Awesome Claude Code Security

A curated collection of security resources, hardening tools, threat research, and governance frameworks for Claude Code and the AI coding agent ecosystem.

For security engineers, AppSec teams, platform engineers, and anyone deploying Claude Code in production.

Official Docs · Hardening · MCP Security · Tools · Enterprise · Research

---

Why this list? Claude Code runs shell commands, edits files, calls APIs, and installs MCP servers — all with your user privileges. One malicious .claude/settings.json, a poisoned MCP tool, or a prompt injection hidden in a README can lead to RCE, credential theft, or silent data exfiltration. This list exists to help you harden, govern, and monitor every surface.

---

Contents

• 📋 Official Security Documentation
• 🔒 Hardening and Permissions
• 📦 Sandboxing and Isolation
• 🪝 Hooks and Guardrails
• 🔌 MCP Security
• 💉 Prompt Injection and Agent Threats
• 🔑 Secrets and Data Leakage
• 🏢 Enterprise Governance and Policy
• ⚙️ Secure CI/CD and Automation
• 📦 Plugins, Extensions, and Supply Chain
• 🤖 Agent Orchestration and Loop Safety
• 🖥️ OS and Endpoint Hardening
• 🛠️ Security Tools and Scanners
• 🐛 Vulnerability Research and Disclosures
• 📐 Frameworks and Standards
• 📚 Research, Talks, and Writeups
• 🔄 Competitor and Adjacent Controls
• ✅ Checklists and Templates
• 🌐 Community and Ecosystem

---

📋 Official Security Documentation

Core security documentation published by Anthropic.

• Security Overview - Architecture reference covering permission model, sandboxing, prompt injection defenses, and privacy safeguards.
• Configure Permissions - Tiered Allow/Ask/Deny system with tool-specific rules, wildcard patterns, and precedence evaluation.
• Sandboxing - Filesystem and network isolation using Linux bubblewrap and macOS Seatbelt with domain restrictions.
• Hooks Reference - PreToolUse, PostToolUse, and ConfigChange hook events for security automation.
• Hooks Guide - Practical patterns: permission enforcement, injection detection, audit logging.
• Settings - Hierarchical config scopes (Managed > CLI > Local > Project > User) and sensitive file protection.
• Authentication - Credential management, secure storage, apiKeyHelper, and enterprise SSO.
• Data Usage - Retention policies, TLS + AES-256 encryption, telemetry, and training opt-out.
• Zero Data Retention - Enterprise immediate data deletion with HIPAA BAA coverage.
• Monitoring and Usage - OpenTelemetry integration for session tracking, token usage, and audit trails.
• MCP Configuration - MCP server setup, OAuth 2.0, scope hierarchy, enterprise allowlists/denylists.
• Claude Code on the Web - Cloud execution: isolated VMs, network proxies, git push restrictions, domain allowlists.
• Amazon Bedrock Integration - IAM policies, AWS Guardrails, credential management, model version pinning.

Anthropic Engineering & Blog

• Claude Code Security Features - Vulnerability detection: codebase scanning, multi-stage verification; found 500+ vulnerabilities in production code.
• Making Claude Code Secure and Autonomous - Engineering deep dive on filesystem isolation, network proxy, OS-level enforcement, credential exfiltration defense.
• Automate Security Reviews with Claude Code - Using Claude Code Security as an automated reviewer in CI pipelines.

🔒 Hardening and Permissions

Configs, frameworks, and guides for locking down Claude Code.

• Trail of Bits claude-code-config - Opinionated production defaults from a top security firm: sandboxing, permissions, hooks, skills, MCP server configs. The gold standard for secure setups.
• claude-code-security - Progressive hardening framework covering agent config protection, hooks, runtime security, injection prevention, and supply chain controls.
• everything-claude-code - Performance optimization system with security components: skills, instincts, memory, and research-first development patterns.
• Claude Code Ultimate Guide - Comprehensive documentation with production-ready templates including security hardening configs.
• Hardening Claude Code: Security Review Framework - Security review methodology with a ready-to-use audit prompt.
• StepSecurity: Securing Claude Code in GitHub Actions - Harden-Runner integration for network monitoring and tamper-proof logs in CI.
• Cycode: Anthropic Claude Code Security & AppSec - Analysis of Claude Code's security model from an AppSec vendor perspective.
• Snyk: Why Claude Code Security Is Great News - Industry analysis of Anthropic's security capabilities and what they mean for secure development.

