Security Scanning with Claude Code

A penetration tester just handed your team a 47-page report. Eighteen findings, six rated critical. SQL injection in the admin API. Hardcoded JWT secret in a config file committed two years ago. An npm dependency three major versions behind with a known RCE. Your team spent four months building features and zero hours thinking about security. Now you have a deadline, a compliance audit next month, and no idea where to start. This does not have to be your story.

What You’ll Walk Away With

• A repeatable Claude Code workflow for scanning your codebase against the OWASP Top 10, identifying vulnerable dependencies, and detecting leaked secrets
• Copy-paste prompts that generate security middleware, input validation schemas, and Content Security Policy headers tailored to your application
• A CLAUDE.md security checklist that makes Claude Code enforce secure patterns on every code change

Whole-Codebase Security Audit

The first step is understanding your current exposure. Claude Code can read your entire project and produce a prioritized security assessment without any external tools.

Tip

Copy-paste prompt — full security audit:

Perform a security audit of this codebase. Check for: 1) SQL injection or NoSQL injection (string concatenation in queries), 2) XSS vulnerabilities (unsanitized user input rendered in HTML), 3) hardcoded secrets (API keys, passwords, JWT secrets in source files), 4) authentication bypasses (routes missing auth middleware), 5) insecure cryptography (MD5, SHA1 for passwords, weak random number generation), 6) missing security headers (CSP, HSTS, X-Frame-Options), 7) overly permissive CORS configuration. For each finding, show the file path, line number, severity (critical/high/medium/low), and a concrete fix.

Claude Code walks through your source files systematically. Because it has context on your entire project — middleware stack, route definitions, database queries, configuration files — it catches issues that static analysis tools miss, like an auth middleware that exists but is not applied to a specific route.

After the audit, prioritize fixes:

From the security findings you just identified, create a prioritized remediation plan. Group fixes by effort (quick wins under 30 minutes, medium fixes under 2 hours, architectural changes). Start implementing the quick wins now.

Dependency Vulnerability Scanning

Your node_modules folder contains code from thousands of maintainers. Claude Code can audit your dependency tree and generate an upgrade plan.

Tip

Copy-paste prompt — dependency audit and fix plan:

Run npm audit (or check package.json and lock file) and analyze the results. For each vulnerability: explain the risk in plain language, determine if our code actually uses the vulnerable code path, and recommend whether to upgrade, patch, or replace the dependency. Generate the npm commands to fix what can be fixed automatically, and create GitHub issues (as markdown files) for the ones that need manual migration.

The key value here is the “do we actually use the vulnerable code path” analysis. Most npm audit reports are noise — a vulnerability in a dev dependency’s test suite does not affect your production app. Claude Code can trace imports to determine real exposure.

For continuous scanning, add a pre-commit hook:

Create a Claude Code hook that runs on pre-commit. It should check any modified files for: 1) new hardcoded secrets (API keys, passwords, tokens), 2) new eval() or Function() calls, 3) new SQL string concatenation. If any are found, block the commit and print the finding.

Fixing OWASP Top 10 Vulnerabilities

Rather than generating a report and handing it off, use Claude Code to fix vulnerabilities in the same session.

Injection Prevention

Find all database queries in our codebase that use string concatenation or template literals instead of parameterized queries. For each one, rewrite it using parameterized queries with our ORM (Prisma/Drizzle/Knex). Show the before and after for each change.

Authentication Hardening

Tip

Copy-paste prompt — auth security review:

Review our authentication implementation. Check for: 1) password hashing algorithm (should be bcrypt or argon2, not MD5/SHA), 2) JWT token expiration (should be under 1 hour for access tokens), 3) refresh token rotation (old tokens should be invalidated), 4) brute force protection (rate limiting on login endpoint), 5) session fixation prevention. Fix any issues you find and add rate limiting middleware to the login route if missing.

