[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-72150":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":14,"contributorsCount":15,"subscribersCount":15,"size":15,"stars1d":16,"stars7d":17,"stars30d":18,"stars90d":15,"forks30d":15,"starsTrendScore":19,"compositeScore":20,"rankGlobal":10,"rankLanguage":10,"license":21,"archived":22,"fork":22,"defaultBranch":23,"hasWiki":24,"hasPages":22,"topics":25,"createdAt":10,"pushedAt":10,"updatedAt":26,"readmeContent":27,"aiSummary":28,"trendingCount":15,"starSnapshotCount":15,"syncStatus":29,"lastSyncTime":30,"discoverSource":31},72150,"claude-code-security-review","anthropics\u002Fclaude-code-security-review","anthropics","An AI-powered security review GitHub Action using Claude to analyze code changes for security vulnerabilities.","",null,"Python",5180,531,39,0,216,288,612,648,39.18,"MIT License",false,"main",true,[],"2026-06-12 02:02:59","# Claude Code Security Reviewer\n\nAn AI-powered security review GitHub Action using Claude to analyze code changes for security vulnerabilities. This action provides intelligent, context-aware security analysis for pull requests using Anthropic's Claude Code tool for deep semantic security analysis. See our blog post [here](https:\u002F\u002Fwww.anthropic.com\u002Fnews\u002Fautomate-security-reviews-with-claude-code) for more details.\n\n## Features\n\n- **AI-Powered Analysis**: Uses Claude's advanced reasoning to detect security vulnerabilities with deep semantic understanding\n- **Diff-Aware Scanning**: For PRs, only analyzes changed files\n- **PR Comments**: Automatically comments on PRs with security findings\n- **Contextual Understanding**: Goes beyond pattern matching to understand code semantics\n- **Language Agnostic**: Works with any programming language\n- **False Positive Filtering**: Advanced filtering to reduce noise and focus on real vulnerabilities\n\n## Quick Start\n\nAdd this to your repository's `.github\u002Fworkflows\u002Fsecurity.yml`:\n\n```yaml\nname: Security Review\n\npermissions:\n pull-requests: write # Needed for leaving PR comments\n contents: read\n\non:\n pull_request:\n\njobs:\n security:\n runs-on: ubuntu-latest\n steps:\n - uses: actions\u002Fcheckout@v4\n with:\n ref: ${{ github.event.pull_request.head.sha || github.sha }}\n fetch-depth: 2\n \n - uses: anthropics\u002Fclaude-code-security-review@main\n with:\n comment-pr: true\n claude-api-key: ${{ secrets.CLAUDE_API_KEY }}\n```\n\n## Security Considerations\n\nThis action is not hardened against prompt injection attacks and should only be used to review trusted PRs. We recommend [configuring your repository](https:\u002F\u002Fdocs.github.com\u002Fen\u002Frepositories\u002Fmanaging-your-repositorys-settings-and-features\u002Fenabling-features-for-your-repository\u002Fmanaging-github-actions-settings-for-a-repository#controlling-changes-from-forks-to-workflows-in-public-repositories) to use the \"Require approval for all external contributors\" option to ensure workflows only run after a maintainer has reviewed the PR.\n\n## Configuration Options\n\n### Action Inputs\n\n| Input | Description | Default | Required |\n|-------|-------------|---------|----------|\n| `claude-api-key` | Anthropic Claude API key for security analysis. \u003Cbr>*Note*: This API key needs to be enabled for both the Claude API and Claude Code usage. | None | Yes |\n| `comment-pr` | Whether to comment on PRs with findings | `true` | No |\n| `upload-results` | Whether to upload results as artifacts | `true` | No |\n| `exclude-directories` | Comma-separated list of directories to exclude from scanning | None | No |\n| `claude-model` | Claude [model name](https:\u002F\u002Fdocs.anthropic.com\u002Fen\u002Fdocs\u002Fabout-claude\u002Fmodels\u002Foverview#model-names) to use. Defaults to Opus 4.1. | `claude-opus-4-1-20250805` | No |\n| `claudecode-timeout` | Timeout for ClaudeCode analysis in minutes | `20` | No |\n| `run-every-commit` | Run ClaudeCode on every commit (skips cache check). Warning: May increase false positives on PRs with many commits. | `false` | No |\n| `false-positive-filtering-instructions` | Path to custom false positive filtering instructions text file | None | No |\n| `custom-security-scan-instructions` | Path to custom security scan instructions text file to append to audit prompt | None | No |\n\n### Action Outputs\n\n| Output | Description |\n|--------|-------------|\n| `findings-count` | Total number of security findings |\n| `results-file` | Path to the results JSON file |\n\n## How It Works\n\n### Architecture\n\n```\nclaudecode\u002F\n├── github_action_audit.py # Main audit script for GitHub Actions\n├── prompts.py # Security audit prompt templates\n├── findings_filter.py # False positive filtering logic\n├── claude_api_client.py # Claude API client for false positive filtering\n├── json_parser.py # Robust JSON parsing utilities\n├── requirements.txt # Python dependencies\n├── test_*.py # Test suites\n└── evals\u002F # Eval tooling to test CC on arbitrary PRs\n```\n\n### Workflow\n\n1. **PR