📦 Sandboxing and Isolation

Isolating AI agent code execution from your host system.

• Arrakis - Self-hosted MicroVM sandbox for AI agents with backtracking, REST API, Python SDK, and Firecracker-based isolation.
• microsandbox - Open-source self-hosted MicroVM sandboxes with sub-200ms startup, hardware-level isolation via libkrun. ~3.3k stars.
• agent-infra/sandbox - All-in-one Docker sandbox for AI agents: browser, shell, file, MCP, and VS Code server in a container.
• sandbox-agent (Rivet) - Run Claude Code and other coding agents in sandboxes controlled over HTTP.
• codeduet-microvm-ai-agent-sandbox - MicroVM sandbox using Cloud Hypervisor with Linux and Windows guest support and hardware-level isolation.
• Kubernetes agent-sandbox - Kubernetes CRD for declarative sandbox management with persistent identity for AI agents.
• SWE-ReX - Sandboxed shell environments for AI code agents with parallel execution and cloud deployment support.
• awesome-sandbox - Curated list of code sandboxing solutions for AI, comparing isolation approaches.
• How to Sandbox AI Agents in 2026 - Technical comparison: MicroVMs vs gVisor vs hardened containers for agent isolation.
• Best Code Execution Sandbox for AI Agents - Ranked comparison of sandbox platforms with security/performance tradeoffs.

🪝 Hooks and Guardrails

Hook systems and runtime enforcement for Claude Code.

• claude-code-safety-net - Plugin intercepting destructive git/filesystem commands before execution. Semantic argument parsing distinguishes safe from dangerous operations.
• Lasso claude-hooks - Prompt injection defense hooks: scans files, web fetches, and command output in real-time. Detects 50+ injection patterns in READMEs, HTML comments, and docs.
• claude-code-hooks-mastery - Advanced hook patterns and techniques for Claude Code security automation.
• claudekit - Toolkit of custom commands, hooks, and security utilities for Claude Code.
• claude-code-hooks-multi-agent-observability - Real-time monitoring for multi-agent Claude Code sessions via hook event tracking.
• claude-code-showcase - Comprehensive project configuration example with hooks, skills, agents, commands, and GitHub Actions workflows.
• NeMo Guardrails - NVIDIA's toolkit for programmable LLM guardrails with Colang language for dialog flow control. ~4.5k stars.

🔌 MCP Security

Securing the Model Context Protocol ecosystem.

Scanners and Auditors

• Snyk agent-scan - Professional security scanner for AI agents, MCP servers, and skills covering 15+ risk categories.
• mcp-scan (Invariant Labs) - MCP security scanner with proxy mode for real-time scanning without infrastructure changes.
• Cisco MCP Scanner - Cisco's scanner for detecting threats and security findings in MCP servers.
• MCP Security Scanner (SARIF) - Static + dynamic checks for path traversal, auth gaps, prompt injection. Outputs SARIF for GitHub code scanning.
• AWS MCP Security Scanner - Integrates Checkov, Semgrep, and Bandit for comprehensive code security analysis via MCP.
• SecureMCP - Audit MCP for OAuth leaks, prompt injection, rogue servers, and tool poisoning.
• mcpserver-audit - Pre-use safety examination tool with vulnerability database.
• MCP Security Audit (npm) - Audits npm dependencies in MCP servers for known vulnerabilities via registry.

Gateways and Proxies

• Microsoft MCP Gateway - Reverse proxy for MCP servers in Kubernetes with OAuth 2.0 (Azure Entra ID), RBAC, and session-aware routing.
• Hypr MCP Gateway - OAuth proxy with dynamic client registration, prompt analytics, and MCP firewall for enterprise-grade servers.
• Secure MCP Gateway (Enkrypt) - Admin-level gateway with guardrails at each MCP server to block injection, exfiltration, and unauthorized access.
• Lasso MCP Gateway - Plugin-based gateway that intercepts and sanitizes sensitive information across MCP orchestration.
• IBM ContextForge - Open-source registry and proxy federating MCP/A2A/REST APIs with centralized governance and discovery.
• awesome-mcp-gateways - Curated list of MCP gateway products and solutions.

