# Defending Code — Security Scanning Harness by Anthropic > An open-source reference harness from Anthropic with skills for threat modeling, vulnerability scanning, triage, and automated patching using AI coding agents. ## Install Save as a script file and run: # Defending Code — Security Scanning Harness by Anthropic ## Quick Use ```bash git clone https://github.com/anthropics/defending-code-reference-harness.git cd defending-code-reference-harness # Install skills into your project cp -r skills/ /path/to/your-project/.claude/skills/ # Run a security scan from your coding agent # Prompt: "/security-scan" ``` ## Introduction Defending Code is an open-source reference harness from Anthropic that equips AI coding agents with security scanning capabilities. It provides a collection of skills for threat modeling, static analysis, vulnerability triage, and automated patch generation — turning your coding agent into a security-aware development companion. ## What Defending Code Does - Provides agent skills for automated security scanning of codebases - Performs threat modeling by analyzing code architecture and data flows - Identifies common vulnerability patterns (injection, auth flaws, insecure defaults) - Generates prioritized triage reports with severity ratings and remediation guidance - Produces automated patches for identified vulnerabilities when fixes are straightforward ## Architecture Overview Defending Code is structured as a set of SKILL.md files and supporting scripts that integrate with AI coding agents. The threat modeling skill analyzes project structure and identifies attack surfaces. The scanning skill runs pattern-based checks against source files, generating findings in a structured format. The patching skill takes confirmed findings and generates code changes that fix the vulnerability. An autonomous scanning harness ties these skills into an end-to-end pipeline. ## Self-Hosting & Configuration - Clone the repository and copy skill files into your project's agent skill directory - No external security scanning service or API key is needed for basic operation - Customize scan rules and severity thresholds by editing the skill configuration files - Integrate with CI by running the autonomous harness as a pipeline step - Works with Claude Code, Codex, and other agents supporting the skill standard ## Key Features - End-to-end pipeline from threat modeling through scanning to automated patching - Customizable scanning rules for project-specific vulnerability patterns - Structured output format compatible with security dashboards and issue trackers - Autonomous scanning mode that runs without manual prompting - Official reference implementation from Anthropic with documented security practices ## Comparison with Similar Tools - **Semgrep** — a standalone static analysis engine; Defending Code provides agent-integrated scanning skills - **Snyk** — SaaS-based vulnerability scanning; Defending Code runs locally with no external service - **SonarQube** — continuous code quality inspection; Defending Code is agent-native and focuses on AI-assisted remediation - **CodeQL** — GitHub's semantic analysis engine; Defending Code is lighter weight and produces actionable patches directly ## FAQ **Q: Does this replace dedicated security scanning tools?** A: No. It provides a complementary agent-driven approach. For compliance-grade scanning, combine it with established tools like Semgrep or CodeQL. **Q: Which languages are supported for scanning?** A: The skills work with any language the underlying coding agent can analyze. Pattern coverage is broadest for Python, JavaScript/TypeScript, Go, and Java. **Q: Can the autonomous harness run in CI?** A: Yes. Configure it as a CI step to scan on every push or pull request, with findings reported as structured output. **Q: Is this production-ready?** A: It is a reference harness intended for evaluation and customization. Adapt the skills and rules to your project's specific security requirements. ## Sources - https://github.com/anthropics/defending-code-reference-harness - https://github.com/anthropics/defending-code-reference-harness/blob/main/README.md --- Source: https://tokrepo.com/en/workflows/asset-92d0784d Author: Script Depot