anthropics

A reference implementation for autonomous vulnerability discovery and human-reviewed remediation with Claude

89% credibility
Found May 27, 2026 at 16 stars.
Python
AI Summary

An autonomous vulnerability discovery pipeline that uses AI agents to find, verify, report, and patch memory-safety bugs in C/C++ codebases, running everything inside isolated sandbox containers for safe security research.

How It Works

1. 🔍 Learn about AI-powered security testing

   You hear about using AI to automatically find security bugs in your code and decide to explore this approach.

2. ⚙️ Set up your testing environment

   You install the tools and run a one-time setup script that prepares isolated containers where the AI can safely hunt for bugs.

3. 🎯 Define what to look for

   You work with the AI to build a threat model, deciding which parts of your code matter most and what kinds of bugs would be serious.

4. 🚀 Watch the AI hunt for vulnerabilities

   Multiple AI agents work in parallel, each exploring different parts of your code and crafting test inputs to trigger crashes.

5. Review confirmed findings

   Each potential bug is verified in a fresh environment to make sure it's real, then analyzed for how dangerous it would be if exploited.

6. 🩹 Generate and test fixes

   For confirmed crashes, the AI proposes fixes and automatically tests them to ensure they actually work without breaking anything else.

🎉 Get a prioritized list of vulnerabilities with fixes

You receive reports ranked by severity, each with a clear explanation and a verified patch ready to apply to your codebase.

AI-Generated Review

What is defending-code-reference-harness?

This is a reference implementation for autonomous vulnerability discovery and remediation using Claude. Built in Python, it orchestrates a multi-agent pipeline that reads source code, crafts proof-of-concept inputs, verifies crashes in isolated containers, and generates exploitability reports. The pipeline runs inside Docker containers sandboxed with gVisor, with each agent restricted to a minimal network egress allowlist. It ships with example targets demonstrating real CVE discovery in C/C++ libraries like dr_libs, where it finds memory corruption bugs from source alone—no CVE hints, no prior knowledge. The project also includes Claude Code skills like `/threat-model`, `/vuln-scan`, and `/triage` for interactive scanning workflows.

Why is it gaining traction?

The hook is execution-verified findings. Unlike static scanners that flood you with potential issues, this pipeline requires every reported bug to actually crash the target in a fresh container, verified by AddressSanitizer. A separate grader agent validates each crash independently, and a judge agent deduplicates findings across parallel runs. The result is a short, ranked list of confirmed vulnerabilities with exploitability analysis rather than a raw dump. Teams also get a patch generation loop that applies fixes, rebuilds the target, and re-attacks the patched binary to verify the fix holds.

Who should use this?

Security teams evaluating AI-assisted vulnerability research will find the most value here. The reference implementation targets C/C++ with ASAN, but the architecture is language-agnostic—swap the detector and prompts to adapt it for other targets. Organizations already using Claude Code for code review can start with the read-only skills immediately, while teams wanting autonomous scanning will need Linux hosts with Docker and gVisor. The project is explicitly not maintained and not accepting contributions, so treat it as a reference architecture rather than a production tool.

Verdict

The credibility score of 89% and 16 stars reflect a very early-stage reference implementation, not a production tool. The documentation is thorough and the architecture is sound, but the project explicitly states it is not maintained. Use it as a blueprint for building your own pipeline, not as a dependency. The companion cookbook on Anthropic's platform offers a lighter-weight alternative for teams that want the same workflow without the infrastructure overhead.
