tightly security has been pulled into the agentic development loop. By running security analysis from the terminal and enforcing it on every pull request, Claude Code treats vulnerability detection as part of code generation itself. In practice, this opens the door to agents reviewing, and in some cases correcting, code before a developer ever sees or commits it,” according to Mitch Ashley, VP and practice lead, software lifecycle engineering, The Futurum Group.
“This is an important signal for where AI-native development is heading. As agents take on more responsibility for producing and modifying code, security cannot remain a downstream checkpoint. It has to be embedded into the same control loop that plans, writes, and iterates on software.”
How Teams Can Use This
The features work best when integrated into existing development workflows. Teams can use the terminal command for quick checks during active development, while the GitHub action provides a safety net for all code before it merges.
The customizable filtering rules help reduce alert fatigue by letting teams define which issues matter most for their specific context. This matters for development teams that need to balance security with velocity.
Both features are now available to all Claude Code users. The /security-review command requires updating Claude Code to the latest version and can be customized through the documentation. The GitHub action setup includes step-by-step instructions for installation and configuration.
What This Means for DevOps Teams
Automated security reviews address a persistent challenge in modern development: catching security issues without slowing down delivery. Traditional security reviews often happen late in the development cycle, when fixes are more expensive and disruptive.
By moving security checks earlier—into the terminal and the pull request process—teams can maintain velocity while reducing the risk of shipping vulnerabilities. The approach fits with the broader shift toward “shifting left” on security, where security concerns are addressed earlier in the development lifecycle.
The real test will be how well these tools perform across different codebases and development environments. Anthropic’s own use cases demonstrate the system can catch real vulnerabilities, but adoption will depend on accuracy, false-positive rates, and how well the tools integrate with existing security processes.
For teams already using Claude Code, the new features represent a straightforward way to add security checks without changing workflows. For others, it’s another data point in the ongoing evolution of AI-assisted development tools.