On August 6, 2025 Anthropic launched a feature to automate security reviews inside Claude Code: now you can ask the assistant to look for vulnerabilities from your terminal and also integrate it into GitHub Actions to scan every pull request. Sounds like magic? It's really a practical layer to catch issues before they reach production. (anthropic.com)
What this update brings
The main addition is the /security-review command, which you can run in your project directory for Claude to analyze your code for common risks (SQL injection, XSS, authentication flaws, unsafe data handling, and vulnerable dependencies). And it doesn't just point out problems: when you allow it, the assistant can suggest or even apply fixes. (anthropic.com)
Another important piece is the GitHub Action for Claude Code. Once set up, the action triggers on every new pull request, analyzes the changes, applies customizable rules to reduce false positives, and leaves inline comments on the PR with findings and clear recommendations. That turns a one-off security check into an automated, repeatable process. (anthropic.com)
How it fits into your workflow
Think of two everyday moments in development: before you commit and when you open a pull request. In the first case you run /security-review from the terminal for a quick check. In the second, the GitHub Action joins your CI/CD pipeline and automatically reviews each PR, informing the team where it matters.
This approach keeps security in the developer inner loop: you spot and fix issues while they're still small and cheap to resolve. (anthropic.com)
Real examples (yes, it happened at Anthropic)
Anthropic says that using the action internally they already found real vulnerabilities before merging code. One case was a remote code execution risk via DNS rebinding on a local HTTP server; another was an SSRF issue in a credential-management proxy. These are concrete examples of how automated review prevents costly mistakes. (anthropic.com)
Automating doesn't mean trusting blindly: it means integrating constant checks that alert you and let you decide. The tool suggests, you choose.
How to get started today
- Update Claude Code to the latest version and run /security-review in your project for ad-hoc checks. (anthropic.com)
- Install the GitHub Action so it automatically reviews pull requests, and configure it according to your team's rules (filters for false positives, exclusions, etc.). (anthropic.com)
- Check the documentation and examples in the official announcement for detailed steps and customization options: Anthropic announcement. (anthropic.com)
What this changes for you
If you're a developer or are responsible for infrastructure, it reduces the manual work of reviewing PRs and puts a proactive barrier in front of common vulnerabilities. If you work in a small team, it's a way to bring in security best practices without hiring a dedicated team.
It's not a silver bullet against bugs or insecure design, but it is a tool that embeds security reviews into your daily development rhythm: fewer surprises, more control.
Closing reflection
Security is no longer just the auditor's task at the end of the cycle: with /security-review and the GitHub Action, it becomes an integrated responsibility you can automate. Isn't that exactly what modern development needs? If you want, I can help translate these steps into a practical checklist for your repository.