Static analyzers catch the patterns they were taught and then bury the signal under false positives. This tool takes the opposite bet: hand Claude the pull request diff and let it reason about whether a change is actually exploitable in context, not just whether it matches a known-bad shape. The payoff is fewer "technically a finding" comments and more that a reviewer would actually act on.
What Sets It Apart
- Reasons over the diff semantically instead of grepping for signatures, so it surfaces logic-level issues — auth bypass, privilege escalation, unsafe deserialization — that rule sets miss, while skipping risky-looking constructs that aren't reachable.
- Posts findings as inline PR comments with severity and a why/how-to-fix note, so security context lands where the code is read rather than in a separate dashboard.
- Ships two ways: a GitHub Action that scans only the changed files on each PR, and a
/security-reviewslash command for Claude Code, so the same engine works in CI and at the desk. - Filtering is opinionated — it drops whole classes by default (DoS, rate limiting, generic input validation without proven impact, open redirects) and the exclusions are configurable.
Great Fit If / Look Elsewhere If
Great fit if you want a reviewer-grade second pass on changed code and care more about actionable findings than exhaustive coverage. Look elsewhere if you need a hardened gate on untrusted contributions: it isn't built to resist prompt injection, so Anthropic recommends restricting it to trusted PRs. It also reviews diffs, not whole repositories, so pre-existing debt outside the change goes unflagged.