Do Claude Code Security Reviews Measure Up?

If there’s anything that gives a seasoned application security (AppSec) professional indigestion these days, it’s the thought of AI-assisted coding layered on top of an already insecure development pipeline. The cherry on top is that an increasing amount of this work is being done to support agentic artificial intelligence (AI) and other AI-centered applications — all of which are introducing novel vulnerabilities via new attack surfaces, like the Modern Context Protocol (MCP).

It’s a veritable threat sundae, but most security pros will have to choke it down if they want to stay relevant in today’s business environment.

“Today, everyone in product and engineering should be paranoid-worried that their lunch is going to be eaten by someone who is doing it faster with AI,” says Larry Maccherone, a longtime DevSecOps advocate who’s currently building a stealth-mode startup, Transformation.dev, aimed at security at speed. “They’ve been ingrained to slow down so they can do it more securely, but if it doesn’t accelerate development, they’re probably not going to do it right now. And I’m maybe among 1% of the people in security who will say that’s the right business decision.”

The good news is that, despite the trouble AI-assisted coding is introducing to the software engineering ecosystem, it also has the potential to help AppSec teams make significant headway on issues that have lingered for years, potentially heading off risks emerging from vibe-coding patterns. 

Related:Minimal, Hardened & Updated Daily: The New Standard for Secure Containers

Experts say that new security review features introduced by Anthropic into its Claude Code platform offer an early glimpse of the direction that the AppSec world needs to take to stay apace of this kind of breakneck AI-assisted development. It’s essentially vibe coding mashed up with platform engineering, which is the embedding of security directly into the tools and pipelines that developers use.

As Maccherone explains, the era of vibe coding is going to solidify the theory that strong AppSec has to be synonymous with platform engineering.

“Platform engineering now suddenly becomes much, much more important — pretty much the center of not just AppSec but all security,” he says. “It’s the only way that we’re going to get security to keep up and not fall any further behind with AI development.”

Claude Security Reviews Have Entered the Chat

Introduced earlier this month, the new Claude Code security review capability has been universally lauded by the software engineering and AppSec community as a great first step toward embedding security checks into AI-assisted development workflows.

Related:Cognida.ai Launches Codien: An AI Agent to Modernize Legacy Test Automation and Fast-Track Test Creation

The idea is to turn the same intuitive automation that developers use for vibe coding toward security issues. The review feature makes it possible to prompt Claude from the platform’s terminal to run ad-hoc checks for common vulnerability patterns in a codebase, followed by with prompts for implementing fixes for issues once flaws are found. The review function can also be paired with a GitHub action for Claude Code that automatically triggers review of code changes on every pull request, which essentially sets up the guardrails to have that baseline review done before anything hits production.

This could provide a leg up for many organizations in streamlining code review and baking in better visibility into flaws super early in the development pipeline, whether or not vibe coding is prevalent. David Matousek, an IT security architect for the Office of the Comptroller of the Commonwealth of Massachusetts, says he’s still testing the capability but sees it as a potential game changer for security teams.

“When I typically review application code, it’s been cobbled together from a variety of sources, Web pages, tutorials, and AI code assistants,” he says. “Just the fact that I can open a code repository and use features like this provides me with information on what vulnerabilities exist. Now Claude Code makes the next step even easier. It’s quite capable of creating new patterns to analyze the codebase for and provide results instantly.”

Related:AI Tackles Binary Code Challenges to Fortify Supply Chain Security

For now, the review is pretty basic and only meant to pick up the kinds of flaws typically tackled by traditional static vulnerability scanning capabilities — looking for classic problems like SQL injection, cross-site scripting, authentication and authorization, insecure data handling, and dependency flaws. It’s the quick-and-dirty answer to scaling up baseline reviews, but the jury’s still out on what part of the AppSec tool chain it will replace, if any.

“Claude’s security review command is a low-friction way to catch common mistakes before pushing code, but its suggestions are based on training data that may not include the latest vulnerabilities,” says Kostas Diamantidis, software developer engineer at Cyberhaven. “Compared to dedicated SAST tools, the value proposition is different, so AI code review should be treated as a companion to human reviews and other security tooling, not a replacement.”

For his part, Pieter Danhieux, CEO of Secure Code Warrior, says the development of AI-assisted static code analysis was inevitable. He’s surprised how quickly it has been introduced since everyone in the industry started seeing the writing on the wall.

“I think a year ago everyone knew that static test tools would be dead eventually. It’s a commodity, and LLM was bound to take over,” he says. “It happened faster than I thought it would, and it is absolutely a positive thing because these are things that are 20 years old, and it’s about time they go away.”

Nevertheless, he and many others in the secure coding community agree that the first draft of this and other AI-assisted code reviews will have some pretty big limitations.

“The coverage remains to be seen, but it’s worth noting that Anthropic reviews appear to focus on classic security issues, like SQL injection and cross-site scripting,” says Diana Kelley, CISO at Noma Security. “While these issues should be removed from vibe-coded apps, it doesn’t look like this tool will catch more complex issues, like business logic errors. In other words, it’s a good start, but vibe coders should also perform dynamic security testing before launch.”

Engineering organizations should also consider that enterprise AI capabilities will introduce new security risks into applications that won’t be covered by traditional scanning methods — whether assisted by AI or not, Kelley says. Danhieux concurs.

“New vulnerabilities with AI are going to appear because with the introduction of every new technology, there are new security problems, and we’ve already seen a bit of that with hallucinations and prompt injections,” he says. “We had it when we released Web, we had it when we released mobile, we are going to have it when we’re releasing MCP and AI features.”

Next Steps for AppSec

All those caveats about Claude’s security review benefits make clear that the old security mantra is just as much at play here as anywhere else: AI-assisted security review is not going to be a panacea, magic wand, silver bullet, easy button, etc., for a comprehensive AppSec program.

“Embedding security checks in Claude is a great step and should help with static testing, but it isn’t a replacement for a full, secure software development life cycle,” Kelley says.

In many ways the Claude feature drop is just another incremental step toward the platform engineering ideal. It’s reaching the developer where they work and how they work in the vibe-coding era. But not only are other tools needed to cover what’s missing in coverage, there will always be a need for the belt-and-suspenders approach to software security for the sake of accountability and sound risk management, says Danny Allan, CTO for Snyk.

“You should not trust what is generating the code to secure the code. Because if you hallucinated one time, you’re likely to hallucinate again,” Allan says. “Similarly, I also worry about nondeterministic mechanisms being your deterministic guardrails. And by definition, these are nondeterministic.”

That’s not to say that the other methods of checking code security won’t continue to be embedded in tool chains and automated through AI, but that there will need to be layers of controls and secure gates across the development pipeline.

“You want to ensure the guardrails are in place so that no matter how or where the code is being created — it doesn’t matter by the way, whether it’s being created by a vibe-coding tool or whether it’s by a developer writing code — you want to make sure that you have gates implemented.”

Security experts also always need to guide processes and verify that they’re working properly.

“The expertise needed to review, refine, and secure the generated code is still going to be critical to adoption,” says Nicole Carignan, senior vice president of security and AI strategy and field CISO for Darktrace. “We’ll need professionals who bring together security experience, development skills, and familiarity with AI-assisted code development tools.”

As a departmental function, Matousek sees AppSec evolving into a role that helps evangelize new prompt and agentic secure coding patterns. Forward-thinking security engineers can start even now with that evolution by helping developers think about how they start projects in Claude and elsewhere.

“They need to think about how they start projects,” he says. “I found that by using a Security Manifesto to instruct Claude a basic framework of ‘Secure by Design,’ it generates more secure code.”