Standards and Checklists

• MCP Server Security Standard (MSSS) - Open, testable certification standard with compliance levels and evidence requirements.
• MCP Security Checklist (SlowMist) - Comprehensive checklist: input validation, rate limiting, RBAC, credential management, container hardening.
• awesome-mcp-security - Curated collection of MCP vulnerabilities, articles, tools, and best practices. ~660 stars.
• spring-ai MCP Security - Authorization framework for MCP client/server using Spring Security.

Research

• Pillar Security: MCP Security Risks - Threat analysis: tool poisoning, rug pulls, credential theft, cross-server manipulation.
• Invariant Labs: Tool Poisoning Attacks - Agent hijacking via malicious tool descriptions, WhatsApp exploit, "Rug Pull" mutation attacks.
• Simon Willison: MCP Prompt Injection - Practical analysis of confused deputy attacks in MCP tool integrations.
• Invariant Labs: GitHub MCP Vulnerability - Exploiting MCP to access private GitHub repositories.
• Netskope: Invisible Backdoors in MCP - Hidden backdoor mechanisms in MCP server implementations.
• Systematic Analysis of MCP Security (arXiv) - Academic systematic analysis of MCP security threats and defenses.
• MCPTox: Benchmark for Tool Poisoning (arXiv) - Academic benchmark for evaluating tool poisoning attacks on real-world MCP servers.

💉 Prompt Injection and Agent Threats

Attacks and defenses for AI coding agents.

Claude Code Specific

• Caught in the Hook: RCE via Claude Code Project Files - Check Point: three critical CVEs — RCE via MCP config, RCE via hooks, and API key harvesting.
• Lasso claude-hooks - Real-time prompt injection detection for Claude Code: 50+ patterns across files, web fetches, and docs.

Tools and Frameworks

• promptfoo - CLI for red-teaming LLM apps. Adaptive attack generation, CI/CD integration. Used by Shopify, Discord, Microsoft. ~6k stars.
• Garak - NVIDIA-backed red-teaming toolkit: 37+ probe modules for injection, jailbreaks, encoding bypasses, data extraction. Apache 2.0.
• PyRIT (Microsoft) - Python Risk Identification Tool for generative AI. Enterprise red-teaming framework for Azure environments.
• Rebuff (Protect AI) - Multi-layered prompt injection detection: heuristics, LLM analysis, vector DB of known attacks, canary tokens.
• HouYi - Automated prompt injection testing framework for LLM-integrated applications.
• Open-Prompt-Injection - Academic benchmark with DataSentinel and PromptLocate defenses.
• promptmap - Security scanner for custom LLM apps. White-box and black-box prompt injection testing.
• awesome-prompt-injection - Curated resource on prompt injection vulnerabilities in ML models.
• tldrsec/prompt-injection-defenses - Every practical and proposed defense against prompt injection, maintained by tl;dr sec.

Research

• OWASP LLM01:2025 Prompt Injection - Canonical definition and threat model. The #1 risk in 73% of production AI deployments.
• DEF CON 33 / Black Hat 2025: AgentFlayer - Zenity research: 0-click attacks on enterprise AI assistants including Copilot and Gemini.

🔑 Secrets and Data Leakage

Preventing credential exposure, data exfiltration, and transcript leakage.

Prevention Tools

• TruffleHog - Find, verify, and analyze leaked credentials. 800+ secret types, live verification. Essential for pre-commit scanning in AI workflows. ~18k stars.
• Gitleaks - Fast secrets scanner using regex and entropy. High precision, low false positives. ~19k stars.
• ggshield (GitGuardian) - Detect 500+ secret types with advanced validation. Pre-commit hooks, CI integration, and real-time scanning.
• LLM Guard (Protect AI) - Input/output security toolkit: PII detection, toxicity filtering, secrets scanning for LLM interactions. ~4k stars.
• ml-model-data-leak-layer - PII leak detection in LLM-generated content using ML and regex patterns.
• GitHub Secret Protection - Push protection with AI-powered detection. Enabled by default on public repos since 2024.

