Claude Code ships a security-guidance plugin for in-session vulnerability checks
Anthropic shipped an official security-guidance plugin for Claude Code. It runs automatic vulnerability checks while Claude edits files, at the end of each turn, and when Claude runs commits or pushes through its Bash tool.
Anthropic shipped an official security-guidance plugin for Claude Code, designed to catch common vulnerabilities while Claude is writing and editing code, and to help fix issues in the same session. Source: ClaudeDevs announcement.
What’s new
Once installed, the plugin runs automatically and reviews Claude’s changes at multiple points (lightweight checks on every edit, plus deeper reviews at end-of-turn and on Claude-run commits/pushes). Source: Claude Code security guidance docs.
The goal is to surface issues like injection risks, unsafe deserialization, and unsafe DOM APIs before they make it into a pull request. Source: Claude Code security guidance docs.
How to install
In a Claude Code session, install the plugin from Anthropic’s official marketplace:
`/plugin install security-guidance@claude-plugins-official`
Then activate it in the current session:
`/reload-plugins`
Source: Claude Code security guidance docs.
Requirements and notes
- Claude Code CLI 2.1.144 or later
- Python 3.8+ on your PATH
- A git repository in the directory you’re working in (some reviews rely on diffs against git state)
Source: Claude Code security guidance docs.
The docs also note that on first run the plugin creates a virtual environment under ~/.claude/security/ and installs the Claude Agent SDK into it, which requires pip and network access. Source: Claude Code security guidance docs.
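A preflight check for the prerequisites listed above, as an added example that is not part of the plugin or Anthropic's docs. It assumes `claude --version` and `python3 --version` print a dotted version number and that Python is invoked as `python3`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: preflight for the prerequisites listed above.
# Assumptions: `claude --version` and `python3 --version` print a dotted version.

# version_ge A B: succeed when dotted version A >= B, compared per component.
version_ge() {
  va=$1; vb=$2
  while [ -n "$va" ] || [ -n "$vb" ]; do
    x=${va%%.*}; y=${vb%%.*}
    if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
    if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
    case $va in *.*) va=${va#*.} ;; *) va= ;; esac
    case $vb in *.*) vb=${vb#*.} ;; *) vb= ;; esac
  done
  return 0
}

# extract_version TEXT: print the first dotted number found in TEXT.
extract_version() {
  printf '%s\n' "$1" | grep -Eo '[0-9]+(\.[0-9]+)+' | head -n 1
}

# check_min_version LABEL VERSION_OUTPUT MINIMUM
check_min_version() {
  found=$(extract_version "$2")
  if [ -n "$found" ] && version_ge "$found" "$3"; then
    echo "ok    $1 $found (need >= $3)"
  else
    echo "FAIL  $1 ${found:-not found} (need >= $3)"
    return 1
  fi
}

preflight() {
  rc=0
  check_min_version "Claude Code CLI" "$(claude --version 2>/dev/null)" 2.1.144 || rc=1
  check_min_version "Python" "$(python3 --version 2>/dev/null)" 3.8 || rc=1
  if python3 -m pip --version >/dev/null 2>&1; then echo "ok    pip"
  else echo "FAIL  pip (needed for the first-run virtual environment)"; rc=1; fi
  if git rev-parse --is-inside-work-tree >/dev/null 2>&1; then echo "ok    git repository"
  else echo "FAIL  current directory is not inside a git repository"; rc=1; fi
  return "$rc"
}

# Run the checks only when asked, e.g. `sh preflight.sh --check`.
if [ "${1:-}" = "--check" ]; then preflight; fi
```

Version components are compared numerically, so 2.1.99 is treated as older than 2.1.144. The script does not test network access, which the first run also needs.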
When to use it
If you’re already letting Claude Code make multi-file edits or run refactors, this plugin is a low-friction way to add security review earlier in the workflow — before PR review, CI scanning, or human security review. Source: Claude Code security guidance docs.
Frequently Asked Questions
What is the Claude Code security-guidance plugin?
Security guidance is an official Claude Code plugin that reviews Claude’s code changes for common vulnerabilities and prompts Claude to fix issues in the same session.
How do you install the security-guidance plugin in Claude Code?
From a Claude Code session, run `/plugin install security-guidance@claude-plugins-official`, then run `/reload-plugins` to apply the plugin in the current session.
What are the prerequisites for the security-guidance plugin?
Anthropic’s docs list Claude Code CLI 2.1.144+, Python 3.8+ on your PATH, and working inside a git repository (some review layers diff against git state).