Scripts2026年7月7日·1 分钟阅读

Defending Code — Security Scanning Harness by Anthropic

An open-source reference harness from Anthropic with skills for threat modeling, vulnerability scanning, triage, and automated patching using AI coding agents.

Agent 就绪

Agent 可直接安装

这个资产可安装;Agent 先选择当前运行时、检查安装计划,再运行匹配命令。

Native · 98/100策略:允许
Agent 入口
任意 MCP/CLI Agent
类型
Skill
安装
Single
信任
信任等级:Established
入口
Defending Code Overview
直接安装命令
npx -y tokrepo@latest install 92d0784d-79bd-11f1-9bc6-00163e2b0d79 --target codex

先 dry-run 确认安装计划,再运行此命令。

Introduction

Defending Code is an open-source reference harness from Anthropic that equips AI coding agents with security scanning capabilities. It provides a collection of skills for threat modeling, static analysis, vulnerability triage, and automated patch generation — turning your coding agent into a security-aware development companion.

What Defending Code Does

  • Provides agent skills for automated security scanning of codebases
  • Performs threat modeling by analyzing code architecture and data flows
  • Identifies common vulnerability patterns (injection, auth flaws, insecure defaults)
  • Generates prioritized triage reports with severity ratings and remediation guidance
  • Produces automated patches for identified vulnerabilities when fixes are straightforward

Architecture Overview

Defending Code is structured as a set of SKILL.md files and supporting scripts that integrate with AI coding agents. The threat modeling skill analyzes project structure and identifies attack surfaces. The scanning skill runs pattern-based checks against source files, generating findings in a structured format. The patching skill takes confirmed findings and generates code changes that fix the vulnerability. An autonomous scanning harness ties these skills into an end-to-end pipeline.

Self-Hosting & Configuration

  • Clone the repository and copy skill files into your project's agent skill directory
  • No external security scanning service or API key is needed for basic operation
  • Customize scan rules and severity thresholds by editing the skill configuration files
  • Integrate with CI by running the autonomous harness as a pipeline step
  • Works with Claude Code, Codex, and other agents supporting the skill standard

Key Features

  • End-to-end pipeline from threat modeling through scanning to automated patching
  • Customizable scanning rules for project-specific vulnerability patterns
  • Structured output format compatible with security dashboards and issue trackers
  • Autonomous scanning mode that runs without manual prompting
  • Official reference implementation from Anthropic with documented security practices

Comparison with Similar Tools

  • Semgrep — a standalone static analysis engine; Defending Code provides agent-integrated scanning skills
  • Snyk — SaaS-based vulnerability scanning; Defending Code runs locally with no external service
  • SonarQube — continuous code quality inspection; Defending Code is agent-native and focuses on AI-assisted remediation
  • CodeQL — GitHub's semantic analysis engine; Defending Code is lighter weight and produces actionable patches directly

FAQ

Q: Does this replace dedicated security scanning tools? A: No. It provides a complementary agent-driven approach. For compliance-grade scanning, combine it with established tools like Semgrep or CodeQL.

Q: Which languages are supported for scanning? A: The skills work with any language the underlying coding agent can analyze. Pattern coverage is broadest for Python, JavaScript/TypeScript, Go, and Java.

Q: Can the autonomous harness run in CI? A: Yes. Configure it as a CI step to scan on every push or pull request, with findings reported as structured output.

Q: Is this production-ready? A: It is a reference harness intended for evaluation and customization. Adapt the skills and rules to your project's specific security requirements.

Sources

讨论

登录后参与讨论。
还没有评论,来写第一条吧。

相关资产