We Love Claude

Claude Security

Claude's codebase security product — scans repos for vulnerabilities and proposes fixes.

Available on
Desktop Web New

What it is

Claude Security scans your codebase for vulnerabilities and proposes targeted patches. It’s built to find the things traditional scanners miss — issues that span multiple files, data flows across components, logic-level flaws that need context to spot.

It’s in research preview. Every finding is validated through multiple stages before it surfaces, with Claude arguing against its own conclusions to reduce false positives. When you’re ready to patch, you pivot from a finding directly into a Claude Code session to review and apply the fix.

Where to find it

Scans run against GitHub-hosted repositories you own. Reviewing a finding opens a Claude Code session for the fix.

How to use it

Run a scan

  1. Point Claude Security at a GitHub repo your company owns.
  2. It scans in parallel, tracing data flows across files.
  3. Each finding is verified and scored before it reaches you. New findings are flagged “new” in the console.

Read a finding

Every finding has a consistent shape:

  • title — one-line description.
  • impact — what an attacker could do.
  • file, line — where it originates.
  • description — the full technical story: data flow, why it’s exploitable.
  • exploit_scenario — concrete input-to-impact mapping.
  • preconditions — every condition that has to hold. An empty list means default-deployment exploitable.
  • category — e.g. sql_injection, path_traversal, ssrf.
  • severityHIGH, MEDIUM, LOW.
  • confidence — 0.0–1.0.
  • recommendation — outcome-based fix.

Pivot to a patch

  1. From a finding, open a Claude Code session.
  2. Claude proposes a fix. Review it.
  3. Apply, test, commit.

Good to know

  • Finding categories cover injection (SQL, command, code, XSS, XXE, ReDoS), path and network (traversal, SSRF, open redirect), auth and access (bypass, privilege escalation, IDOR/BOLA, CSRF, race conditions), memory safety, cryptography, deserialization, and protocol/encoding.
  • Severity is per-finding, not per-category. The same class of issue can be HIGH in one codebase and LOW in another depending on exploitability.
    • High — unauthenticated remote attacker, default deployment, no meaningful preconditions.
    • Medium — behind auth, or 1–2 realistic preconditions.
    • Low — 3+ preconditions, local-only, or no demonstrated path.
  • GitHub only today. Non-GitHub repositories aren’t supported.
  • Scans are non-deterministic. A real issue may not surface in every scan — run regularly.
  • Severity is not configurable today.
  • Model access — Mythos is limited to a small set of approved customers.
  • Scope of use. You may only scan code your company owns and has the rights to scan. Not for third-party or open-source code outside your own repos.

What’s changed recently

  • 2026-04-18 — Page created from official help-center article.

Related

Add from GitHub
Pull a GitHub repository or file into a chat as context.
Claude Code (CLI)
The terminal version of Claude Code — install, CLAUDE.md context files, plans, slash commands, and power-user tips.
Claude Code (desktop)
Claude's GUI for agentic coding — git-aware, worktree-aware, hooked into the same connectors as the rest of the app.
Claude Code (web)
Claude Code in the browser — agentic coding against GitHub repos on Anthropic-managed cloud infrastructure, no local install required.

Sources

Last verified 18 Apr 2026