The Claude Code security checklist

Claude Code can make broad, confident changes. Run through this checklist after a Claude Code session, and automate it so every change gets the same independent check.

1 repo · setup in about 5 minutes · no card, no commitment

01

Secrets and access

Confident code can still leak or skip a check. Verify:

  • No keys or tokens written into source or reachable routes
  • Every sensitive endpoint requires authentication and authorization
  • Admin and internal paths are not reachable without a session

02

Dependencies

Claude Code may add libraries to satisfy a task. Verify:

  • Every new dependency exists upstream (no hallucinated packages)
  • No typosquatted or slopsquatted names
  • No known-vulnerable or abandoned packages

03

Tests and behavior

Plausible changes need proof. Verify:

  • Tests prove behavior rather than just passing
  • New paths and error handling are covered
  • Nothing regressed silently in code Claude Code touched

04

Runtime and context

Some risk only appears at runtime, and CLAUDE.md can drift. Verify:

  • A changed route still behaves safely in the running app
  • Your CLAUDE.md still matches the real repo so the next session works from truth

05

Automate it

Independent verification beats self-review. Enji Guard audits the repo and the running app after Claude Code changes, keeps CLAUDE.md honest, and returns reviewable GitHub issues or pull requests.

Quick questions

Why audit Claude Code's output if it is already careful?

Independent verification catches what self-review misses. The same model that wrote the code shares its blind spots; a separate auditor with different runbooks does not. The first audit is free.

Can Guard run this automatically?

Yes. Connect the repo and Guard re-audits on a schedule, so every Claude Code change gets the same check and CLAUDE.md stays aligned with the code.

Verify what Claude Code wrote, automatically.

Connect a repo and Guard audits every change. No card.