Claude Code Specific

• Data Usage and Privacy - Official data flows: retention policies, encryption, telemetry controls, training opt-out.
• Zero Data Retention - Enterprise immediate data deletion post-session with HIPAA BAA.
• Sensitive File Protection - Configure deny patterns for .env, credentials, SSH keys to prevent Claude Code access.
• CVE-2026-21852: API Key Harvesting - Demonstrated API key extraction from Claude Code sessions via crafted project files.

🏢 Enterprise Governance and Policy

Rolling out Claude Code securely across teams and organizations.

• Managed Settings - Enterprise-enforced config: managed policies override all scopes, controlling permissions, sandboxing, MCP.
• Monitoring and Audit - OpenTelemetry audit trails: session tracking, token usage, cost metrics, multi-team support.
• Authentication and SSO - SAML 2.0, OIDC, enterprise credential management, identity provider integration.
• Microsoft Agent Governance Toolkit - Zero-trust policy enforcement, identity management, execution sandboxing. Covers OWASP Agentic Top 10.
• GitHub Enterprise AI Controls - GA agent control plane: MCP allowlists, audit logs, RBAC, session monitoring for Copilot.
• GitHub AI Governance Framework - Creating organizational AI policy and governance for coding assistants.
• IBM + Anthropic Enterprise Partnership - Enterprise governance integration with IBM security and compliance capabilities.
• NVIDIA Safety for Agentic AI - Blueprint for improving safety, security, and privacy at build, deploy, and run stages.
• Claude Enterprise Deployment Guide - Enterprise security configurations and deployment controls explained.

⚙️ Secure CI/CD and Automation

Running Claude Code safely in pipelines and automated workflows.

• claude-code-action - Official GitHub Action for CI/CD. v1.0: auto mode detection, interactive + automation modes.
• claude-code-security-review - Official AI-powered security review Action for PRs. OWASP-aligned analysis, found vulnerabilities in Claude Code itself.
• GitHub Actions Docs - Official reference for Claude Code in GitHub Actions: triggers, configuration, permissions.
• StepSecurity Harden-Runner - Network monitoring and tamper-proof audit logs for Claude Code Actions — critical since claude-code-action has unrestricted network access.
• CLAUDE.md CI/CD Wiki - Community patterns for CLAUDE.md configuration in CI/CD pipelines.
• Claude Code Headless Mode - Non-interactive --print and -p flags for scripted security workflows and automation.

📦 Plugins, Extensions, and Supply Chain

Managing trust and risk in the Claude Code plugin ecosystem.

• Plugin Discovery & Trust Model - Official plugin marketplace: trust considerations, managed restrictions, organizational controls.
• claude-plugins-official - Anthropic's official managed plugin directory.
• claude-code-safety-net - Supply-chain safety plugin: intercepts destructive commands before execution.
• MCP Server Security Standard - Certification framework for MCP servers with compliance levels and evidence schemas.
• awesome-claude-code-plugins - Curated list of slash commands, subagents, MCP servers, and hooks.
• Trail of Bits Skills - Security research skills for Claude Code: vulnerability detection and audit workflows from Trail of Bits.
• Sonatype Guide MCP - Software supply chain intelligence: dependency vulnerability analysis and secure version recommendations.

🤖 Agent Orchestration and Loop Safety

Multi-agent workflows, sub-agents, and automated loop security.

• claude-code-hooks-multi-agent-observability - Hook-based monitoring for multi-agent Claude Code sessions.
• awesome-ai-agents-security - Living map of the AI agent security ecosystem covering orchestration risks.
• Microsoft Agent Governance Toolkit - Zero-trust execution for multi-agent workflows with cross-agent policy enforcement.
• OWASP Top 10 for Agentic Applications - 2026 standard: agent goal hijacking, tool misuse, identity abuse, delegation risks.
• NVIDIA Safety for Agentic AI - Build/deploy/run safety patterns for agentic architectures.
• Fortune: AI's Triple Act at Black Hat/DEF CON - Coverage of agent-to-agent interaction risks and shadow AI attack surfaces.

🖥️ OS and Endpoint Hardening

Platform-specific security for Claude Code workstations.

