To try it out, run: ``` /plugins marketplace add anthropics/claude-code /plugin install security-guidance ```

Check out the security-guidance plugin that I worked on in this launch! It automatically injects security guidance if Claude uses potentially dangerous libraries or functions. This is an early experiment, but we already have data showing this helping Claude write more secure code

Today we’re introducing Claude Code Plugins in public beta. Plugins allow you to install and share curated collections of slash commands, agents, MCP servers, and hooks directly within Claude Code.

We’re at an inflection point in AI’s impact on cybersecurity. Claude now outperforms human teams in some cybersecurity competitions, and helps teams discover and fix code vulnerabilities. At the same time, attackers are using AI to expand their operations.

Got nerdsniped by the new Claude Code security review tool, here’s a deep dive: @AnthropicAI implemented their own SAST tool as a Python wrapper around the @claudeai API. It can run locally (in CC) or within Github actions to focus on PRs. Tests I ran: 1. It found Heartbleed!

Particularly excited for this launch — Claude Code can now review your code for security vulnerabilities. We're using this internally at Anthropic and it's already caught issues before we shipped them.

this started as a hackathon project that we used ourselves to find vulns! In the next 2 years, the world might 10/100/1000x the code it puts out. The only way to keep up is by using models to make it secure before it ever becomes a problem

I'm super proud to have worked on this launch! It started as a hackathon project and now we're here 🎉

Excited to present Security Signals with @ddworken and @we1x, my primary project at Google for the past five years. Thanks, @madwebwork! Paper: https://t.co/8d6V5HaYHE Slides:

"This blog post aims to provide a detailed blueprint for how Google has created and deployed a high-assurance web framework that almost completely eliminates exploitable web vulnerabilities." https://t.co/7TsK8ZFRrO

Building secure web apps shouldn't be a burden. We've built a high-assurance web framework at Google that makes security easy for developers. Learn about our "Secure by Design" approach and how it works in our new blog post: https://t.co/Iq19llnlEj cc: @ddworken

This is one of my favorite things about Google's security team, getting to work on security exercises like this is unimaginably exciting

Celebrating 15 years of password hacking 💻 🔑, Swiss Army knives (and sometimes even chainsaws or swords) included! 😲 Discover how Google's security teams turn employee farewells into security tests. https://t.co/Mapn7Nrs78

My @LocoMocoSec keynote slides on "Google's Recipe for Scaling (Web) Security" are online now: https://t.co/0CaClh0lX0

Day 2 @LocoMocoSec starting with @Google's Principal Information Security Engineer Artur Janc and Staff Information Security Engineer David Dworken! 🌟 @arturjanc @ddworken Join us: https://t.co/nNXe6VlujA

🎉 Register now to see @Google's Principal Information Security Engineer Artur Janc and Staff Information Security Engineer David Dworken present their talk "How Blocking Third-Party Cookies Can Fix the Web's Security Model" @LocoMocoSec! 🌟 @arturjanc @ddworken

"To understand the full impact of this, we can also look at our overall security feature coverage, where we can see statistics such as 96% of our most sensitive services enforcing CSP, and 80% of our most sensitive services enforcing Trusted Types" https://t.co/kmuiwz2MGG

How we scale web security at Google to address XSS and other common web security issues: https://t.co/N8rQSZlEmh

Are you interested in learning more about "Securely Hosting User Data in Modern Web Applications"? See our latest blog post for details! https://t.co/HK12srLfey

Today, we're open sourcing a log4j JAR scanner. Throw it at a filesystem, detect vulnerable JARs, and even rewrite them in place. Includes a Go API to import the JAR parsing for other applications. https://t.co/TWC4SJFm3p