AI Primer

Claude Code ships Security Guidance plugin: 30-40% fewer PR security comments

Anthropic released a Security Guidance plugin for Claude Code through the plugin marketplace and said internal use cut security-related PR comments by 30 to 40 percent. Teams can also add their own rules in a claude-security-guidance.md file, kept in the repo or distributed through MDM, which makes Claude Code a first-pass policy check before human review.


TL;DR

  • Claude Code shipped a Security Guidance plugin through the /plugins marketplace, and ClaudeDevs' launch post says it is available to all Claude Code users.
  • In a follow-up thread, ClaudeDevs' benchmark note said Anthropic saw a 30 to 40 percent drop in security-related comments on PRs opened with the plugin.
  • According to ClaudeDevs' internal rollout note, the plugin is positioned as a lightweight first pass that catches issues before full code review.
  • Teams can add their own policies in a claude-security-guidance.md file, which ClaudeDevs' rules post said can live in a repo or be distributed through MDM.

The launch demo is in ClaudeDevs' post and the security guidance docs are linked there. The most interesting detail is that Anthropic framed the plugin less as a scanner and more as an always-on pre-review pass, with org-specific rules layered on top of the built-in checks.

Plugin marketplace

Anthropic shipped the Security Guidance plugin as a marketplace install inside Claude Code. The launch post says every Claude Code user can add it from /plugins, which makes this a default workflow feature rather than a gated enterprise add-on.

The launch video attached to ClaudeDevs' demo post shows the product in action, which matters because Claude Code plugins have mostly been framed as capability add-ons. Here, the add-on is a policy layer aimed directly at code quality and security review.

PR comment drop

The main performance claim came from Anthropic's own rollout. In ClaudeDevs' internal benchmark post, the team said PRs opened with the plugin drew 30 to 40 percent fewer security-related review comments.

The same post describes the plugin as a lightweight first pass before full review. That is a specific product framing: catch obvious security issues while the code is still being written, then leave human review for everything that survives that pass. Two caveats apply to the number. It is Anthropic's own internal measurement, with no published methodology for what counted as a security-related comment, and fewer review comments is a proxy: it can mean fewer issues reached review, or that reviewers trusted the plugin's pass and looked less closely.
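One way to check a claim like this against your own repositories, as an added example that is not Anthropic's or the plugin's code: classify review comments by keyword, then compare security comments per PR between a baseline cohort and a cohort of PRs opened with the plugin. The PR numbers, cohort labels and comment bodies below are constructed, and the keyword list is an assumption; in practice you would pull the comments from your code host's API and label each PR by whether the plugin was enabled when it was opened.

```python
"""Compare security-related review comments per PR across two cohorts of PRs."""
import re
from dataclasses import dataclass
from typing import Iterable

# Assumed keyword classifier. A real rollout should calibrate this list
# against a hand-labelled sample, since it is what "security-related" means here.
SECURITY_PATTERNS = [
    r"\bsql injection\b", r"\bparameteri[sz]ed\b", r"\bxss\b", r"\bescap(e|ing)\b",
    r"\bcsrf\b", r"\bssrf\b", r"\btraversal\b", r"\bdeserializ",
    r"\b(api key|secret|credential|password)s?\b", r"\btoken\b", r"\bexpir",
    r"\bsaniti[sz]", r"\bauth(entication|orization)?\b", r"\b(tls|ssl)\b", r"\bhardcoded\b",
]
_COMPILED = [re.compile(p, re.IGNORECASE) for p in SECURITY_PATTERNS]


@dataclass(frozen=True)
class ReviewComment:
    pr: int        # pull request number
    cohort: str    # "baseline" (no plugin) or "plugin"
    body: str      # review comment text


def is_security_comment(body: str) -> bool:
    """True when any security keyword appears in the comment body."""
    return any(p.search(body) for p in _COMPILED)


def security_comments_per_pr(comments: Iterable[ReviewComment], cohort: str) -> float:
    """Security-related comments divided by the number of distinct PRs in the cohort."""
    comments = list(comments)
    prs = {c.pr for c in comments if c.cohort == cohort}
    if not prs:
        raise ValueError(f"no PRs in cohort {cohort!r}")
    hits = sum(1 for c in comments if c.cohort == cohort and is_security_comment(c.body))
    return hits / len(prs)


def relative_drop(comments: Iterable[ReviewComment],
                  baseline: str = "baseline", treatment: str = "plugin") -> float:
    """Fractional reduction in security comments per PR from baseline to treatment."""
    comments = list(comments)
    base = security_comments_per_pr(comments, baseline)
    treat = security_comments_per_pr(comments, treatment)
    return (base - treat) / base


# Constructed sample: three PRs without the plugin, three with it.
SAMPLE_COMMENTS = [
    ReviewComment(101, "baseline", "This query concatenates user input; use a parameterized statement."),
    ReviewComment(101, "baseline", "Nit: rename foo to bar."),
    ReviewComment(102, "baseline", "Hardcoded API key in config, move it to the secrets manager."),
    ReviewComment(102, "baseline", "Please add a unit test."),
    ReviewComment(103, "baseline", "Path is built from the request without normalization, traversal risk."),
    ReviewComment(103, "baseline", "Token never expires, add a TTL."),
    ReviewComment(201, "plugin", "Typo in docstring."),
    ReviewComment(202, "plugin", "Escaping is missing on this template variable (XSS)."),
    ReviewComment(202, "plugin", "Consider extracting this helper."),
    ReviewComment(203, "plugin", "LGTM."),
]

if __name__ == "__main__":
    for cohort in ("baseline", "plugin"):
        print(f"{cohort}: {security_comments_per_pr(SAMPLE_COMMENTS, cohort):.2f} security comments per PR")
    print(f"relative drop: {relative_drop(SAMPLE_COMMENTS):.0%}")
```

The per-PR rate matters more than the raw count, because a cohort that opens more or larger PRs will collect more comments of every kind; if PR size differs between cohorts, normalize by changed lines as well.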

claude-security-guidance.md

Teams can extend the built-in checks with a claude-security-guidance.md file. According to ClaudeDevs' configuration post, that file can sit in the repository itself or be pushed to machines through MDM.

That turns the plugin into a distribution point for company-specific security rules, not just Anthropic's defaults. The linked security guidance docs are the canonical reference for how those policies are enforced alongside the built-in checks. One practical note: a rules file that lives in the repository is editable by anyone with write access to that repository, so changes to it deserve the same review as changes to CI configuration, and MDM distribution is the option to reach for when the rules should not be changeable from inside the repo.
