anthropics/defending-code-reference-harness — explained in plain English
Analysis updated 2026-07-17 · repo last pushed 2026-06-15
Point the automated pipeline at a large C/C++ codebase to find memory vulnerabilities overnight.
Use the generated crash reports and candidate patches as a starting point for fixing found bugs.
Run interactive commands to build a threat model of a new project before writing any code.
Triage a list of already-known security issues with guided, step-by-step commands.
| anthropics/defending-code-reference-harness | facebookresearch/convnext | robbyant/lingbot-map | |
|---|---|---|---|
| Stars | 6,326 | 6,392 | 6,393 |
| Language | Python | Python | Python |
| Last pushed | 2026-06-15 | 2023-01-08 | — |
| Maintenance | Maintained | Dormant | — |
| Setup difficulty | hard | moderate | hard |
| Complexity | 4/5 | 3/5 | 4/5 |
| Audience | ops devops | researcher | researcher |
Figures from each repo's GitHub metadata at analysis time.
The automated pipeline compiles and runs your code to trigger crashes, so it must run inside isolated containers/sandboxes.
This repository from Anthropic is a reference toolkit for using Claude to automatically find and fix security vulnerabilities in source code. It provides a set of guided commands and an automated pipeline that can scan your code, identify bugs, verify that they are real, and even draft fixes. It was built based on Anthropic's experience partnering with security teams at various organizations. The toolkit works in two main ways. First, it offers interactive commands, like building a threat model, scanning for issues, triaging the results, and generating patches, that you run step-by-step alongside Claude. Second, it includes a fully automated pipeline that handles the entire process on its own: it explores your code, crafts inputs to trigger crashes, verifies the crashes in isolation, deduplicates the findings, writes a report, and proposes a fix. The default setup is tailored for finding memory bugs in C and C++ code, but it is designed to be customized for other languages and bug types. Security engineers, developer teams, and founders who want to proactively secure their codebases would use this. For example, a team with a large C/C++ codebase could point the automated pipeline at it to find memory vulnerabilities overnight, then use the generated reports and candidate patches to fix them. The interactive commands are also useful for a developer who simply wants to understand the security risks of a new project before writing any code, or to triage a list of known issues. A key detail is that this is explicitly a reference implementation, not a finished, maintained product. The automated pipeline actually compiles and runs your code to trigger real crashes, which requires strict security precautions. To keep things safe, the pipeline runs inside isolated containers and refuses to operate outside of a secure sandbox unless you explicitly override it. The interactive commands, by contrast, only read and write files and are safe to run on your own machine as long as you review what the tool is doing. The project emphasizes a "start small and iterate" approach. Rather than spending months designing the perfect security setup, it encourages teams to run a basic scan on day one, customize the pipeline for their specific tech stack over the next few days, and scale up to autonomous scanning by week two. However, the creators note that automated triage and patching remain challenging, and teams should expect to spend real engineering time reviewing and refining the results.
A reference toolkit that uses Claude to automatically scan source code for security bugs, verify they're real, and draft fixes, with a focus on memory vulnerabilities in C/C++.
Mainly Python. The stack also includes Python, Claude, C.
Maintained — commit in last 6 months (last push 2026-06-15).
License is not stated in the available content.
Setup difficulty is rated hard, with roughly 1h+ to a first successful run.
Mainly ops devops.
This repo across BitVibe Labs
double-check against the repo, no cap.