Most security tooling waits until code is finished before it complains. Static analysis fires in CI, dependency scanners run on a schedule, and a human reviewer eventually flags the SQL string you built with string concatenation. By then the vulnerable code is already written, committed, and sitting in a pull request. Anthropic's new security-guidance plugin for Claude Code moves that check all the way to the left, into the moment the code is being written, and has Claude fix what it finds before you ever see a PR.
The plugin shipped during the week of May 25-29, 2026, alongside Claude Opus 4.8 (released May 28). It is a free, official Anthropic plugin that makes Claude review its own changes for common vulnerabilities and remediate them in the same session. There is nothing to invoke once it is installed; it runs automatically on every edit, turn, and commit.
What it actually does
The plugin reviews Claude's work at three points, each at a different depth. This layering is the whole design: cheap checks run constantly, expensive checks run rarely.
| Layer | When it runs | How deep | Cost |
|---|---|---|---|
| Per-edit pattern check | After every file write | Deterministic string/regex match, no model call | Free |
| End-of-turn review | After each turn Claude completes | Background model review of the turn's full git diff | Model usage |
| Commit/push review | When Claude runs git commit or git push | Agentic review that reads surrounding code | Model usage |
The per-edit check is a fast pattern match for risky calls. It flags things like eval(, new Function, os.system, child_process.exec, pickle, dangerouslySetInnerHTML, .innerHTML =, and edits under .github/workflows/ (which can quietly grant repository-level permissions). Because it is a plain string match with no model involved, it adds no usage cost and works even outside a git repo.
The end-of-turn review computes a git diff of everything that changed during the turn, including edits, Bash commands, and subagent work, then hands it to a separate Claude review focused on security. This catches what a string match cannot: authorization bypass, insecure direct object references, injection, server-side request forgery, and weak cryptography. It runs in the background so your reply is not delayed, covers up to 30 changed files per turn, and re-prompts Claude with any findings to fix as a follow-up.
The commit/push review is the deepest layer. When Claude commits or pushes through its Bash tool, an agentic reviewer reads callers, sanitizers, and related files to decide whether a finding is real before reporting it. That extra context is what keeps false positives down on patterns that look dangerous in isolation but are safe in your codebase. It is capped at 20 reviews per rolling hour.
Importantly, the reviewer is never the same Claude instance that wrote the code. The model-backed layers run as a separate call with fresh context and a security-focused prompt, so the reviewer starts from the diff with no investment in the original approach. None of the layers block writes or commits; findings reach the writing Claude as instructions to fix.
Why it matters for an MSP
The headline number from Anthropic's internal rollout: a 30-40% decrease in security-related comments on pull requests. That is the shift-left thesis made concrete. Every vulnerability caught in the editor is one that never consumes a reviewer's attention, never blocks a merge, and never ships.
For teams that already treat AI-generated code with appropriate suspicion (see our take on AI coding best practices), this is a useful counterweight. The same model that can introduce a subtle injection bug at speed now gets a second, adversarial pass at catching it. It pairs naturally with dynamic workflows, where Claude is making sweeping changes across many files and a per-turn security review keeps the blast radius honest.
Just be clear about what it is not. Anthropic explicitly frames the plugin as one layer in defense in depth, not a replacement for SAST. Here is how it slots into a real stack:
| Stage | Tool | What it covers |
|---|---|---|
| In session | Security-guidance plugin | Common vulns in code Claude writes, fixed same session |
| On demand | /security-review | One-time pass on the current branch |
| On pull request | Code Review (Team/Enterprise) | Multi-agent review with full codebase context |
| In CI | Your existing SAST + dependency scanners | Language rules, supply-chain, policy enforcement |
Each later stage catches what earlier ones miss. The plugin's value is reducing the volume that reaches them.
Who can use it, and what you need
The plugin is available on all Claude Code plans. Prerequisites:
- Claude Code CLI version 2.1.144 or later
- Python 3.8 or later on your PATH (it tries python3, python, then py -3)
- A git repository for the directory you work in (the end-of-turn and commit reviews diff against git state; the per-edit check works anywhere)
On first run it creates a virtualenv under ~/.claude/security/ and installs the Claude Agent SDK, which needs pip and network access. If that fails, the commit review falls back to a single-shot review. By default both model-backed reviews use Claude Opus 4.7; you can override with SECURITY_REVIEW_MODEL and SG_AGENTIC_MODEL.
How to install and configure it
Install from the official Anthropic marketplace inside a session:
/plugin install security-guidance@claude-plugins-official
/reload-plugins
If Claude Code says the marketplace is not found, add it first with /plugin marketplace add anthropics/claude-plugins-official, then retry. Choose user scope so it loads in every new local session on the machine.
User-scoped plugins do not carry into Claude Code on the web or to teammates who clone the repo. To enable it for everyone, check it into the project's settings:
{
  "enabledPlugins": {
    "security-guidance@claude-plugins-official": true
  }
}
Administrators can enforce it org-wide via enabledPlugins in managed settings.
Org-specific rules and MDM distribution
This is where the plugin earns its keep for a managed environment. Create .claude/claude-security-guidance.md and write your threat model and review checklist in plain English. The model-backed reviews load it alongside the built-in checklist:
# Security guidance for this repo
- Do not log `customer_id` or `account_number` at INFO level or above.
- All routes under `/admin` must call `require_role("admin")` before any database read.
- Use `crypto.timingSafeEqual` for token comparison instead of `===`.
The plugin reads three locations and concatenates them (combined cap 8 KB):
| Scope | Path |
|---|---|
| User | ~/.claude/claude-security-guidance.md |
| Project | .claude/claude-security-guidance.md |
| Project local | .claude/claude-security-guidance.local.md (gitignored) |
To roll a single policy across an entire fleet, push the user-scope file to ~/.claude/ through your device management (MDM) tooling. Every engineer's Claude Code then enforces the same rules without anyone touching a repo. For deterministic per-edit rules, add a .claude/security-patterns.yaml (or .json) with regex/substring patterns, path globs, and custom reminders.
One caveat worth repeating to your team: the guidance file is additive and advisory. A rule that says "ignore this vulnerability class" will not suppress those findings, and none of it hard-blocks a write. For real enforcement, pair it with a hook that blocks the edit or a CI gate.
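A hook that does block, as an added example (not the plugin's own code or Anthropic's): it applies the per-edit substring list quoted earlier, but as a hard gate. It assumes registration as a Claude Code PreToolUse hook matching Write, Edit and MultiEdit, with the event arriving as JSON on stdin and exit code 2 rejecting the tool call; the choice to block on every hit is this example's policy, not the plugin's.

```python
#!/usr/bin/env python3
"""Blocking PreToolUse hook: added example, not the plugin's implementation."""
import json
import sys

# Substrings the article lists for the plugin's per-edit check.
RISKY = ["eval(", "new Function", "os.system", "child_process.exec",
         "pickle", "dangerouslySetInnerHTML", ".innerHTML ="]
# Path rule from the article: workflow edits can change repository permissions.
RISKY_PATH = ".github/workflows/"


def new_text(tool_name, tool_input):
    """Return the text a Write/Edit/MultiEdit call would add to the file."""
    if tool_name == "Write":
        return tool_input.get("content", "")
    if tool_name == "Edit":
        return tool_input.get("new_string", "")
    if tool_name == "MultiEdit":
        return "\n".join(e.get("new_string", "") for e in tool_input.get("edits", []))
    return ""


def findings(event):
    """List (line_no, pattern) hits; line_no 0 means the path rule fired."""
    tool_input = event.get("tool_input", {})
    path = tool_input.get("file_path", "").replace("\\", "/")
    hits = []
    if RISKY_PATH in path:
        hits.append((0, RISKY_PATH))
    text = new_text(event.get("tool_name", ""), tool_input)
    for no, line in enumerate(text.splitlines(), 1):
        # Plain substring match: it also fires on comments and strings.
        hits += [(no, p) for p in RISKY if p in line]
    return hits


def main():
    hits = findings(json.load(sys.stdin))
    if not hits:
        return 0  # allow the tool call
    for no, pat in hits:
        print(f"blocked: {pat!r} at added line {no}", file=sys.stderr)
    return 2  # exit code 2 blocks the call; stderr is fed back to Claude


if __name__ == "__main__":
    sys.exit(main())
```

Because the match is purely textual, a comment that merely mentions `eval(` is rejected too, which is the false-positive cost the plugin avoids by keeping this layer advisory and leaving context to the model-backed reviews.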
Turning layers off
You can disable layers independently with environment variables: ENABLE_PATTERN_RULES=0, ENABLE_STOP_REVIEW=0, ENABLE_COMMIT_REVIEW=0, ENABLE_CODE_SECURITY_REVIEW=0 (all model reviews), or SECURITY_GUIDANCE_DISABLE=1 to switch the whole thing off without uninstalling.
The bottom line
The security-guidance plugin is a genuinely useful shift-left control: free, automatic, and built on the same hooks system you could write yourself. It will not replace your SAST scanner, your PR review, or human judgment, and Anthropic is refreshingly direct about that. But a 30-40% drop in security PR comments is a real reduction in reviewer load, and the ability to ship one claude-security-guidance.md policy across an entire fleet via MDM makes it practical for managed environments. If your team is already writing code with Claude, install it, codify your house rules in the guidance file, and treat it as the first layer in a defense-in-depth stack, not the last.