Scan Pending Changes for Security Issues with /security-review
The /security-review command analyzes your uncommitted changes for security vulnerabilities before you push. It reads the current git diff and produces a report organized by severity, with specific line references and remediation suggestions.
/security-review
Claude reviews the diff for common risks including:
- User input passed directly to SQL queries, shell commands, or file paths
- JWT or session handling mistakes and weak token validation
- Missing authorization checks on new endpoints or routes
- API keys, credentials, or secrets accidentally staged for commit
- Missing input validation on newly added form fields or request bodies
- Unsafe use of eval, exec, or similar constructs
Running /security-review before opening a PR catches vulnerabilities that automated linters miss, since Claude reasons about the intent of code and not just its syntax. A linter cannot tell you that a new route is missing an auth guard. Claude can.
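To make the risk categories above concrete, here is an added example that is not Claude Code's own implementation (which reasons about intent rather than matching patterns): a small Python scanner that parses a unified diff, tracks new-file line numbers from the hunk headers, and flags added lines matching a few of the listed classes, reporting them by severity with file:line references in the shape the command's report takes. The diff, rules, file paths and the secret-looking value are all constructed for the example.

```python
"""Heuristic diff scanner (added example, not Claude Code's implementation).
Applies regex rules to the ADDED lines of a unified diff and groups findings by
severity with file:line references. It is the pattern-matching baseline that the
text contrasts with intent-aware review."""
import re
from collections import defaultdict

# Each rule: (severity, issue description, regex matched against one added line).
# Rules and severities are assumptions chosen for illustration.
RULES = [
    ("HIGH", "possible hardcoded secret staged for commit",
     re.compile(r"(?i)(api[_-]?key|secret|password|token)\s*[:=]\s*['\"][^'\"]{8,}['\"]")),
    ("HIGH", "SQL built by string formatting or concatenation",
     re.compile(r"(?i)^(?=.*\b(select|insert|update|delete)\b)"
                r"(?=.*(f['\"]|\.format\(|%\s*\(|\+\s*\w|\$\{)).*$")),
    ("HIGH", "subprocess call with shell=True",
     re.compile(r"shell\s*=\s*True")),
    ("MEDIUM", "use of eval/exec",
     re.compile(r"\b(eval|exec)\s*\(")),
]

# Hunk header: "@@ -old[,count] +new[,count] @@"; we only need the new start line.
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")
SEVERITY_ORDER = ["HIGH", "MEDIUM", "LOW"]


def scan_diff(diff_text):
    """Walk a unified diff and return findings as dicts:
    {severity, file, line, issue, code}. 'line' is the line number in the NEW file."""
    findings = []
    path, new_line, in_hunk = None, 0, False
    for raw in diff_text.splitlines():
        m = HUNK.match(raw)
        if m:
            new_line, in_hunk = int(m.group(1)), True
            continue
        if raw.startswith("diff --git "):
            in_hunk = False  # new file section; headers follow before the first hunk
            continue
        if not in_hunk:
            if raw.startswith("+++ "):
                p = raw[4:].strip()
                path = p[2:] if p.startswith("b/") else p
            continue
        tag, code = raw[:1], raw[1:]
        if tag == "+":
            for sev, issue, rx in RULES:
                if rx.search(code):
                    findings.append({"severity": sev, "file": path, "line": new_line,
                                     "issue": issue, "code": code.strip()})
            new_line += 1
        elif tag in ("-", "\\"):
            continue  # removed line or "\ No newline at end of file": not in the new file
        else:
            new_line += 1  # context line (" " prefix, or "" if whitespace was stripped)
    return findings


def format_report(findings):
    """Render findings grouped by severity, highest first, one entry per finding."""
    by_sev = defaultdict(list)
    for f in findings:
        by_sev[f["severity"]].append(f)
    out = []
    for sev in SEVERITY_ORDER:
        if by_sev[sev]:
            out.append(f"== {sev} ==")
            for f in by_sev[sev]:
                out.append(f"{f['file']}:{f['line']}: {f['issue']}\n    {f['code']}")
    return "\n".join(out) if out else "No findings."


# Constructed sample diff (hypothetical app/routes.py; the secret value is fake).
SAMPLE_DIFF = "\n".join([
    "diff --git a/app/routes.py b/app/routes.py",
    "--- a/app/routes.py",
    "+++ b/app/routes.py",
    "@@ -10,4 +10,8 @@ def index():",
    "     return render(\"index\")",
    " ",
    "+@app.route(\"/user/<uid>\")",
    "+def user(uid):",
    "+    return db.execute(f\"SELECT * FROM users WHERE id = {uid}\")",
    "+",
    " def health():",
    "     return \"ok\"",
    "@@ -40,1 +44,2 @@ def config():",
    "     return settings",
    "+STRIPE_SECRET = \"sk_live_constructedexamplevalue123\"",
    "@@ -59,2 +64,3 @@ def calc():",
    "     expr = request.args.get(\"expr\", \"0\")",
    "+    result = eval(expr)",
    "     return str(result)",
])

if __name__ == "__main__":
    print(format_report(scan_diff(SAMPLE_DIFF)))
```

Run against the constructed diff it reports two HIGH findings (the formatted SELECT at app/routes.py:14 and the staged secret at line 45) and one MEDIUM (the eval at line 65). Note what it cannot do: the new /user/<uid> route carries no authorization check, and no regex over the diff will tell you that; that is exactly the gap the text says intent-aware review closes, so a scanner like this is a cheap pre-filter, not a replacement.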
Pair it with /diff to visually browse the changes Claude is reviewing, so you can correlate the report with specific edits:
/diff
# browse the changes, then:
/security-review
For large changesets, you can also describe a specific area of concern:
/security-review focus on the new file upload endpoint
Add /security-review to your pre-push checklist and catch issues before they reach code review.