Claude Code Security-Guidance Plugin: AI-Powered Vulnerability Detection with 30-40% Reduction in PR Security Issues
Anthropic launched the security-guidance plugin for Claude Code in May 2026, catching vulnerabilities across three review levels—file edits, model turns, and commits. Available for all Claude Code users via /plugins, it runs via hooks and enforces org-specific rules through claude-security-guidance.md files.
On May 27, 2026, Anthropic announced the security-guidance plugin for Claude Code—an AI-powered code review tool that catches security vulnerabilities before they reach production. The plugin reviews code across three distinct levels: on file edits, after model turns, and on commits, providing comprehensive security coverage throughout the development workflow.
Available for all Claude Code users through the plugin marketplace (/plugins), the security-guidance plugin represents a significant step forward in automated security review. According to Anthropic's internal data, teams using the plugin have seen a 30-40% reduction in security-related PR comments, demonstrating its effectiveness as a lightweight first pass before human review.
This article breaks down how the security-guidance plugin works, the three review levels it operates on, how to customize it with org-specific rules, and where it fits in your security workflow.
What the security-guidance plugin does
The security-guidance plugin is designed to identify security vulnerabilities automatically as you write code, providing immediate feedback on potential issues before they make it into pull requests or production.
Unlike traditional static analysis tools that run at specific checkpoints, the security-guidance plugin operates continuously throughout your development workflow, catching issues at three critical moments:
On file edits — Looks for risky patterns like commonly misused dangerous libraries
After model turns — Reviews the full diff for harder-to-spot security issues
On commits — Reads surrounding code to validate vulnerabilities in context
This multi-level approach ensures that security issues are caught early and validated thoroughly, reducing false positives while maintaining high detection rates.
When you edit a file in Claude Code, the security-guidance plugin immediately scans for risky patterns and dangerous libraries. This level focuses on catching obvious security anti-patterns:
Use of dangerous or deprecated libraries known for security issues
Common security mistakes like hardcoded credentials
Risky API patterns that often lead to vulnerabilities
Known vulnerable code patterns from CVE databases
The file-edit review runs in near real-time, providing instant feedback as you code. This is the fastest and lightest review level, designed to catch low-hanging fruit before you've invested significant time in a particular approach.
Level 2: Model turn review
After Claude Code completes a response or makes changes, the security-guidance plugin performs a comprehensive diff review. This level examines the full context of changes:
Cross-file security implications
Subtle vulnerabilities that emerge from code interactions
Authentication and authorization flow issues
Data validation and sanitization gaps
Race conditions and timing vulnerabilities
The model turn review is more computationally intensive than file-edit review but provides deeper analysis by understanding how different parts of your codebase interact. This level catches issues that might not be obvious when looking at individual file changes in isolation.
Level 3: Commit review
Before you commit code, the security-guidance plugin performs its most thorough review, reading surrounding code to validate potential vulnerabilities in full context:
Validates whether flagged issues are actual vulnerabilities or false positives
Examines how new code integrates with existing security controls
Checks for bypass possibilities in authentication/authorization
Verifies that security assumptions hold across the codebase
Provides detailed remediation guidance
The commit review level has access to the broadest context and performs verification steps to ensure that reported findings are genuine security issues rather than style suggestions or theoretical concerns.
Installation and setup
Installing the security-guidance plugin is straightforward:
Open Claude Code (CLI or Desktop)
Run/plugins to access the plugin marketplace
Find the security-guidance plugin
Install with one click
The plugin is available for all Claude Code users—no special subscription tier required. After installation, it runs automatically via Claude Code's hook system, requiring no additional configuration for basic operation.
To verify the plugin is active, check your hooks configuration or look for security guidance in your next code review.
Customizing with org-specific rules
One of the most powerful features of the security-guidance plugin is organization-specific customization. You can enforce your team's security policies alongside the built-in checks by creating a claude-security-guidance.md file.
Creating a claude-security-guidance.md file
The claude-security-guidance.md file allows you to define custom security rules, coding standards, and prohibited patterns specific to your organization:
markdown
# Security Guidance for [Your Organization]## Prohibited Libraries- Never use `eval()` or `Function()` constructor
- Avoid deprecated crypto libraries (md5, sha1 for passwords)
## Authentication Requirements- All API endpoints must use OAuth 2.0 or JWT
- Session tokens must be HttpOnly and Secure
## Data Validation- All user input must be validated with Zod schemas
- SQL queries must use parameterized statements only
## Secret Management- Never commit .env files
- Use AWS Secrets Manager for production secrets
Distribution options
You can distribute your claude-security-guidance.md file in two ways:
Repository-level — Place the file in your repository root; the plugin will automatically detect and enforce it
Organization-level — Distribute via Mobile Device Management (MDM) or configuration management to enforce consistent rules across all repositories
The plugin merges your custom rules with built-in security checks, providing comprehensive coverage tailored to your organization's security posture.
Performance impact and results
According to Anthropic's announcement, the security-guidance plugin has been tested extensively in internal production environments:
30-40% reduction in security-related PR comments
Serves as a lightweight first pass before human review
Catches issues that would otherwise reach code review
Reduces back-and-forth in pull requests
The plugin is designed to be fast and non-intrusive, running in the background without slowing down your development workflow. The three-level review system ensures that you get feedback at the right time—immediate for obvious issues, thorough for subtle problems.
How hooks enable the plugin
The security-guidance plugin operates through Claude Code's hook system, which allows plugins to intercept and respond to events like file edits, model responses, and commits.
Hooks provide several advantages:
Automatic execution — No manual invocation required
Context awareness — Hooks see the full context of changes
Flexible configuration — Users can enable/disable specific hook points
Plugin ecosystem — Standardized interface for all security plugins
If you encounter issues or want to adjust plugin behavior, you can modify hook settings in your Claude Code configuration.
Comparison with other security tools
The security-guidance plugin complements rather than replaces traditional security tools:
Tool type
Timing
Scope
Best for
Security-guidance plugin
During development
Full context + AI reasoning
Early detection, developer education
Static analysis (ESLint, Bandit)
Pre-commit, CI
Pattern matching
Known vulnerabilities, code style
Dynamic analysis (OWASP ZAP)
Testing phase
Runtime behavior
Integration vulnerabilities
Human review
PR stage
Business logic, threat modeling
Complex security decisions
The plugin excels at catching issues during active development, when fixes are cheapest and easiest. It works alongside static analysis tools, providing AI-powered reasoning that goes beyond pattern matching.
When to use the security-guidance plugin
The security-guidance plugin is particularly valuable in these scenarios:
explainx.ai perspective: security as a development workflow
At explainx.ai, we teach AI agent development, MCP integration, and security best practices. The security-guidance plugin represents a shift we've been advocating: security as a natural part of the development workflow, not a gate at the end.
Key principles:
Early detection — Fix issues when they're easiest to address
Developer education — Learn secure patterns as you code
Customizable enforcement — Align tools with your security posture
Layered defense — Combine automated tools with human expertise
The 30-40% reduction in security PR comments is significant, but the real value is cultural: teams that get immediate security feedback develop better instincts over time.