Anthropic Adds Security Scanning to Claude

Anthropic has introduced Claude Code Security, an embedded security scanning feature for its Claude AI model that is currently in a limited beta. The feature automatically scans AI-generated code, flags potential vulnerabilities, and suggests patches, giving developers and enterprise teams that use Claude for code generation an integrated security layer.

- The feature goes beyond traditional static application security testing (SAST): rather than matching patterns, it reasons about code the way a human researcher would, which lets it find complex vulnerabilities such as logic flaws and broken access controls that signature-based tools often miss. Every potential vulnerability goes through a multi-stage verification process in which the model attempts to prove or disprove its own finding, reducing false positives before anything is shown to a developer.
- Anthropic has been using and refining the capability internally by entering Claude in "Capture the Flag" security competitions and by partnering with the Pacific Northwest National Laboratory to test it for defending critical infrastructure. During internal testing with its Claude Opus 4.6 model, Anthropic reports finding over 500 vulnerabilities in production open-source codebases.
- For each vulnerability it finds, the tool proposes a targeted patch; all proposed fixes require human review and approval before they are applied. Findings carry severity ratings so teams can prioritize the most critical fixes first.
- The tool is part of a broader industry trend of foundation model providers embedding security features directly into their platforms. OpenAI has been beta-testing a similar agentic security researcher named Aardvark and has added safeguards to its GPT-5.3-Codex model because of its high cybersecurity capabilities.
- Studies have shown that AI-generated code can contain significantly more vulnerabilities than human-written code; one report found that 45% of AI-generated code samples introduced flaws. Common issues include missing input validation, injection flaws, and the use of dependencies with known vulnerabilities.
- The announcement of Claude Code Security had a notable effect on the stock market: share prices of several publicly traded cybersecurity companies, including CrowdStrike, Cloudflare, and Okta, fell, signaling investor concern about disruption to the existing security vendor landscape.
- In addition to a command-line tool for on-demand scans, Anthropic offers a GitHub Actions integration that automatically scans pull requests, letting teams embed security checks directly in their CI/CD pipelines.
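To make the two most common flaws named above concrete (missing input validation and an injection flaw), here is an added example of the vulnerable pattern a scanner such as this one is meant to flag, beside its hardened form. This is illustrative code written for this page, not Anthropic's or Claude Code Security's own code; the `users` table, the sample accounts and the allow-list regex are assumptions, and the database is an in-memory SQLite instance so it runs offline.

```python
"""Added example (not Anthropic's code): a login lookup with a SQL injection
flaw and missing input validation, next to the patched version.

Uses an in-memory SQLite database seeded with constructed sample rows. The
table name, account names and the username allow-list are assumptions made
for illustration. Passwords are stored in plaintext only to keep the example
short; real code would store a salted hash.
"""
import re
import sqlite3

# Constructed sample data: two accounts, nothing here is real.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]

# Conservative allow-list for usernames; anything else is rejected outright.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def make_db() -> sqlite3.Connection:
    """Create a throwaway database with a users table and seed it."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """The kind of code a scanner should flag: user input is spliced straight
    into the SQL string, so a crafted username rewrites the query."""
    sql = (f"SELECT name FROM users WHERE name = '{username}' "
           f"AND password = '{password}'")
    return [row[0] for row in conn.execute(sql)]


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> list:
    """The patched form: validate the shape of the input first, then pass the
    values as bound parameters so they can never be parsed as SQL."""
    if not USERNAME_RE.match(username):
        raise ValueError("username failed validation")
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


# Classic payload: closes the string literal and comments out the password check.
INJECTION = "alice' --"


def demo() -> dict:
    """Run both variants against the same payload and report what each returned."""
    conn = make_db()
    result = {
        "legit_vulnerable": login_vulnerable(conn, "alice", "s3cret"),
        # With the payload the WHERE clause collapses to name = 'alice',
        # so the vulnerable version logs in without the password.
        "injected_vulnerable": login_vulnerable(conn, INJECTION, "wrong"),
    }
    try:
        login_hardened(conn, INJECTION, "wrong")
        result["injected_hardened"] = "query ran"
    except ValueError:
        result["injected_hardened"] = "rejected"
    # Even without the regex gate, bound parameters alone defeat the payload:
    # the whole string is compared as a literal username and matches nothing.
    result["injected_bound_only"] = [
        row[0] for row in conn.execute(
            "SELECT name FROM users WHERE name = ? AND password = ?",
            (INJECTION, "wrong"))
    ]
    result["legit_hardened"] = login_hardened(conn, "alice", "s3cret")
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened version applies both fixes the article's list implies: an allow-list validation step that rejects malformed input early, and parameter binding so that the database driver, not string concatenation, carries the values. Either one alone stops this particular payload; together they also catch inputs that are syntactically harmless but semantically wrong for the field.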

Shared from Scout.