Cette page est affichée en anglais. Une traduction française est en cours.
SkillsMay 12, 2026·2 min de lecture

Claude Code Security Review — PR Audit Action

Claude Code Security Reviewer is a GitHub Action that scans PR diffs for security issues and comments findings on the PR using a Claude API key.

Prêt pour agents

Staging sûr pour cet actif

Cet actif est d'abord staged. Le prompt copié demande à l'agent d'inspecter les fichiers staged avant d'activer scripts, config MCP ou config globale.

Stage only · 29/100Policy : staging
Surface agent
Tout agent MCP/CLI
Type
Skill
Installation
Stage only
Confiance
Confiance : Established
Point d'entrée
Asset
Commande de staging sûr
npx -y tokrepo@latest install 8285e471-0fcb-4bb3-a945-cbcac969474e --target codex

Stage les fichiers d'abord; l'activation exige la revue du README et du plan staged.

Introduction

Claude Code Security Reviewer is a GitHub Action that scans PR diffs for security issues and comments findings on the PR using a Claude API key.

  • Best for: repos that want a diff-aware security pass on every PR before merging (especially backend/services)
  • Works with: GitHub Actions, PR comment permissions, Claude API key secrets, trusted PR workflows
  • Setup time: 8 minutes

Practical Notes

  • Diff-aware mode: README says it analyzes changed files for PRs (not full repo)
  • Default model input in README references Opus 4.1 and a 20-minute ClaudeCode timeout (configurable)

Using It Without Shooting Yourself in the Foot

AI security review is most useful when it’s diff-scoped and the repo has clear trust boundaries.

Recommended rollout:

  • Enable it on internal PRs first (or require maintainer approval for external contributors) to reduce prompt-injection risk.
  • Treat findings as a review aid, not an automatic block, until you calibrate false positives.
  • Keep the action’s permissions minimal: it needs PR comment write access, not repo write access.

The README also documents customization via files (for example custom scan instructions and false-positive filtering). Adopt that once your team agrees on a “house style” for security comments.

FAQ

Q: Does it scan the whole repo? A: For PRs it focuses on changed files/diffs (per README).

Q: Is it hardened against prompt injection? A: The README explicitly warns it is not; use trusted PR policies.

Q: How do I tune false positives? A: Use the provided inputs for custom instructions / filtering files.

🙏

Source et remerciements

Source: https://github.com/anthropics/claude-code-security-review > License: MIT > GitHub stars: 4,568 · forks: 430

Fil de discussion

Connectez-vous pour rejoindre la discussion.
Aucun commentaire pour l'instant. Soyez le premier à partager votre avis.

Actifs similaires