General SE | Source: github.com | June 4, 2026

Anthropic Open-Sources Sandboxed Reference Harness for Autonomous Vulnerability Detection and Patching

Anthropic has released a reference implementation of an autonomous vulnerability discovery and remediation pipeline powered by Claude. The system utilizes gVisor sandboxing and AddressSanitizer to dynamically verify C/C++ memory safety vulnerabilities before generating candidate patches.

Pipeline Architecture and Runtime Verification

The repository provides an autonomous pipeline that executes a structured security loop: reconnaissance, vulnerability discovery, dynamic verification, reporting, and patching. Unlike purely static analysis tools, this harness validates candidate vulnerabilities by compiling and executing target code. Out of the box, the system is configured to detect C/C++ memory safety violations by utilizing Docker containers and AddressSanitizer (ASAN) to capture runtime crashes and generate deterministic proof-of-concept logs.
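To make the verification step concrete, the following added example (not code from the Anthropic repository) reduces an AddressSanitizer report to a crash signature that stays the same across reruns, which is what lets a verifier confirm a candidate finding and deduplicate repeats. The sample log, the `parse_asan` function, and the signature scheme are assumptions made for illustration.

```python
import hashlib
import re

# Constructed AddressSanitizer stderr for illustration; not output from the harness.
SAMPLE_ASAN_LOG = """\
==4242==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000018 at pc 0x0000004f1b2a bp 0x7ffd3c1e2a10 sp 0x7ffd3c1e2a08
WRITE of size 4 at 0x602000000018 thread T0
    #0 0x4f1b29 in parse_header /src/demo/parse.c:41:17
    #1 0x4f1d03 in load_file /src/demo/load.c:88:9
    #2 0x4f2011 in main /src/demo/main.c:12:5
    #3 0x7f1c2a3d0082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)

0x602000000018 is located 0 bytes to the right of 8-byte region [0x602000000010,0x602000000018)
allocated by thread T0 here:
    #0 0x4a3f1d in malloc (/src/demo/a.out+0x4a3f1d)
    #1 0x4f1c80 in load_file /src/demo/load.c:80:18
SUMMARY: AddressSanitizer: heap-buffer-overflow /src/demo/parse.c:41:17 in parse_header
"""

ERROR_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: ([\w-]+)", re.M)
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+", re.M)
FRAME_RE = re.compile(r"^[ \t]*#(\d+) 0x[0-9a-f]+ in (.+) \S+$", re.M)


def parse_asan(log, max_frames=3):
    """Summarize the first ASAN report in `log`; None means no crash was observed."""
    err = ERROR_RE.search(log)
    if err is None:
        return None  # no sanitizer report, so the candidate stays unverified
    access = ACCESS_RE.search(log, err.end())
    frames = []
    for num, func in FRAME_RE.findall(log, err.end()):
        if num == "0" and frames:
            break  # a second "#0" begins the allocation/free stack, not the crash
        frames.append(func)
        if len(frames) == max_frames:
            break
    # Hash only fields that are stable across runs: no PID, addresses or line numbers.
    stable = "|".join([err.group(1), access.group(1) if access else "?", *frames])
    return {
        "bug": err.group(1),
        "access": (access.group(1), int(access.group(2))) if access else None,
        "frames": frames,
        "signature": hashlib.sha256(stable.encode()).hexdigest()[:16],
    }


if __name__ == "__main__":
    print(parse_asan(SAMPLE_ASAN_LOG))
```

Because the signature ignores process IDs, addresses, and line numbers, the same bug reproduced under ASLR or after a small unrelated edit maps to the same value, while a different access type or call path does not.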

The execution loop generates multiple structured security artifacts. These include threat models, vulnerability findings, triage reports, and verified candidate patches, which are saved locally as standardized files including THREAT_MODEL.md, VULN-FINDINGS.json, and TRIAGE.json.

gVisor Sandboxing and Execution Security

Because the autonomous pipeline compiles and runs target code to dynamically verify vulnerabilities, securing the host execution environment is a critical constraint. To prevent arbitrary code execution on the host system, the autonomous harness refuses to execute outside of a sandboxed runtime unless explicitly overridden by the operator.

Isolation is achieved using gVisor, a user-space kernel that intercepts and filters system calls from the guest container. The repository includes a setup script that installs gVisor, builds the agent container images, and validates container isolation. Operators execute the pipeline via a wrapper script that mounts target codebases into the restricted gVisor environment while enforcing a strict network egress allowlist to block unauthorized external communication.

Interactive CLI Skills

In addition to the autonomous harness, the repository implements a set of interactive utilities designed to run directly within Claude Code. These utilities operate as specialized commands that restrict their actions to local file reads and writes, making them safe to run without a sandbox under manual supervision.

The interactive commands map directly to specific engineering workflows:

  • The `/threat-model` command bootstraps an attack surface model for a target directory.
  • The `/vuln-scan` command executes a static security scan scoped by the generated threat model.
  • The `/triage` command dedupes, ranks, and filters the raw findings to eliminate false positives, such as ignoring test or fixture files.
  • The `/patch` command generates candidate source-code fixes for verified vulnerabilities.
  • The `/customize` command assists the developer in editing the harness itself, allowing the pipeline to be ported to other programming languages, build tools, or static analyzers.

Target Customization and Integration

This release is presented as a static reference implementation based on Anthropic’s partnerships with enterprise security teams. The repository is unmaintained and does not accept external pull requests. Instead, it serves as a structural blueprint for systems engineers to clone, modify, and integrate into their own continuous integration systems.

Porting the harness to different targets involves adjusting the language configurations, replacing compilation commands, and pointing the verifier to alternative dynamic analysis tools. The system can be integrated with various Anthropic API access paths, including direct Anthropic API keys, AWS Bedrock, Google Cloud Vertex AI, or Azure. For teams requiring a managed enterprise implementation, Anthropic offers Claude Security, a hosted product that provides multi-stage verification pipelines across multiple repositories.

Read the original article at github.com.