Security Headers

Add a security headers middleware to our Express/Fastify app. Include: Strict-Transport-Security with max-age 1 year and includeSubDomains, Content-Security-Policy that allows scripts only from our domain plus any CDNs we use (check our HTML templates to find them), X-Content-Type-Options nosniff, X-Frame-Options DENY, Referrer-Policy strict-origin-when-cross-origin. Remove the X-Powered-By header.

Secret Detection and Prevention

Secrets in source control are the most common and most preventable security issue. Claude Code can both detect existing leaks and prevent future ones.

Search the entire git history for committed secrets: API keys, database connection strings, JWT secrets, private keys, AWS credentials. Check .env files that may have been committed, config files with hardcoded values, and test fixtures with real credentials. For each finding, tell me which commit introduced it and whether the secret is still valid (present in the latest code). Then generate a .gitignore update and a pre-commit hook that blocks secret commits.

Caution

Claude Code can search your current files and git history for secrets, but it cannot revoke leaked credentials. If Claude finds a secret that was committed to a public repo, assume it has been compromised. Rotate it immediately, then clean the git history.

Input Validation as a System

Rather than validating input ad-hoc in each route handler, ask Claude Code to generate a validation layer.

Tip

Copy-paste prompt — validation schema generation:

Look at all our API route handlers and generate Zod (or Joi) validation schemas for every request body, query parameter, and URL parameter. Create a validation middleware that runs before the route handler and returns 400 with specific error messages on validation failure. Group the schemas in a src/validation/ directory organized by resource (users.ts, orders.ts, etc.). Include: email format validation, string length limits, enum constraints for status fields, and numeric range checks.

This is one of those tasks where Claude Code’s ability to read your entire route layer and generate consistent schemas saves hours of manual work. The schemas also serve as documentation for your API.

Encoding Security Standards in CLAUDE.md

The most impactful security improvement is making Claude Code enforce security patterns automatically. Add to your CLAUDE.md:

## Security Requirements

- Never use string concatenation in database queries. Always use parameterized queries or the ORM.
- All API routes must have authentication middleware unless explicitly marked as public in this list: /health, /ready, /api/auth/login, /api/auth/register
- Passwords must be hashed with bcrypt (cost factor 12) or argon2id. Never MD5 or SHA.
- All user input must be validated with Zod schemas before processing.
- Secrets must come from environment variables, never hardcoded.
- HTTP responses must include security headers (CSP, HSTS, X-Frame-Options).
- File uploads must validate MIME type and enforce a 10 MB size limit.
- Rate limiting must be applied to authentication endpoints (10 requests per minute per IP).

With these rules, when any developer on your team asks Claude Code to “add a new API endpoint for user profile updates,” the generated code automatically includes auth middleware, input validation, parameterized queries, and rate limiting.

When This Breaks

Claude flags a “vulnerability” that is actually safe. False positives happen, especially with complex authorization logic. If Claude identifies a route as missing auth but it is intentionally public, add it to the public routes list in CLAUDE.md and re-run the audit.

The dependency upgrade breaks your app. Claude Code can identify which version to upgrade to, but major version bumps often include breaking API changes. Ask Claude to “review the changelog for express@5 and identify all breaking changes that affect our codebase” before upgrading.

Security headers break your frontend. A strict CSP will block inline scripts and third-party resources your app depends on. Run your app with the new headers, open the browser console, and paste the CSP errors back into Claude Code: “These CSP violations are appearing in the console. Update the Content-Security-Policy to allow these specific sources while keeping everything else locked down.”

The validation layer rejects legitimate requests. Schema validation is only as good as the schemas. After deploying, monitor 400 responses and feed examples back to Claude Code: “This request body was rejected but it should be valid. Update the Zod schema to accept this format.”

What’s Next

Monitoring and Observability Add security-focused alerting to detect attacks in real time

CI/CD Pipeline Configuration Integrate security scanning into your CI pipeline so vulnerabilities are caught before merge

Testing Strategies Write security-focused tests including fuzzing and injection attempt coverage