Claude Code Security Reviewer
An AI-powered security review GitHub Action using Claude to analyze code changes for security vulnerabilities. This action provides intelligent, context-aware security analysis for pull requests using Anthropic's Claude Code tool for deep semantic security analysis. See our blog post here for more details.
Features
- AI-Powered Analysis: Uses Claude's advanced reasoning to detect security vulnerabilities with deep semantic understanding
- Diff-Aware Scanning: For PRs, only analyzes changed files
- PR Comments: Automatically comments on PRs with security findings
- Contextual Understanding: Goes beyond pattern matching to understand code semantics
- Language Agnostic: Works with any programming language
- False Positive Filtering: Advanced filtering to reduce noise and focus on real vulnerabilities
Quick Start
Add this to your repository's .github/workflows/security.yml:
name: Security Review
permissions:
pull-requests: write # Needed for leaving PR comments
contents: read
on:
pull_request:
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha || github.sha }}
fetch-depth: 2
- uses: anthropics/claude-code-security-review@main
with:
comment-pr: true
claude-api-key: ${{ secrets.CLAUDE_API_KEY }}
Security Considerations
This action is not hardened against prompt injection attacks and should only be used to review trusted PRs. We recommend configuring your repository to use the "Require approval for all external contributors" option to ensure workflows only run after a maintainer has reviewed the PR.
Configuration Options
Action Inputs
| Input | Description | Default | Required |
|---|
claude-api-key | Anthropic Claude API key for security analysis.
Note: This API key needs to be enabled for both the Claude API and Claude Code usage. | None | Yes |
comment-pr | Whether to comment on PRs with findings | true | No |
upload-results | Whether to upload results as artifacts | true | No |
exclude-directories | Comma-separated list of directories to exclude from scanning | None | No |
claude-model | Claude model name to use. Defaults to Opus 4.1. | claude-opus-4-1-20250805 | No |
claudecode-timeout | Timeout for ClaudeCode analysis in minutes | 20 | No |
run-every-commit | Run ClaudeCode on every commit (skips cache check). Warning: May increase false positives on PRs with many commits. | false | No |
false-positive-filtering-instructions | Path to custom false positive filtering instructions text file | None | No |
custom-security-scan-instructions | Path to custom security scan instructions text file to append to audit prompt | None | No |
Action Outputs
| Output | Description |
|---|
findings-count | Total number of security findings |
results-file | Path to the results JSON file |
How It Works
Architecture
claudecode/
├── github_action_audit.py # Main audit script for GitHub Actions
├── prompts.py # Security audit prompt templates
├── findings_filter.py # False positive filtering logic
├── claude_api_client.py # Claude API client for false positive filtering
├── json_parser.py # Robust JSON parsing utilities
├── requirements.txt # Python dependencies
├── test_*.py # Test suites
└── evals/ # Eval tooling to test CC on arbitrary PRs
Workflow
- PR Analysis: When a pull request is opened, Claude analyzes the diff to understand what changed
- Contextual Review: Claude examines the code changes in context, understanding the purpose and potential security implications
- Finding Generation: Security issues are identified with detailed explanations, severity ratings, and remediation guidance
- False Positive Filtering: Advanced filtering removes low-impact or false positive prone findings to reduce noise
- PR Comments: Findings are posted as review comments on the specific lines of code
Security Analysis Capabilities
Types of Vulnerabilities Detected