• macOS Seatbelt Profiles - How Claude Code uses Seatbelt for filesystem and network isolation on macOS.
• Linux Bubblewrap Isolation - Bubblewrap process isolation for Claude Code on Linux.
• Sensitive File Deny Patterns - OS-appropriate deny rules for credential files, SSH keys, cloud configs.
• VS Code Security Integration - Restricted Mode, trust verification, auto-edit risks, third-party provider controls.

🛠️ Security Tools and Scanners

Tools for auditing, scanning, and testing Claude Code and its ecosystem.

Claude Code Specific

• claude-code-security-review - Official Anthropic GitHub Action for AI-powered security review of PRs.
• Snyk agent-scan - Professional scanner: AI agents, MCP servers, skills. Auto-discovers and validates across 15+ risk categories.
• Trail of Bits Skills - Claude Code skills for security research, vulnerability detection, and audit workflows.
• Claude Code Security Auditor - Pattern for device-level security audits using Claude Code.

MCP Scanners

• mcp-scan (Invariant Labs) - MCP scanner with proxy mode for real-time connection monitoring.
• Cisco MCP Scanner - Enterprise-grade threat detection for MCP servers.
• MCP Security Scanner (SARIF) - Static + dynamic analysis with GitHub code scanning integration.
• AWS MCP Security Scanner - Integrates Checkov + Semgrep + Bandit via MCP server interface.

LLM Security Toolkits

• LLM Guard (Protect AI) - Input/output validation, PII detection, toxicity filtering, secrets scanning. ~4k stars.
• NeMo Guardrails (NVIDIA) - Programmable guardrails with Colang for dialog flow control and vulnerability scanning. ~4.5k stars.
• promptfoo - Red-team LLM apps: adaptive attacks, CI/CD integration, declarative configs. ~6k stars.
• Garak (NVIDIA) - Generative AI red-teaming: 37+ probes, 23 backends, prompt injection to data extraction.
• PyRIT (Microsoft) - Enterprise red-teaming for generative AI in Azure environments.
• Vigil - Detect prompt injections, jailbreaks, and risky LLM inputs.
• Langfuse Security & Guardrails - Observability platform with built-in security and guardrail integrations.

Secrets Scanners

• TruffleHog - 800+ credential types with live verification. Scans Git, filesystems, cloud storage. ~18k stars.
• Gitleaks - Regex + entropy secrets detection. Fast, accurate, minimal false positives. ~19k stars.
• ggshield (GitGuardian) - 500+ secret types with pre-commit and CI integration.

🐛 Vulnerability Research and Disclosures

Published CVEs, exploits, and security research on Claude Code.

• CVE-2025-59536: MCP Configuration RCE - Check Point: remote code execution via malicious MCP configuration in .claude/settings.json.
• CVE-2025-59356: Hooks-Based RCE - Check Point: RCE through malicious hooks in project settings files.
• CVE-2026-21852: API Key Harvesting - Check Point: API key extraction from Claude Code sessions via crafted project files.
• Dark Reading: Flaws Put Developer Machines at Risk - Coverage of Check Point findings and implications for developer workstations.
• The Hacker News: Claude Code RCE and Key Exfiltration - Technical breakdown of exploitation chains.
• SecurityWeek: Developer Devices Exposed - Analysis of silent attack vectors in Claude Code project files.
• HackerOne: Report Claude Code Vulnerabilities - Official responsible disclosure channel.

📐 Frameworks and Standards

Industry frameworks applicable to AI coding agent security.

• OWASP Top 10 for LLM Applications (2025) - Industry standard for LLM security risks. Prompt injection is #1.
• OWASP Top 10 for Agentic Applications (2026) - Peer-reviewed by 100+ researchers: goal hijacking, tool misuse, identity abuse, supply chain.
• OWASP AI Vulnerability Scoring System (AIVSS) - Standardized framework for scoring AI-specific security vulnerabilities.
• OWASP AI Security Verification Standard (AISVS) - Structured checklist for verifying AI application security.
• OWASP AI Exchange - 300+ page reference on AI threats and controls.
• MCP Server Security Standard - Certification framework for MCP server security compliance.
• NIST AI Risk Management Framework - Federal guidance on AI risk management.
• MITRE ATLAS - Adversarial Threat Landscape for AI Systems — knowledge base of adversary tactics and techniques.
• Agentic AI Top 10 Vulnerability (CSA/OWASP) - Community documentation for OWASP/CSA red teaming work.

