In Claude Code, /security-review is a command that runs a security review of the changes you're about to ship. It looks at the pending changes on your current branch and flags security problems in them, such as injection flaws, authentication and authorization gaps, and data exposure. A "pending change" is simply new or edited work that hasn't been merged or shipped yet. Running the command means a security issue gets caught while you can still fix it quietly, instead of after it's live.
What the /security-review command does
When you run /security-review, Claude reads the difference between what your code looked like before and what it looks like now (the "diff"), and reviews only that. It is not rewriting anything or shipping anything. It reads, then reports back what it found and where, so a person can decide what to do about it. Think of it as a careful second set of eyes focused on one question: could this change be used to break in, leak data, or do something it shouldn't?
/security-review: run a security-focused review of the pending changes on your branch.
The kinds of problems it looks for
The review is built around the categories of mistake that most often turn into real security incidents. The big ones, in plain terms, are the three named above: injection flaws, authentication and authorization gaps, and data exposure.
[Figure: Three of the risk categories a security review targets.]
How it's different from /code-review
Claude Code also has a general /code-review that checks a change for correctness and cleanup, the everyday "is this good code?" pass. The /security-review command is a deeper, security-focused version of that same idea. It complements the general review rather than replacing it: run the general review to catch bugs, and run /security-review when you specifically want to know whether a change is safe to expose to the world.
A real example
Say your team just added a login screen and a page that returns a customer's account details. That's exactly the kind of change where a small mistake becomes a big problem: a missing permission check could let one customer pull up another's data. Before shipping it, you run the command.
Nothing shipped. The review simply pointed at the risky line and explained why it matters, so the gap gets closed in review instead of in production. The same pattern is worth running any time a change touches sign-in, handles user input, reads or writes files, or returns data.
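The account-details mistake described in this example, written out as an added illustration that is not code from the page or from Claude Code. It shows the "before" handler that checks only that someone is signed in, beside the "after" handler that also checks that the signed-in customer owns the requested account. The account store, the customer names and the handler names are constructed for illustration; a real service would read the session and the database instead.

```python
"""Added example: a customer-account endpoint with and without the ownership
check. The ACCOUNTS store, the user names and the handler names are
constructed for this illustration, not taken from any real project."""

# Constructed sample data: two customers and their account records.
ACCOUNTS = {
    "acct-1001": {"owner": "alice", "balance": 120.50, "email": "alice@example.com"},
    "acct-2002": {"owner": "bob", "balance": 8.00, "email": "bob@example.com"},
}


class Forbidden(Exception):
    """Raised when nobody is signed in."""


class NotFound(Exception):
    """Raised when the requested account cannot be returned to this user."""


def get_account_before(session_user: str, account_id: str) -> dict:
    """The risky version: it confirms someone is signed in, then returns
    whatever account id was asked for. Any customer can read any account."""
    if not session_user:
        raise Forbidden("sign-in required")
    record = ACCOUNTS.get(account_id)
    if record is None:
        raise NotFound(account_id)
    return record


def get_account_after(session_user: str, account_id: str) -> dict:
    """The fixed version: the same lookup, plus an ownership check so the
    signed-in customer only ever receives their own record."""
    if not session_user:
        raise Forbidden("sign-in required")
    record = ACCOUNTS.get(account_id)
    # Use the same error for "missing" and "not yours" so the response does
    # not reveal which account ids exist.
    if record is None or record["owner"] != session_user:
        raise NotFound(account_id)
    return record


def cross_account_read_possible(handler) -> bool:
    """Check a handler the way a reviewer would: can bob read alice's account?
    True means the permission gap is present."""
    try:
        handler("bob", "acct-1001")
        return True
    except (Forbidden, NotFound):
        return False


if __name__ == "__main__":
    print("before:", cross_account_read_possible(get_account_before))  # True
    print("after: ", cross_account_read_possible(get_account_after))   # False
```

The single added line in the "after" handler is the kind of thing the review points at: the diff for this change would contain both the new endpoint and the absence of any ownership check, which is exactly what a reviewer reading only the diff can spot.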
Why this matters if you don't code
You may never type this command yourself, and that's fine. The reason it's worth knowing is what it represents: a repeatable safety check that runs on every risky change, without waiting on a specialist's calendar. Catching a problem in review is cheap and quiet. Catching it after it ships means a scramble, and sometimes a breach. Building that check into how work gets done is the kind of system that separates teams who use AI well from teams who just talk to it.
