Claude Code Security is here. Here's what it still doesn't cover.
Anthropic just launched Claude Code Security — a research preview that finds complex vulnerabilities using semantic reasoning. It's impressive work. The right question isn't whether to use it. It's where it fits in your pipeline.
Claude Code Security is a deep audit layer. It is not pipeline infrastructure. The difference matters more than most teams realize — and it becomes visible the moment you trace what actually happens at each stage of your workflow.
Both tools have a job. They are not the same job.
What Claude Code Security actually does
Let's be accurate about this. Claude Code Security reads and reasons about your codebase the way a senior security engineer would. It doesn't match patterns — it understands context. That lets it catch vulnerabilities that pattern-matching tools structurally cannot: complex business logic flaws, broken access control, multi-step privilege escalation paths that only surface when you understand the full execution flow.
It runs multi-stage verification to filter false positives before findings reach your team. It assigns severity ratings. Everything surfaces in a dashboard for human review, and developers approve patches manually — nothing applies automatically. That is a deliberate design choice.
What this is designed for:
Auditing existing codebases for deep, context-dependent vulnerabilities. Finding what experienced security researchers find. Reducing the backlog of complex findings that neither automated scanners nor under-resourced teams have time to surface manually.
That is a real and significant capability. It is also, by design, an enterprise research preview. No CLI. No pre-commit integration. No CI/CD exit codes. The implications of those design constraints are exactly what this post is about.
The pipeline reality: security operates at four distinct stages
Most developers treat security tooling as a single category. It isn't. There are four distinct stages in a modern DevSecOps pipeline, each with different requirements, different failure modes, and different tools fit for the job.
| Stage | When it runs | Speed requirement | Tool fit |
|---|---|---|---|
| 1. Pre-commit | Before code enters history | < 3 seconds | CodeSlick CLI |
| 2. CI/CD gate | On every push, blocks merge | < 30 seconds | CodeSlick GitHub App |
| 3. PR review | During code review | < 2 minutes | CodeSlick GitHub App |
| 4. Deep audit | Periodic / on-demand | Minutes to hours | Claude Code Security |
Claude Code Security is designed for Stage 4. It cannot fulfill — and was not designed for — Stages 1, 2, or 3. Understanding why requires looking at what actually happens at the earlier stages.
What happens before Stage 4 — a real example
Here is a realistic Node.js/Express route. This is the kind of code that ships in production more often than most teams admit — particularly at the velocity that AI-assisted development now makes possible.
const express = require('express');
const router = express.Router();
const db = require('../db');
// Stripe API key — hardcoded for 'quick testing'
const STRIPE_SECRET = "sk_live_4eC39HqLyjWDarjtT1zdp7dc";
router.get('/users/profile', async (req, res) => {
const { userId } = req.query;
// Direct string concatenation — SQL Injection (OWASP A03:2025)
const query = "SELECT * FROM users WHERE id = '" + userId + "'";
const result = await db.query(query);
res.json(result.rows[0]);
});
module.exports = router;Two vulnerabilities. Both critical. Both caught by CodeSlick in under 3 seconds at pre-commit, before this file ever touches git history.
Line 5: Stripe live API key exposed in source code
Line 11: Unsanitized user input concatenated into query
Now consider the hardcoded Stripe key specifically. If this file gets committed, the key is in your git history permanently. Deleting the file and pushing a fix does not remove it from history. Anyone with read access to the repository — current or former — can retrieve it with a single git command. The only remediation is to invalidate the key at Stripe immediately and audit all downstream usage. That work begins the moment the commit lands.
Claude Code Security can find this key in your existing repository. It cannot prevent the key from entering history in the first place. That window — between writing and committing — belongs entirely to Stage 1, and it is the most consequential window in your entire pipeline.
The timing problem in plain language:
A deep audit layer finds vulnerabilities after they enter your codebase. A pre-commit gate prevents them from entering in the first place. For entire categories of vulnerability — secrets, hardcoded credentials, known injection patterns — prevention at commit time is structurally superior to detection after the fact. Not marginally. Categorically.
