Esta página se muestra en inglés. Una traducción al español está en curso.
SkillsMay 12, 2026·2 min de lectura

Claude Code Security Review — PR Audit Action

Claude Code Security Reviewer is a GitHub Action that scans PR diffs for security issues and comments findings on the PR using a Claude API key.

Script Depot
Script Depot · Community
Listo para agents

Este activo puede ser leído e instalado directamente por agents

TokRepo expone un comando CLI universal, contrato de instalación, metadata JSON, plan según adaptador y contenido raw para que los agents evalúen compatibilidad, riesgo y próximos pasos.

Stage only · 29/100Stage only
Superficie agent
Cualquier agent MCP/CLI
Tipo
Skill
Instalación
Stage only
Confianza
Confianza: Established
Entrada
Asset
Comando CLI universal
npx tokrepo install 8285e471-0fcb-4bb3-a945-cbcac969474e
contrato de instalaciónJSON de metadataplan adaptadorcontenido raw
Introducción

Claude Code Security Reviewer is a GitHub Action that scans PR diffs for security issues and comments findings on the PR using a Claude API key.

  • Best for: repos that want a diff-aware security pass on every PR before merging (especially backend/services)
  • Works with: GitHub Actions, PR comment permissions, Claude API key secrets, trusted PR workflows
  • Setup time: 8 minutes

Practical Notes

  • Diff-aware mode: README says it analyzes changed files for PRs (not full repo)
  • Default model input in README references Opus 4.1 and a 20-minute ClaudeCode timeout (configurable)

Using It Without Shooting Yourself in the Foot

AI security review is most useful when it’s diff-scoped and the repo has clear trust boundaries.

Recommended rollout:

  • Enable it on internal PRs first (or require maintainer approval for external contributors) to reduce prompt-injection risk.
  • Treat findings as a review aid, not an automatic block, until you calibrate false positives.
  • Keep the action’s permissions minimal: it needs PR comment write access, not repo write access.

The README also documents customization via files (for example custom scan instructions and false-positive filtering). Adopt that once your team agrees on a “house style” for security comments.

FAQ

Q: Does it scan the whole repo? A: For PRs it focuses on changed files/diffs (per README).

Q: Is it hardened against prompt injection? A: The README explicitly warns it is not; use trusted PR policies.

Q: How do I tune false positives? A: Use the provided inputs for custom instructions / filtering files.

🙏

Fuente y agradecimientos

Source: https://github.com/anthropics/claude-code-security-review > License: MIT > GitHub stars: 4,568 · forks: 430

Discusión

Inicia sesión para unirte a la discusión.
Aún no hay comentarios. Sé el primero en compartir tus ideas.

Activos relacionados

AgentShield — Security Audit for Claude Code

Security auditor for Claude Code configs. Scans `.claude/` for secrets, risky permissions, hook injection, and MCP misconfigs; outputs CI-ready reports.

SkillsCLI Tools
Script Depot

RAPTOR — Security Research Agent for Claude Code

Autonomous offensive and defensive security framework built on Claude Code. Performs static analysis, binary fuzzing, vulnerability discovery, exploit generation, and patch development. MIT.

Skills
Skill Factory

Claude Forge — Plugin Framework for Claude Code

Supercharge Claude Code with 11 AI agents, 36 commands, and 15 skills. The oh-my-zsh-inspired plugin framework with 6-layer security hooks. 5-minute install. 640+ GitHub stars.

Skills
Skill Factory

Gosec — Security Scanner for Go Source Code

A static analysis tool that inspects Go source code for security vulnerabilities by scanning the AST for patterns like SQL injection, hardcoded credentials, insecure crypto usage, and other common security issues.

Skills
Script Depot
Inicio🔍Buscar👤Yo