Claude Code has a security vulnerability scanner.
- It's pretty good, although it can be tricked.
- In one case, it even proactively ran the code it suspected of being malicious while it was investigating it.
- This kind of mitigation only helps in situations that are not adversarial.
- It helps where you wrote code that might have accidental gaps, not when you're verifying code that a potentially malicious party sent you.
- It's very easy to use it in a dangerous way, giving you a false and actively misleading sense of security.