Analysis**: When a pull request is opened, Claude analyzes the diff to understand what changed\n2. **Contextual Review**: Claude examines the code changes in context, understanding the purpose and potential security implications\n3. **Finding Generation**: Security issues are identified with detailed explanations, severity ratings, and remediation guidance\n4. **False Positive Filtering**: Advanced filtering removes low-impact or false positive prone findings to reduce noise\n5. **PR Comments**: Findings are posted as review comments on the specific lines of code\n\n## Security Analysis Capabilities\n\n### Types of Vulnerabilities Detected\n\n- **Injection Attacks**: SQL injection, command injection, LDAP injection, XPath injection, NoSQL injection, XXE\n- **Authentication & Authorization**: Broken authentication, privilege escalation, insecure direct object references, bypass logic, session flaws\n- **Data Exposure**: Hardcoded secrets, sensitive data logging, information disclosure, PII handling violations\n- **Cryptographic Issues**: Weak algorithms, improper key management, insecure random number generation\n- **Input Validation**: Missing validation, improper sanitization, buffer overflows\n- **Business Logic Flaws**: Race conditions, time-of-check-time-of-use (TOCTOU) issues\n- **Configuration Security**: Insecure defaults, missing security headers, permissive CORS\n- **Supply Chain**: Vulnerable dependencies, typosquatting risks\n- **Code Execution**: RCE via deserialization, pickle injection, eval injection\n- **Cross-Site Scripting (XSS)**: Reflected, stored, and DOM-based XSS\n\n### False Positive Filtering\n\nThe tool automatically excludes a variety of low-impact and false positive prone findings to focus on high-impact vulnerabilities:\n- Denial of Service vulnerabilities\n- Rate limiting concerns\n- Memory\u002FCPU exhaustion issues\n- Generic input validation without proven impact\n- Open redirect vulnerabilities\n\nThe false positive filtering can also be tuned as needed for a given project's security goals.\n\n### Benefits Over Traditional SAST\n\n- **Contextual Understanding**: Understands code semantics and intent, not just patterns\n- **Lower False Positives**: AI-powered analysis reduces noise by understanding when code is actually vulnerable\n- **Detailed Explanations**: Provides clear explanations of why something is a vulnerability and how to fix it\n- **Adaptive Learning**: Can be customized with organization-specific security requirements\n\n## Installation & Setup\n\n### GitHub Actions\n\nFollow the Quick Start guide above. The action handles all dependencies automatically.\n\n### Local Development\n\nTo run the security scanner locally against a specific PR, see the [evaluation framework documentation](claudecode\u002Fevals\u002FREADME.md).\n\n\u003Ca id=\"security-review-slash-command\">\u003C\u002Fa>\n\n## Claude Code Integration: \u002Fsecurity-review Command \n\nBy default, Claude Code ships a `\u002Fsecurity-review` [slash command](https:\u002F\u002Fdocs.anthropic.com\u002Fen\u002Fdocs\u002Fclaude-code\u002Fslash-commands) that provides the same security analysis capabilities as the GitHub Action workflow, but integrated directly into your Claude Code development environment. To use this, simply run `\u002Fsecurity-review` to perform a comprehensive security review of all pending changes.\n\n### Customizing the Command\n\nThe default `\u002Fsecurity-review` command is designed to work well in most cases, but it can also be customized based on your specific security needs. To do so: \n\n1. Copy the [`security-review.md`](https:\u002F\u002Fgithub.com\u002Fanthropics\u002Fclaude-code-security-review\u002Fblob\u002Fmain\u002F.claude\u002Fcommands\u002Fsecurity-review.md?plain=1) file from this repository to your project's `.claude\u002Fcommands\u002F` folder. \n2. Edit `security-review.md` to customize the security analysis. For example, you could add additional organization-specific directions to the false positive filtering instructions. \n\n## Custom Scanning Configuration\n\nIt is also possible to configure custom scanning and false positive filtering instructions, see the [`docs\u002F`](docs\u002F) folder for more details. \n\n## Testing\n\nRun the test suite to validate functionality:\n\n```bash\ncd claude-code-security-review\n# Run all tests\npytest claudecode -v\n```\n\n## Support\n\nFor issues or questions:\n- Open an issue in this repository\n- Check the [GitHub Actions logs](https:\u002F\u002Fdocs.github.com\u002Fen\u002Factions\u002Fmonitoring-and-troubleshooting-workflows\u002Fviewing-workflow-run-history) for debugging information\n\n## License\n\nMIT License - see [LICENSE](LICENSE) file for details.\n","Claude Code Security Reviewer 是一个基于AI的GitHub Action,使用Anthropic的Claude工具来分析代码变更中的安全漏洞。其核心功能包括利用Claude的高级推理能力进行深度语义理解的安全分析、仅扫描PR中更改的文件、自动在PR上添加安全发现评论、支持多种编程语言,并通过先进的过滤机制减少误报。适用于需要自动化安全审查流程的开发团队,在合并请求阶段识别潜在的安全问题,尤其适合处理跨语言项目和希望提高代码安全性同时减少人工审核负担的场景。",2,"2026-06-11 03:40:35","high_star"]