The Wire
Vibe Coding

Tip: Claude Code's Security-Guidance Plugin Detects Vulnerabilities but Deliberately Doesn't Block

paddo.devmedium signal

paddo.dev's analysis (May 29) of Anthropic's security-guidance plugin reveals three hook layers: PostToolUse runs free pattern matching on edits, Stop sends diffs for model-based review at turn-end, and agentic review fires on commits. Critically, none of the layers block writes or commits — findings become conversational instructions for the writing Claude. A separate Claude instance reviews anonymously, avoiding self-rationalization. paddo.dev reports a 30-40% reduction in security-related PR comments but notes the enforcement gap is intentional: detection is the shallowest layer in a defense-in-depth stack.

Follow the thread