NEW: Claude Code Security — research preview →

Security & Hardening

Protect your codebase and data

Threat Landscape

Claude Code Security (research preview, launched Feb 2026) uses contextual reasoning to find vulns that SAST tools miss.

✓ 500+ high severity vulns found across OSS projects
✓ Coverage: memory corruption, injection flaws, auth bypass
✓ Adversarial verification built-in
✓ Enterprise/Team plan only (free for OSS maintainers)

AgentShield Scanning

From everything-claude-code: automated security scanning with red-team verification.

$ npx ecc-agentshield scan --opus --fix

✓ 102 security rules across 5 categories
✓ Red-team + blue-team + auditor pipeline
✓ Output: A-F grade, JSON, Markdown, HTML
✓ Exit code 2 on critical (CI/CD gates friendly)
✓ GitHub Actions integration available

Daily Hygiene Checklist

Never run Claude Code as rootUse Docker/VM for isolation in productionAudit MCP configs monthlyKeep transcripts to 7-14 days maxReview managed-settings.json monthlyUse file system / network isolation

Best Practices

Configuration

• Use managed-settings.json (allow/ask/deny)
• Define Rules layer (~/ .claude/rules/)
• Create AGENTS.md for org policy
• Pin MCP server versions

Operations

• Regular security audits
• Team permission governance
• Incident response procedures
• Token budget monitoring