Esta página se muestra en inglés. Una traducción al español está en curso.
SkillsMay 12, 2026·2 min de lectura

Claude Code Security Review — PR Audit Action

Claude Code Security Reviewer is a GitHub Action that scans PR diffs for security issues and comments findings on the PR using a Claude API key.

Listo para agents

Staging seguro para este activo

Este activo primero queda en staging. El prompt copiado pide inspeccionar los archivos staged antes de activar scripts, config MCP o config global.

Stage only · 29/100Política: staging
Superficie agent
Cualquier agent MCP/CLI
Tipo
Skill
Instalación
Stage only
Confianza
Confianza: Established
Entrada
Asset
Comando de staging seguro
npx -y tokrepo@latest install 8285e471-0fcb-4bb3-a945-cbcac969474e --target codex

Primero deja archivos en staging; la activación requiere revisar el README y el plan staged.

Introducción

Claude Code Security Reviewer is a GitHub Action that scans PR diffs for security issues and comments findings on the PR using a Claude API key.

  • Best for: repos that want a diff-aware security pass on every PR before merging (especially backend/services)
  • Works with: GitHub Actions, PR comment permissions, Claude API key secrets, trusted PR workflows
  • Setup time: 8 minutes

Practical Notes

  • Diff-aware mode: README says it analyzes changed files for PRs (not full repo)
  • Default model input in README references Opus 4.1 and a 20-minute ClaudeCode timeout (configurable)

Using It Without Shooting Yourself in the Foot

AI security review is most useful when it’s diff-scoped and the repo has clear trust boundaries.

Recommended rollout:

  • Enable it on internal PRs first (or require maintainer approval for external contributors) to reduce prompt-injection risk.
  • Treat findings as a review aid, not an automatic block, until you calibrate false positives.
  • Keep the action’s permissions minimal: it needs PR comment write access, not repo write access.

The README also documents customization via files (for example custom scan instructions and false-positive filtering). Adopt that once your team agrees on a “house style” for security comments.

FAQ

Q: Does it scan the whole repo? A: For PRs it focuses on changed files/diffs (per README).

Q: Is it hardened against prompt injection? A: The README explicitly warns it is not; use trusted PR policies.

Q: How do I tune false positives? A: Use the provided inputs for custom instructions / filtering files.

🙏

Fuente y agradecimientos

Source: https://github.com/anthropics/claude-code-security-review > License: MIT > GitHub stars: 4,568 · forks: 430

Discusión

Inicia sesión para unirte a la discusión.
Aún no hay comentarios. Sé el primero en compartir tus ideas.

Activos relacionados