📚 Research, Talks, and Writeups

High-quality security research, conference material, and technical analysis.

Conference Material

• Black Hat USA 2025: AI Security Crossroads - Comprehensive takeaways on agentic AI offense/defense.
• DEF CON 33: AgentFlayer Attacks - 0-click attacks on enterprise AI assistants. 174 vulnerabilities reported, 22 CVEs.
• Black Hat/DEF CON: AI Offense vs Defense - Analysis: AI more useful for defense than hacking — but agent attacks are accelerating.

Technical Research

• Trail of Bits AI/ML Security - Professional AI security assessment methodology: root cause analysis over checklists.
• Trail of Bits Publications - Archive of security research papers and presentations.
• Trail of Bits awesome-ml-security - Curated ML security references, tools, and guidance.
• LLM Security Guide - Comprehensive reference: OWASP GenAI Top-10, prompt injection, real-world incidents, defense catalogs.
• AI Red-Teaming Guide - Adversarial testing and security evaluation methodology for AI systems.
• Awesome LLMSecOps - LLM Security Operations: tools, frameworks, and operational guidance.

Vendor Research

• VentureBeat: Claude Code Security Wakeup Call - Industry impact analysis of Anthropic's security capabilities.
• CSO Online: Industry Wakeup Call - Why Claude Code Security changes the AppSec landscape.
• DataDome: MCP Prompt Injection Prevention - Practical guide to stopping prompt injection in MCP deployments.
• Lares: OWASP Agentic Top 10 in the Wild - Real-world threat examples mapped to OWASP Agentic categories.

🔄 Competitor and Adjacent Controls

How other AI coding tools handle security — useful for comparison and gap analysis.

• GitHub Copilot Agent Control Plane - Enterprise AI controls: MCP allowlists, audit logs, RBAC, session monitoring. GA Feb 2026.
• GitHub Agentic Security Principles - Autonomy limits, access controls, code scanning, agent governance.
• Microsoft Agent Governance Toolkit - Zero-trust agent framework: policy enforcement, identity, sandboxing.
• Google MCP Security Servers - Security Operations and Threat Intelligence MCP servers.
• Contrast Security MCP - Application security vendor MCP integration for vulnerability remediation.
• Palo Alto + NeMo Guardrails - AI Runtime Security integration with enterprise guardrails.

✅ Checklists and Templates

Ready-to-use security checklists, policy templates, and configuration references.

• Trail of Bits claude-code-config - Production-ready config templates from security experts. Start here.
• SlowMist MCP Security Checklist - Input validation, rate limiting, RBAC, credential management, container hardening.
• MCP Server Security Standard - Testable compliance checklist with evidence schemas.
• OWASP AISVS Checklist - Verification standard for AI application security.
• claude-code-security - Progressive hardening checklist: agent config → hooks → runtime → injection → supply chain.
• claude-code-safety-net Rules Reference - Custom rules reference for defining safe/dangerous command patterns.

🌐 Community and Ecosystem

Related lists, communities, and ecosystem resources.

• awesome-claude-code - Comprehensive Claude Code resource: skills, hooks, plugins, applications.
• awesome-mcp-security - MCP security vulnerabilities, articles, and best practices. ~660 stars.
• awesome-ai-agents-security - Living map of the AI agent security landscape.
• awesome-llm-security - LLM security tools, documents, and research.
• awesome-ai-security - Broad AI security resources: offensive, defensive, governance.
• awesome-mcp-servers - MCP server directory for the ecosystem.
• awesome-claude-code-plugins - Curated Claude Code plugins list.
• awesome-cybersecurity-agentic-ai - Cybersecurity + agentic AI resources.
• Awesome LLM Agent Security - Agent-specific attacks, vulnerabilities, exploitation techniques.
• awesome-ml-security (Trail of Bits) - ML security from a leading research firm.

---

Star History

---

Contributing

Contributions welcome! Please read the contribution guidelines first.

This is a curated list — quality over quantity. See the inclusion criteria before submitting.

License

This work is licensed under a Creative Commons Attribution 4.0 International License.