The Claude Code security checklist
Claude Code can make broad, confident changes. Run through this checklist after a Claude Code session, and automate it so every change gets the same independent check.
1 repo · setup in about 5 minutes · no card, no commitment
01
Secrets and access
Confident code can still leak or skip a check. Verify:
- No keys or tokens written into source or reachable routes
- Every sensitive endpoint requires authentication and authorization
- Admin and internal paths are not reachable without a session
02
Dependencies
Claude Code may add libraries to satisfy a task. Verify:
- Every new dependency exists upstream (no hallucinated packages)
- No typosquatted or slopsquatted names
- No known-vulnerable or abandoned packages
03
Tests and behavior
Plausible changes need proof. Verify:
- Tests prove behavior rather than just passing
- New paths and error handling are covered
- Nothing regressed silently in code Claude Code touched
04
Runtime and context
Some risk only appears at runtime, and CLAUDE.md can drift. Verify:
- A changed route still behaves safely in the running app
- Your CLAUDE.md still matches the real repo so the next session works from truth
05
Automate it
Independent verification beats self-review. Enji Guard audits the repo and the running app after Claude Code changes, keeps CLAUDE.md honest, and returns reviewable GitHub issues or pull requests.
Quick questions
Why audit Claude Code's output if it is already careful?
Independent verification catches what self-review misses. The same model that wrote the code shares its blind spots; a separate auditor with different runbooks does not. The first audit is free.
Can Guard run this automatically?
Yes. Connect the repo and Guard re-audits on a schedule, so every Claude Code change gets the same check and CLAUDE.md stays aligned with the code.
Verify what Claude Code wrote, automatically.
Connect a repo and Guard audits every change. No card.
Enji Guard