Cette page est affichée en anglais. Une traduction française est en cours.
ScriptsJul 7, 2026·3 min de lecture

Defending Code — Security Scanning Harness by Anthropic

An open-source reference harness from Anthropic with skills for threat modeling, vulnerability scanning, triage, and automated patching using AI coding agents.

Prêt pour agents

Installation agent prête

Cet actif peut être installé après choix du runtime, vérification du plan et exécution de la commande adaptée.

Native · 98/100Policy : autoriser
Surface agent
Tout agent MCP/CLI
Type
Skill
Installation
Single
Confiance
Confiance : Established
Point d'entrée
Defending Code Overview
Commande d'installation directe
npx -y tokrepo@latest install 92d0784d-79bd-11f1-9bc6-00163e2b0d79 --target codex

À exécuter après confirmation du plan en dry-run.

Introduction

Defending Code is an open-source reference harness from Anthropic that equips AI coding agents with security scanning capabilities. It provides a collection of skills for threat modeling, static analysis, vulnerability triage, and automated patch generation — turning your coding agent into a security-aware development companion.

What Defending Code Does

  • Provides agent skills for automated security scanning of codebases
  • Performs threat modeling by analyzing code architecture and data flows
  • Identifies common vulnerability patterns (injection, auth flaws, insecure defaults)
  • Generates prioritized triage reports with severity ratings and remediation guidance
  • Produces automated patches for identified vulnerabilities when fixes are straightforward

Architecture Overview

Defending Code is structured as a set of SKILL.md files and supporting scripts that integrate with AI coding agents. The threat modeling skill analyzes project structure and identifies attack surfaces. The scanning skill runs pattern-based checks against source files, generating findings in a structured format. The patching skill takes confirmed findings and generates code changes that fix the vulnerability. An autonomous scanning harness ties these skills into an end-to-end pipeline.

Self-Hosting & Configuration

  • Clone the repository and copy skill files into your project's agent skill directory
  • No external security scanning service or API key is needed for basic operation
  • Customize scan rules and severity thresholds by editing the skill configuration files
  • Integrate with CI by running the autonomous harness as a pipeline step
  • Works with Claude Code, Codex, and other agents supporting the skill standard

Key Features

  • End-to-end pipeline from threat modeling through scanning to automated patching
  • Customizable scanning rules for project-specific vulnerability patterns
  • Structured output format compatible with security dashboards and issue trackers
  • Autonomous scanning mode that runs without manual prompting
  • Official reference implementation from Anthropic with documented security practices

Comparison with Similar Tools

  • Semgrep — a standalone static analysis engine; Defending Code provides agent-integrated scanning skills
  • Snyk — SaaS-based vulnerability scanning; Defending Code runs locally with no external service
  • SonarQube — continuous code quality inspection; Defending Code is agent-native and focuses on AI-assisted remediation
  • CodeQL — GitHub's semantic analysis engine; Defending Code is lighter weight and produces actionable patches directly

FAQ

Q: Does this replace dedicated security scanning tools? A: No. It provides a complementary agent-driven approach. For compliance-grade scanning, combine it with established tools like Semgrep or CodeQL.

Q: Which languages are supported for scanning? A: The skills work with any language the underlying coding agent can analyze. Pattern coverage is broadest for Python, JavaScript/TypeScript, Go, and Java.

Q: Can the autonomous harness run in CI? A: Yes. Configure it as a CI step to scan on every push or pull request, with findings reported as structured output.

Q: Is this production-ready? A: It is a reference harness intended for evaluation and customization. Adapt the skills and rules to your project's specific security requirements.

Sources

Fil de discussion

Connectez-vous pour rejoindre la discussion.
Aucun commentaire pour l'instant. Soyez le premier à partager votre avis.

Actifs similaires