Defending Code Reference Harness
An open-source reference implementation for autonomous vulnerability discovery and remediation using Claude, covering threat modeling, scanning, triage, patching, and a sandboxed autonomous pipeline.
About Defending Code Reference Harness
The Defending Code Reference Harness is an open-source toolkit published by Anthropic under the Apache 2.0 license, designed to help security teams use Claude for autonomous vulnerability discovery and remediation. It provides both interactive Claude Code skills and a fully autonomous pipeline that walks through recon, finding, verification, reporting, and patching stages. The repository was created in May 2026 and is described by Anthropic as a reference implementation, not a maintained product.
What It Is
The harness is a Python-based reference pipeline that enables security engineers to run Claude-powered agents against source code repositories to find, verify, triage, and patch vulnerabilities. It ships with a set of Claude Code skills (/quickstart, /threat-model, /vuln-scan, /triage, /patch, /customize) for interactive use, plus an autonomous harness/ pipeline configured out of the box for C/C++ memory vulnerabilities using Docker and AddressSanitizer (ASAN). The repository README explicitly states it is "a reference, not a product" and is not accepting contributions.
How the Pipeline Works
The autonomous pipeline runs through seven distinct stages:
- Build: Compiles the target into a Docker image with ASAN enabled.
- Recon: A lightweight agent reads source code in a network-isolated container and proposes a partition of input-parsing subsystems for parallel exploration.
- Find: Multiple agents run in parallel, each in its own isolated container, crafting malformed inputs and running the ASAN binary until a crash reproduces reliably.
- Verify: A separate grader agent reproduces each crash in a fresh container using only the proof-of-concept produced by the find agent.
- Dedupe: A judge agent compares verified crashes against previously reported bugs to identify new, improved, or duplicate findings.
- Report: A report agent writes a structured exploitability analysis per unique bug, covering primitive class, reachability, escalation path, and severity.
- Patch: A patch agent proposes a fix, and a grader agent confirms the fix builds, the original proof-of-concept no longer crashes, the test suite passes, and a fresh find agent cannot bypass the fix.
Sandboxing and Security Model
The harness enforces a strict sandboxing model. The interactive skills (/quickstart, /threat-model, /vuln-scan, /triage) only read and write files and are safe to run without a sandbox as long as their tool uses are reviewed in Claude Code. The autonomous pipeline, however, executes target code and refuses to run outside a gVisor sandbox unless explicitly overridden. A setup script (scripts/setup_sandbox.sh) installs gVisor, builds agent images, and verifies isolation. Each agent runs inside a gVisor container with egress restricted to the Claude API.
Customization and Portability
The /customize skill allows teams to port the pipeline to languages and vulnerability classes beyond C/C++. Porting requires answering three questions for the target stack: what signals a finding (e.g., ASAN crash, exception, DNS callback), what a proof of concept looks like (e.g., crashing input file, HTTP request sequence), and how the target is built and run. The README provides a structured ramp-up path spanning from Day 1 interactive skills through Week 2 autonomous scanning, triage, and patching at scale.
Update: Repository Launch (May 2026)
The repository was created on May 22, 2026, and last pushed on June 2, 2026. It was published alongside the Claude Mythos Preview (Glasswing) announcement and an accompanying blog post on using LLMs to secure source code. Anthropic also references a companion cookbook on the Claude platform for a lightweight SDK-only walkthrough of the same vulnerability detection loop. The README notes that Anthropic offers a hosted managed version called Claude Security for teams that want a productized option rather than the self-hosted reference implementation.
Pricing
Open Source
Free to use, modify, and distribute under the Apache 2.0 license.
- Interactive Claude Code skills for threat modeling, scanning, triage, and patching
- Autonomous 7-stage vulnerability pipeline
- gVisor sandboxing support
- Customizable for any language or vulnerability class
- Companion cookbook and documentation
Capabilities
Key Features
- Interactive Claude Code skills for threat modeling, scanning, triage, and patching
- Autonomous 7-stage pipeline: build, recon, find, verify, dedupe, report, patch
- C/C++ memory vulnerability detection using ASAN and Docker
- gVisor sandboxing with egress restricted to Claude API
- Parallel find agents for broad vulnerability surface coverage
- Cross-run triage and deduplication via /triage skill
- Customizable pipeline for other languages and vulnerability classes via /customize
- Candidate patch generation and automated fix verification
- Structured exploitability reports per unique bug
- Companion Claude Code skills that only read and write files and are safe to run unsandboxed