Claude Code just shipped a built-in security-guidance plugin — a 3-layer review that runs a pattern check, a model review, and a commit check before code lands. It's a real upgrade. But here's the catch: generic security review doesn't know your project.

It doesn't know which fields are nullable. It doesn't know that one of your APIs is deprecated and must never be called again. It doesn't know your auth layer, your tenant isolation, or the one query path that must stay read-only. The built-in review catches the textbook stuff. The bugs that actually ship are the project-specific ones.

The fix is your CLAUDE.md file. A few targeted rules turn that 3-layer review from "generic linter" into "senior security engineer who knows this codebase." Below are 10 copy-paste rules to drop in today, plus stack-specific sections for Node.js, Python, and databases.

Want the complete set? The CLAUDE.md Rules Pack has 27 production-tested rules covering security, workflow, commits, testing, and code quality → oliviacraftlat.gumroad.com/l/skdgt ($27)

Why generic security review misses your bugs