What Claude Code Security is not designed to do
These are not criticisms. They are design constraints — understood and accepted by Anthropic. Knowing them precisely is what lets you build the right stack.
No CLI integration
Cannot run as a pre-commit hook. Developers cannot block commits locally before code enters version history.
No CI/CD gate
Cannot generate pipeline exit codes. Cannot block a merge automatically. Requires human intervention at the dashboard stage.
No secrets detection
Not mentioned in the announcement. CodeSlick covers 38 secret patterns across Stripe keys, AWS credentials, GitHub tokens, and private certificates.
No malicious package detection
No dependency scanning against known-malicious packages. CodeSlick maintains a registry of 66+ packages cross-referenced with OSV.dev.
No SBOM output
No Software Bill of Materials generation (SPDX 2.3 / CycloneDX 1.4). Required for supply chain compliance in regulated environments.
Enterprise-only, research preview
Not available to individual developers or small teams today. Timeline to general availability is undefined.
How they fit together
A complete security posture requires coverage at all four pipeline stages. Claude Code Security covers Stage 4, and covers it well. Stages 1 through 3 require tooling built specifically for speed, automation, and pipeline integration.
Here is what that stack looks like end to end:
CodeSlick CLI + GitHub App
306 OWASP-mapped checks, secrets detection (38 patterns), malicious package registry, SBOM generation, pass/fail CI gates with configurable thresholds, sub-3s pre-commit blocking.
CodeSlick GitHub App
Automated PR annotation with inline findings, severity scoring, AI-powered fix suggestions, SARIF upload to GitHub Security tab for team visibility.
Claude Code Security
Semantic reasoning over the full codebase. Complex business logic analysis, broken access control detection, multi-step vulnerability chains that require understanding intent — the things that pattern-matching cannot reach.
These are not competing for the same role. Claude Code Security's launch does not make Stages 1–3 redundant — it validates that the industry is taking full-pipeline security seriously. Teams with the most mature posture will run both. The choice between them is not a choice at all.
The practical reality:
By the time Claude Code Security runs a deep audit on your codebase, every commit already in your history has bypassed the window where pre-commit detection mattered. The hardcoded key on line 5 is already in three developers' clone histories and potentially in your CI environment.
Infrastructure-layer security stops problems before they become history. Audit-layer security finds problems that already are.
The argument for having both is not subtle. Build the fast layer first — pre-commit, CI gates, PR automation. Then add the deep audit layer on top. Skipping the infrastructure layer and relying on periodic audits means your commit history accumulates risk faster than any audit can clear it.
What to do today
If you are waiting for Claude Code Security to reach general availability before investing in your security toolchain: that is not a security strategy. That is a gap with a specific shape — and it is accruing interest in your git history right now.
Add the CodeSlick pre-commit hook. It runs in under 3 seconds and blocks the commit before secrets or injection patterns enter your version history.
Install the CodeSlick GitHub App. Every PR gets annotated with OWASP-mapped findings, CVSS scores, and inline fix suggestions before merge.
Enable pass/fail thresholds. Set the conditions under which a build fails automatically — critical CVSS scores, specific CWE categories, or any detected secrets.
When Claude Code Security reaches your team, add it at Stage 4. Use it for the deep, context-dependent reasoning it is built for. The infrastructure underneath it should already be solid.
The goal is not to pick the best security tool. It is to have no uncovered pipeline stage. Claude Code Security is a meaningful addition to the landscape. It also assumes you already have the infrastructure layer running underneath it.
About CodeSlick: CodeSlick is a security-first code analysis platform with 306 OWASP-mapped checks across JavaScript, TypeScript, Python, Java, and Go. Available as a web tool, GitHub App, and CLI pre-commit hook. Free tier available with your own API key.
Cover Stages 1 through 3 today
CodeSlick runs at pre-commit and in your CI pipeline — stopping vulnerabilities before they enter history. 306 security checks, sub-3s scan time, 95% OWASP 2025 coverage. Free tier with your own API key.