Introduction
Defending Code is an open-source reference harness from Anthropic that equips AI coding agents with security scanning capabilities. It provides a collection of skills for threat modeling, static analysis, vulnerability triage, and automated patch generation — turning your coding agent into a security-aware development companion.
What Defending Code Does
- Provides agent skills for automated security scanning of codebases
- Performs threat modeling by analyzing code architecture and data flows
- Identifies common vulnerability patterns (injection, auth flaws, insecure defaults)
- Generates prioritized triage reports with severity ratings and remediation guidance
- Produces automated patches for identified vulnerabilities when fixes are straightforward
Architecture Overview
Defending Code is structured as a set of SKILL.md files and supporting scripts that integrate with AI coding agents. The threat modeling skill analyzes project structure and identifies attack surfaces. The scanning skill runs pattern-based checks against source files, generating findings in a structured format. The patching skill takes confirmed findings and generates code changes that fix the vulnerability. An autonomous scanning harness ties these skills into an end-to-end pipeline.
Self-Hosting & Configuration
- Clone the repository and copy skill files into your project's agent skill directory
- No external security scanning service or API key is needed for basic operation
- Customize scan rules and severity thresholds by editing the skill configuration files
- Integrate with CI by running the autonomous harness as a pipeline step
- Works with Claude Code, Codex, and other agents supporting the skill standard
Key Features
- End-to-end pipeline from threat modeling through scanning to automated patching
- Customizable scanning rules for project-specific vulnerability patterns
- Structured output format compatible with security dashboards and issue trackers
- Autonomous scanning mode that runs without manual prompting
- Official reference implementation from Anthropic with documented security practices
Comparison with Similar Tools
- Semgrep — a standalone static analysis engine; Defending Code provides agent-integrated scanning skills
- Snyk — SaaS-based vulnerability scanning; Defending Code runs locally with no external service
- SonarQube — continuous code quality inspection; Defending Code is agent-native and focuses on AI-assisted remediation
- CodeQL — GitHub's semantic analysis engine; Defending Code is lighter weight and produces actionable patches directly
FAQ
Q: Does this replace dedicated security scanning tools? A: No. It provides a complementary agent-driven approach. For compliance-grade scanning, combine it with established tools like Semgrep or CodeQL.
Q: Which languages are supported for scanning? A: The skills work with any language the underlying coding agent can analyze. Pattern coverage is broadest for Python, JavaScript/TypeScript, Go, and Java.
Q: Can the autonomous harness run in CI? A: Yes. Configure it as a CI step to scan on every push or pull request, with findings reported as structured output.
Q: Is this production-ready? A: It is a reference harness intended for evaluation and customization. Adapt the skills and rules to your project's specific security requirements.