Overview
Anthropic has announced automated security reviews for Claude Code, delivered through a new /security-review terminal command and a GitHub Action. The release is framed around integrating security checks into existing development workflows. According to the post, both features are available now for Claude Code users. No pricing information was provided. The announcement was published on August 6, 2025 at https://www.anthropic.com/news/automate-security-reviews-with-claude-code.
Terminal-based reviews with /security-review
The /security-review command enables ad-hoc analyses from the terminal prior to committing code. When invoked in a project directory, Claude Code scans the codebase for potential vulnerabilities and returns explanations of issues it finds.
Anthropic states the command uses a security-focused prompt to check for common vulnerability patterns, including SQL injection, XSS, authentication and authorization flaws, insecure data handling, and dependency vulnerabilities. After surfacing issues, Claude Code can be asked to implement fixes for each finding. The intent is to keep security checks in the inner development loop so issues are addressed earlier in the process.
Documentation for customizing the command is linked from the announcement.
Automated PR checks with a GitHub Action
A new GitHub Action extends the same approach to pull requests. When configured, it runs automatically on newly opened PRs, reviews code changes for security risks, and posts inline comments with concerns and recommendations. The action supports customizable rules intended to reduce false positives and filter known issues. Anthropic notes it integrates with existing CI/CD pipelines and can be tailored to team security policies.
Installation and configuration details are in the README of the action's repository: https://github.com/anthropics/claude-code-security-review
Early use within Anthropic
Anthropic reports internal adoption of these features across its engineering teams, including on Claude Code itself. The post cites two examples:
- A feature for an internal tool started a local HTTP server intended to accept only local connections. The GitHub Action flagged a remote code execution risk exploitable via DNS rebinding (a malicious web page re-points its own hostname to 127.0.0.1 so the victim's browser can reach the loopback-bound server), which was addressed before the PR merged.
- A proxy for managing internal credentials was automatically flagged for SSRF exposure, which was subsequently fixed.
The company characterizes these cases as instances where the automated checks identified issues prior to release.
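The two defect classes cited above, as an added example that is not Anthropic's code and not the code the action reviewed: a loopback-bound HTTP server hardened against DNS rebinding with a Host-header check, and an SSRF guard for a proxy that forwards internal credentials. The hostnames, port, allow-lists and the injected DNS lookup are assumptions made for the example.

```python
import ipaddress
import socket
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# --- Case 1: local HTTP server reachable via DNS rebinding -------------------
# A server bound to 127.0.0.1 is still reachable from a web page if the
# attacker's DNS name is re-pointed at 127.0.0.1 after the page loads: the
# browser then sends requests whose Host header is the attacker's name.
# Checking Host against the names the server is meant to answer for is the
# usual fix. The accepted host list and listen port are assumptions.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "[::1]"}


def is_trusted_host(host_header):
    """Return True only if the Host header names this loopback server."""
    if not host_header:
        return False
    host = host_header.strip().lower()
    # Drop an optional :port, keeping bracketed IPv6 literals intact.
    if host.startswith("["):
        host = host.split("]", 1)[0] + "]"
    else:
        host = host.split(":", 1)[0]
    return host in ALLOWED_HOSTS


class LocalOnlyHandler(BaseHTTPRequestHandler):
    """Minimal handler that refuses rebinding traffic before doing any work."""

    def do_GET(self):
        if not is_trusted_host(self.headers.get("Host")):
            self.send_error(403, "unexpected Host header")
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"local tool: ok\n")


# --- Case 2: credential proxy with SSRF exposure -----------------------------
# A proxy that attaches internal credentials must not let the caller pick the
# destination. Allow-list the upstream names (assumed here), require https,
# and refuse addresses SSRF typically targets (loopback, link-local such as
# cloud metadata endpoints) even when an allow-listed name resolves to them.
ALLOWED_UPSTREAMS = {"vault.internal.example"}


def is_safe_upstream(url, resolve=socket.gethostbyname):
    """Return True only if the proxy may forward credentials to this URL."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname is None:
        return False
    # urlsplit().hostname ignores userinfo, so "https://allowed@evil/" is
    # judged by "evil", not by the allowed name in front of the "@".
    if parts.hostname.lower() not in ALLOWED_UPSTREAMS:
        return False
    try:
        addr = ipaddress.ip_address(resolve(parts.hostname))
    except (OSError, ValueError):
        return False
    return not (addr.is_loopback or addr.is_link_local or addr.is_unspecified)


if __name__ == "__main__":
    # Run the hardened local server on an assumed port; exercise it with
    #   curl -H 'Host: attacker.example' http://127.0.0.1:8765/   (403)
    #   curl http://127.0.0.1:8765/                                (200)
    HTTPServer(("127.0.0.1", 8765), LocalOnlyHandler).serve_forever()
```

The Host check is deliberately exact-match rather than suffix-based: a rebinding page controls the full hostname, so anything short of an allow-list of the literal names the server expects leaves a gap. The SSRF guard resolves the name itself rather than trusting the caller's URL, since an allow-listed name can be re-pointed at a metadata or loopback address after the allow-list check passes.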
Getting started and availability
Anthropic says both features are available now to all Claude Code users:
- For the terminal command: update to the latest version of Claude Code and run /security-review in the project directory. Customization details are in the command documentation.
- For the GitHub Action: follow the setup and configuration steps in the repository’s README.
No pricing changes or tiers were mentioned. The announcement was published August 6, 2025.
TL;DR
- New in Claude Code: /security-review command for terminal-based scans and a GitHub Action for PR reviews
- Checks for patterns such as SQL injection, XSS, auth issues, insecure data handling, and dependency risks
- PR action posts inline comments, supports customizable rules, and integrates with CI/CD
- Anthropic cites internal detections including DNS rebinding leading to RCE and SSRF
- Available now; documentation: https://github.com/anthropics/claude-code-security-review
- Price: not disclosed