Skills · May 12, 2026 · 2 min read

Claude Code Security Review — PR Audit Action

Claude Code Security Reviewer is a GitHub Action that scans PR diffs for security issues and comments findings on the PR using a Claude API key.

Agent-ready

This asset can be read and installed directly by agents

TokRepo exposes a universal CLI command, an install contract, JSON metadata, an adapter-specific plan, and the raw content to help agents assess fit, risk, and next actions.

Stage only · 29/100

  • Agent surface: Any MCP/CLI agent
  • Type: Skill
  • Installation: Stage only
  • Trust: Established
  • Entry point: Asset

Universal CLI command:

npx tokrepo install 8285e471-0fcb-4bb3-a945-cbcac969474e

Introduction

  • Best for: repos that want a diff-aware security pass on every PR before merging (especially backend/services)
  • Works with: GitHub Actions, PR comment permissions, Claude API key secrets, trusted PR workflows
  • Setup time: 8 minutes

Practical Notes

  • Diff-aware mode: the README says it analyzes changed files for PRs (not the full repo)
  • The default model input in the README references Opus 4.1, with a 20-minute Claude Code timeout (configurable)

Using It Without Shooting Yourself in the Foot

AI security review is most useful when it’s diff-scoped and the repo has clear trust boundaries.

Recommended rollout:

  • Enable it on internal PRs first (or require maintainer approval for external contributors) to reduce prompt-injection risk.
  • Treat findings as a review aid, not an automatic block, until you calibrate false positives.
  • Keep the action’s permissions minimal: it needs PR comment write access, not repo write access.
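
One way to express this rollout as a workflow, as an added example rather than configuration from the original page or the project itself. The workflow and job names and the secret name `CLAUDE_API_KEY` are assumptions.

```yaml
name: Security Review (advisory)

on:
  pull_request:   # not pull_request_target: fork code must never run with secrets

# Least privilege for the whole workflow: read the code, comment on the PR.
permissions:
  contents: read
  pull-requests: write

jobs:
  security-review:
    runs-on: ubuntu-latest
    # Internal PRs only: skip when the head branch lives in a fork.
    if: github.event.pull_request.head.repo.full_name == github.repository
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          fetch-depth: 2
          persist-credentials: false   # do not leave the token in .git/config

      # Pin to a reviewed commit SHA instead of a branch once adopted.
      - uses: anthropics/claude-code-security-review@main
        continue-on-error: true   # review aid, not a merge gate, while calibrating
        with:
          claude-api-key: ${{ secrets.CLAUDE_API_KEY }}   # assumed secret name
          comment-pr: true
```

Leaving this job out of the branch protection required checks keeps findings advisory until false positives have been calibrated.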

The README also documents customization via files (for example custom scan instructions and false-positive filtering). Adopt that once your team agrees on a “house style” for security comments.

FAQ

Q: Does it scan the whole repo? A: For PRs it focuses on changed files/diffs (per README).

Q: Is it hardened against prompt injection? A: The README explicitly warns it is not; use trusted PR policies.

Q: How do I tune false positives? A: Use the provided inputs for custom instructions / filtering files.

Source and Acknowledgements

  • Source: https://github.com/anthropics/claude-code-security-review
  • License: MIT
  • GitHub stars: 4,568 · forks: 430
