I don't rely on Claude Code as a sole security reviewer, but I use it as a fast first pass before code review. It catches a category of issues that are easy to miss when you're close to the code you wrote.
The prompt
At the end of any session touching auth, user input handling, or data access:
Review this code for security issues. Focus on: input validation, authentication bypass paths, data exposure risks, injection vulnerabilities, and insecure defaults. List specific issues with line references, not general advice.
The "not general advice" part matters. Without it, Claude produces a list of reminders that don't tell you anything about the actual code.
What Claude catches reliably
Missing input validation. User-supplied data used without sanitization. Claude spots this consistently.
SQL injection patterns. String concatenation in queries, unparameterized inputs — even in ORMs with raw query escape hatches.
Exposed sensitive fields. API responses returning password hashes, internal IDs, or fields that shouldn't leave the server.
Insecure cookie settings. Missing httpOnly, missing secure flag, missing sameSite. Easy to forget. Claude checks for them.
Hardcoded secrets. API keys, tokens, passwords in source. Flagged immediately.
What Claude misses
Business logic vulnerabilities. An authorization check that's technically correct but logically flawed — a user accessing another user's data through a valid API path — won't be caught without knowing the full data model and permission structure.
Race conditions. Time-of-check-to-time-of-use in concurrent code. Sometimes spotted, often missed.
Supply chain issues. What your dependencies do is outside Claude's scope.
Use it as one layer
Claude security review → peer code review → security testing. In that order.
Claude is fast and catches common issues. Peer review catches domain-specific logic issues. Testing validates both.
Treating Claude's review as the final word is the same mistake as treating any automated tool as the final word.
More Claude Code patterns: builtbyzac.com
Top comments (0)