How Anthropic’s Open‑Source DCRH Uses Claude to Automate Vulnerability Discovery and Fixes

The DCRH project is Anthropic’s production‑grade, open‑source reference implementation that leverages Claude’s large‑model multi‑agent architecture to build an end‑to‑end AI‑driven security pipeline, reducing false positives and speeding up vulnerability remediation for C/C++ codebases.

AI Open-Source Efficiency Guide

Overview

Defending‑Code‑Reference‑Harness (DCRH) is an open‑source reference implementation from Anthropic that demonstrates an autonomous AI‑driven vulnerability discovery and remediation pipeline powered by the Claude large model.

Find‑and‑Fix Pipeline

The pipeline consists of six sequential stages:

Build : Compile the target with ASAN (C/C++ memory‑error detector) into a Docker image.

Recon : Lightweight agents read source code, construct an attack surface, and assign code regions to parallel agents.

Find : Multiple agents generate malformed inputs to trigger ASAN crashes.

Grade : A verification agent reproduces each crash in a fresh container.

Judge : A judge agent compares findings against existing reports to label them new, known, or duplicate; with --stream, this runs in real time.

Report : The report agent outputs a structured analysis including vulnerability type, exploitability, upgrade path, and severity.

Additional commands: Patch generates and verifies a fix; Dedup optionally clusters duplicate findings.
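The Judge and Dedup steps above label findings as new, known, or duplicate. The following Python block is an added example, not code from DCRH: it shows one common way to produce those labels from ASAN crash output by hashing the bug type and the top frames of the crashing stack. The signature heuristic, all function names, and the sample reports are assumptions constructed for this illustration.

```python
import hashlib
import re

# ASAN headers read "==PID==ERROR: AddressSanitizer: <bug-type> ..." and stack
# frames read "    #0 0x4f1a2b in parse_header /src/parser.c:42:5".
ERROR_RE = re.compile(r"ERROR: AddressSanitizer: ([\w-]+)")
FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-f]+\s+in\s+(\S+)", re.M)
# Sanitizer runtime and libc start-up frames do not locate the bug.
NOISE_RE = re.compile(r"__asan|__interceptor_|__sanitizer|__libc_start")

def signature(report, depth=3):
    """Assumed heuristic: hash bug type + first `depth` target frames of the
    crashing stack; PIDs and addresses are ignored so reruns hash the same."""
    m = ERROR_RE.search(report)
    if not m:
        return None  # timeout, clean exit, or other non-ASAN output
    crash_stack = report[m.end():].split("\n\n", 1)[0]  # first trace only
    frames = [f for f in FRAME_RE.findall(crash_stack) if not NOISE_RE.match(f)]
    key = "|".join([m.group(1)] + frames[:depth])
    return hashlib.sha256(key.encode()).hexdigest()[:16]

def judge(reports, known_signatures):
    """Label each report 'new', 'known', 'duplicate' or 'invalid'."""
    seen, labels = set(), []
    for sig in map(signature, reports):
        if sig is None:
            labels.append("invalid")
        elif sig in known_signatures:
            labels.append("known")
        elif sig in seen:
            labels.append("duplicate")
        else:
            seen.add(sig)
            labels.append("new")
    return labels

def sample_report(pid, bug, frames):
    """Build a constructed ASAN-style report (not real tool output)."""
    stack = "\n".join(f"    #{i} 0x{pid:x}{i:04x} in {fn} /src/{fn}.c:1:1"
                      for i, fn in enumerate(frames))
    return (f"=={pid}==ERROR: AddressSanitizer: {bug} on address 0x602000000014\n"
            f"READ of size 4 at 0x602000000014 thread T0\n{stack}\n\n"
            "allocated by thread T0 here:\n    #0 0x4a0000 in malloc\n")

OVERFLOW = ["__interceptor_memcpy", "parse_header", "handle_packet", "main"]
REPORTS = [sample_report(101, "heap-buffer-overflow", OVERFLOW),
           sample_report(202, "heap-buffer-overflow", OVERFLOW),  # rerun, new PID
           sample_report(303, "heap-use-after-free", ["free_session", "main"]),
           "timeout after 30s, no sanitizer output"]
KNOWN = {signature(REPORTS[2])}  # stands in for an existing report
```

Calling judge(REPORTS, KNOWN) labels the four constructed reports new, duplicate, known, and invalid. A stack-hash signature can merge distinct bugs that share top frames, so a shallow depth trades missed findings for fewer duplicates.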

Claude Code Skills

Six interactive Claude Skills can be invoked directly:

/quickstart : 30‑second guided onboarding (read‑only file operations).

/threat-model : Build a threat model targeting the attack surface (read‑only).

/vuln-scan : Static scan scoped by the threat model (read‑only).

/triage : Verify, deduplicate, and rank scan results (read‑only).

/patch : Generate candidate fixes for verified findings (read‑only or executable).

/customize : Customize the pipeline for a specific tech stack (source edit + command execution).

Sandbox Isolation with gVisor

Each agent runs in an isolated gVisor container, providing:

Filesystem isolation – agents see only container files.

Network isolation – outbound traffic limited to api.anthropic.com:443.

Compute isolation – a virtual kernel prevents malicious instructions from affecting the host.

Process isolation – agents operate in separate containers with read‑only PoC transmission.

Parallel Scanning

Multiple agents can run concurrently, each exploring a different code region to avoid converging on the same vulnerability. Example command:

# 5 parallel scans with real‑time streaming and auto‑focus
bin/vp-sandboxed run my-service --model <model-id> \
    --runs 5 --parallel --stream --auto-focus

Extensibility

Although the reference pipeline targets C/C++ memory bugs, the architecture is language‑agnostic and can be adapted to Java, Python, Rust, Go, and other ecosystems, as well as to vulnerability types such as SQL injection, XSS, and RCE.

Permission Model

Security Level 1: Read‑only file operations
  /quickstart, /threat-model, /vuln-scan, /triage, /patch (static)

Security Level 2: Edit source + run verification
  /customize

Security Level 3: Execute target code (requires gVisor)
  bin/vp-sandboxed run / patch / report
  bin/vp-sandboxed patch (pipeline mode)

Agent Roles and Isolation

Recon Agent : Reads source, defines attack surface – runs in network‑isolated container.

Find Agent : Crafts inputs, triggers crashes – runs in independent container with restricted egress.

Grade Agent : Reproduces crashes in a fresh container – isolated from Find.

Judge Agent : Compares and deduplicates findings – runs independently.

Report Agent : Generates structured analysis – isolated execution.

Patch Agent : Produces and validates fixes – isolated execution.

Typical Use Cases

Detecting buffer overflows, use‑after‑free, double free in C/C++.

CI/CD security scanning of new code.

Auditing open‑source dependencies for known vulnerabilities.

Automated generation and verification of patches.

Threat modeling based on code structure.

Reference Resources

GitHub repository: https://github.com/anthropics/defending-code-reference-harness
Blog post: https://claude.com/blog/using-llms-to-secure-source-code
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
