Security Guidance Plugin

/plugin install security-guidance@claude-plugins-official

What is the Security Guidance Plugin?

The Security Guidance Plugin is an Anthropic-official Claude Code plugin that scans code on every file write, not just when you remember to ask. It registers a pre-tool-use hook on Write, Edit, and MultiEdit tool calls that checks proposed content for command injection, cross-site scripting, path traversal, and unsafe code constructs before the file lands on disk.

For developer-tools teams that want layered pre-commit coverage, this plugin pairs with the Code Review plugin: Security Guidance runs write-by-write, Code Review confirms the full diff before the pull request opens.

How does it work?

Claude Code fires registered hook scripts at specific lifecycle events. Security Guidance registers a pre-tool-use hook on file write events. When Claude attempts a file write, the hook runs against the proposed content before the write completes.

Hook architecture

The plugin’s hooks.json registers a Python script (security_reminder_hook.py) that:

1. Receives the file path and proposed content from Claude Code’s hook context
2. Scans the content for patterns matching known vulnerability categories
3. Returns a warning message if a pattern is detected, or exits cleanly if the content looks safe

Claude Code surfaces the warning in the session. Depending on your hook configuration, Claude can revise the code before retrying the write.

Detected pattern categories

Category	Example patterns flagged
Command injection	subprocess.call(user_input), os.system(f"cmd {var}")
XSS	innerHTML = userValue, unescaped template variables in HTML
Path traversal	../ sequences in file path parameters
Unsafe eval	eval(request.body), exec(input())
Insecure deserialization	pickle.loads(user_data) without source validation

Installation

/plugin install security-guidance@claude-plugins-official

After installation, the hook is active in all Claude Code sessions. No additional configuration is needed for the default warning-only mode.

When should you use it?

Use the Security Guidance plugin in any project that handles user input, builds web-facing endpoints, or processes untrusted data. Greenfield projects with no SAST tool in CI get immediate coverage without a pipeline integration. Teams that already run Semgrep, CodeQL, or Bandit in CI still benefit: the plugin catches issues before they hit the CI queue, avoiding wasted build cycles.

The plugin runs at the file write level, so it covers both Claude-generated code and code Claude edits from your instructions, which is the part of AI-assisted development where output can arrive faster than you can read it line by line.

Frequently asked questions

Does the Security Guidance plugin add latency to file writes?

The hook script is a local Python file scan, not an API call. For typical file sizes under 500 lines, it runs in milliseconds with no perceptible delay. Very large generated files of 5,000 or more lines may add a fraction of a second. No code is transmitted to an external service.

Can I customize the vulnerability patterns the plugin checks?

The default pattern set is defined in security_reminder_hook.py. Fork the plugin or edit the script after installation. The Anthropic plugin system does not currently support per-project config files for this plugin, so customization means editing the hook script directly in your Claude Code plugins directory.

Will the plugin catch all security vulnerabilities in my code?

No. It detects common patterns using string and AST-level heuristics, not full semantic analysis. Complex injection patterns, business-logic vulnerabilities, and issues that require runtime context will be missed. Treat it as a first-pass filter, not a replacement for a dedicated SAST tool, security code review, or penetration testing.