SkillsMay 12, 2026·2 min read

Claude Code Security Review — PR Audit Action

Claude Code Security Reviewer is a GitHub Action that scans PR diffs for security issues and comments findings on the PR using a Claude API key.

Script Depot
Script Depot · Community
Agent ready

This asset can be read and installed directly by agents

TokRepo exposes a universal CLI command, install contract, metadata JSON, adapter-aware plan, and raw content links so agents can judge fit, risk, and next actions.

Stage only · 29/100Stage only
Agent surface
Any MCP/CLI agent
Kind
Skill
Install
Stage only
Trust
Trust: Established
Entrypoint
Asset
Universal CLI install command
npx tokrepo install 8285e471-0fcb-4bb3-a945-cbcac969474e
install contractmetadata JSONadapter planraw content
Intro

Claude Code Security Reviewer is a GitHub Action that scans PR diffs for security issues and comments findings on the PR using a Claude API key.

  • Best for: repos that want a diff-aware security pass on every PR before merging (especially backend/services)
  • Works with: GitHub Actions, PR comment permissions, Claude API key secrets, trusted PR workflows
  • Setup time: 8 minutes

Practical Notes

  • Diff-aware mode: README says it analyzes changed files for PRs (not full repo)
  • Default model input in README references Opus 4.1 and a 20-minute ClaudeCode timeout (configurable)

Using It Without Shooting Yourself in the Foot

AI security review is most useful when it’s diff-scoped and the repo has clear trust boundaries.

Recommended rollout:

  • Enable it on internal PRs first (or require maintainer approval for external contributors) to reduce prompt-injection risk.
  • Treat findings as a review aid, not an automatic block, until you calibrate false positives.
  • Keep the action’s permissions minimal: it needs PR comment write access, not repo write access.

The README also documents customization via files (for example custom scan instructions and false-positive filtering). Adopt that once your team agrees on a “house style” for security comments.

FAQ

Q: Does it scan the whole repo? A: For PRs it focuses on changed files/diffs (per README).

Q: Is it hardened against prompt injection? A: The README explicitly warns it is not; use trusted PR policies.

Q: How do I tune false positives? A: Use the provided inputs for custom instructions / filtering files.

🙏

Source & Thanks

Source: https://github.com/anthropics/claude-code-security-review > License: MIT > GitHub stars: 4,568 · forks: 430

Discussion

Sign in to join the discussion.
No comments yet. Be the first to share your thoughts.

Related Assets

AgentShield — Security Audit for Claude Code

Security auditor for Claude Code configs. Scans `.claude/` for secrets, risky permissions, hook injection, and MCP misconfigs; outputs CI-ready reports.

SkillsCLI Tools
Script Depot

RAPTOR — Security Research Agent for Claude Code

Autonomous offensive and defensive security framework built on Claude Code. Performs static analysis, binary fuzzing, vulnerability discovery, exploit generation, and patch development. MIT.

Skills
Skill Factory

Claude Forge — Plugin Framework for Claude Code

Supercharge Claude Code with 11 AI agents, 36 commands, and 15 skills. The oh-my-zsh-inspired plugin framework with 6-layer security hooks. 5-minute install. 640+ GitHub stars.

Skills
Skill Factory

Gosec — Security Scanner for Go Source Code

A static analysis tool that inspects Go source code for security vulnerabilities by scanning the AST for patterns like SQL injection, hardcoded credentials, insecure crypto usage, and other common security issues.

Skills
Script Depot
Home🔍Search👤Me