2026-02-22 🧭 Daily News

Claude Code Security Opens to Enterprise & Sandboxing Architecture Published


🧭 Claude Code Security — Now Available to All Enterprise Plan Customers

Following three days in limited preview, Claude Code Security is now available to all Enterprise plan customers without a waitlist. The mode can be activated via a toggle in the workspace admin console and applies to all Claude Code sessions for users in the workspace. When active, every code execution request is routed through a hardened sandbox, and all generated or modified code is automatically scanned for secrets, CVEs in imported packages, and common vulnerability patterns before being written to disk.

What the security mode adds

The mode is billed as an addition to the standard Enterprise seat price, with no per-scan surcharge. Anthropic notes that the security mode is not a replacement for a professional security review but is designed to catch the most common classes of AI-introduced vulnerabilities in day-to-day coding workflows.


🧭 Sandboxed Code Execution — Architecture Deep Dive

Anthropic has published a detailed technical post explaining the architecture behind the sandboxed code execution environment that powers both the dynamic web filtering feature (launched February 11) and Claude Code Security. The post describes a three-layer isolation model: a gVisor-based kernel sandbox at the lowest level, a time-and-memory-bounded execution budget enforced by a custom supervisor process, and an output validation layer that intercepts and normalises the sandbox's stdout/stderr before returning results to Claude.

Each sandbox instance is ephemeral — provisioned per tool call and destroyed immediately after — with no persistent filesystem access and no network egress. The post notes that the design deliberately trades flexibility for auditability: a sandbox that cannot reach the network or retain state produces outputs that are structurally easier to reason about from a security perspective, even at the cost of excluding use cases that require persistent state.
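As an added illustration (not Anthropic's implementation, which this page does not reproduce), the following Linux example shows the shape of the second and third layers: a supervisor that runs each call in a fresh process under CPU, memory and wall-clock limits, then normalises stdout/stderr. The function names and limit values are assumptions, and the gVisor kernel layer, filesystem isolation and network isolation are outside its scope.

```python
import re
import resource
import subprocess
import sys

# Assumed budget values; the page does not state the real limits.
WALL_SECONDS = 2
CPU_SECONDS = 1
MEMORY_BYTES = 512 * 1024 * 1024
MAX_OUTPUT_CHARS = 4096

# ANSI CSI sequences first, then any control byte other than tab and newline.
_CONTROL = re.compile(r"\x1b\[[0-9;?]*[ -/]*[@-~]|[\x00-\x08\x0b-\x1f\x7f]")


def _cap(kind, wanted):
    """Set soft and hard limit to `wanted`, never above the inherited hard limit."""
    _, hard = resource.getrlimit(kind)
    value = wanted if hard == resource.RLIM_INFINITY else min(wanted, hard)
    resource.setrlimit(kind, (value, value))


def _apply_budget():
    # Runs in the child between fork and exec, so limits bind only the child.
    _cap(resource.RLIMIT_CPU, CPU_SECONDS)
    _cap(resource.RLIMIT_AS, MEMORY_BYTES)


def normalise(raw):
    """Decode leniently, strip escape sequences and control bytes, cap the length."""
    text = _CONTROL.sub("", raw.decode("utf-8", errors="replace"))
    if len(text) > MAX_OUTPUT_CHARS:
        text = text[:MAX_OUTPUT_CHARS] + "\n[truncated]"
    return text


def run_tool_call(source):
    """Run one snippet in a fresh interpreter; return a structured, cleaned result."""
    argv = [sys.executable, "-I", "-c", source]
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=WALL_SECONDS,
                              preexec_fn=_apply_budget, cwd="/")
        status, out, err = proc.returncode, proc.stdout, proc.stderr
    except subprocess.TimeoutExpired as exc:
        # The child is killed on wall-clock expiry; keep whatever it wrote so far.
        status, out, err = "timeout", exc.stdout or b"", exc.stderr or b""
    return {"status": status, "stdout": normalise(out), "stderr": normalise(err)}
```

Because the caller only ever sees the dictionary returned by `run_tool_call`, raw terminal escapes and oversized output never reach the consumer, which is the auditability property the post emphasises.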
