Claude Code just got sharper. Anthropic has rolled out an always-on AI security review system that spots and fixes vulnerabilities automatically, with the company saying it is designed to ensure that code does not reach production without a baseline review.
Integrated into Claude Code, the feature scans for risks like SQL injection, cross-site scripting (XSS), and insecure data handling, flagging issues before deployment.
Always-on AI that catches bugs before they become breaches
The upgrade, which Anthropic says it uses to secure its own codebase, adds continuous automated security reviews directly into Claude Code’s workflow. Every new code change is assessed in real time, with the system identifying weaknesses as soon as they appear. The company described it as a constant watchtower, intended to intercept threats before they can be exploited.
Its scans target some of the most common and damaging vulnerabilities:
- SQL injection, where attackers slip malicious commands into database queries.
- Cross-site scripting (XSS), which can plant harmful scripts in web content.
- Authentication or authorization flaws that risk handing access to the wrong people.
It also checks for insecure data handling, like unsafe storage or transmission of sensitive information, and dependency vulnerabilities lurking in third-party libraries.
The AI system can be triggered on demand via a /security-review command or automatically for every new pull request through a GitHub Action. It posts inline comments on code changes, applies customizable rules to cut false positives, and integrates with existing CI/CD pipelines.
AI coding is booming, and so are its security risks
From side projects to production pipelines, AI-assisted coding has become widespread, with 92% of US enterprise developers at companies with more than 1,000 employees now using it, according to a GitHub survey.
But the convenience comes with a cost. A report from the Center for Security and Emerging Technology (CSET) found that nearly half of the AI-written code they tested showed signs of insecure practices. Separately, Veracode’s analysis found 45% of analyzed code samples failed standard security checks, introducing well-known flaws like those on the OWASP Top 10 list.
The consequences are already visible. In July, Wiz Research exposed a severe weakness in Base44, an enterprise vibe coding platform, that could have allowed an attacker to bypass authentication and create verified accounts. The vulnerability was patched in less than 24 hours, but the case highlighted how a single coding error in an AI-driven platform can put every application built on it at risk.
Attackers are also stepping up their game. According to cybersecurity data cited in industry reports, vulnerability-based breaches surged 124% year over year in the third quarter of 2024, with more than 22,000 new CVEs identified by midyear and an increasing number of zero-days appearing in active use. Many of those incidents exploited insecure code or weaknesses in development pipelines — exactly the kind of gaps automated review systems like Claude Code aim to shut down.
From writing code to protecting it
The fight over insecure code is part of a bigger battle, one where AI is fueling a wave of sophisticated attacks while also being turned into a weapon for defense to detect critical flaws before they are exploited. If that defensive edge grows, AI could one day tip the balance toward defenders.
Anthropic’s latest upgrade is among several initiatives intended to keep the technology driving today’s coding boom from becoming its biggest liability.
At Black Hat 2025, Microsoft shared how its security teams track and counter attacks as they happen, aiming to shut them down before they spread.
