May 18, 2026

FortinetCNAPP - Securing AI-Generated Code at the Moment It’s Written: Introducing the FortiCNAPP Code Security Plugin for Claude Code

Introduction

The way software gets built has fundamentally changed. AI coding assistants like Claude Code now write entire features, refactor modules, and ship code at a pace no security team was sized for. The code landing in your repositories is increasingly code that no human typed — and every existing security tool assumes a human with time to read a PR comment days after the code was written.

That’s why we’re releasing the FortiCNAPP Code Security plugin for Claude Code — a plugin that brings deterministic security verification directly into the AI-assisted development workflow, catching vulnerabilities at the moment code is generated.

The Problem: AI Code Generation Needs Deterministic Verification

AI-generated code is probabilistic. The same prompt produces different outputs each time — both plausible, neither audited. Security verification needs to be the opposite: deterministic, traceable to a specific policy, and defensible to an auditor.

The FortiCNAPP Code Security plugin pairs these two capabilities. Claude Code generates code. FortiCNAPP verifies it. When an issue is found, Claude receives a precise finding — which policy, which file, which line, and what the recommended remediation looks like — then writes the fix and re-scans to confirm. The entire loop closes in seconds.

What the Plugin Delivers

The plugin runs locally via the Lacework CLI and covers four scanning dimensions, triggered automatically within your Claude Code session:

Secrets Detection

The first time an API key, token, or credential lands on disk, we catch it — before it reaches the repo, the git history, or a CI log. Once a secret is committed, rotation is the only real fix. We close that loop at the moment of generation.

SCA (Software Composition Analysis)

Every dependency added or updated by Claude is checked against the full CVE database. No hallucinated CVE numbers — an authoritative lookup tied to CVSS scores and actionable remediation guidance.

SAST (Static Application Security Testing)

Injection flaws, unsafe patterns, authentication and authorization mistakes — flagged with specific policy IDs and precise file/line locations, not vague descriptions.

IaC Misconfiguration Scanning

Terraform, CloudFormation, Kubernetes manifests, and Helm charts are checked against a curated rule set mapped to compliance frameworks including CIS, SOC 2, PCI-DSS, and NIST.

[Screenshot: Scan findings with severity breakdown and remediation details]

[Screenshot: Initial IaC creation step]

[Screenshot: IaC creation from Claude then triggers FortiCNAPP code scanning automatically]

How It Works: Two Scanning Modes

The plugin supports two scanning modes, selectable during setup or anytime via the /fortinet:settings command.

Pre-Commit Mode (Default)

When Claude attempts to run git commit, the plugin intercepts the call, scans the staged files, and blocks the commit if Critical or High severity findings exist. The code never reaches the repository history. Claude sees the rejection reason, generates the fix, re-stages, and retries — all within the same session.

Post-Task Mode

Runs as a stop hook after the developer’s task completes. If critical or high findings are detected, Claude is told directly and works on the fix in the same session. If there’s nothing to surface, it stays silent.

|          | Pre-Commit (Default)             | Post-Task                    |
|----------|----------------------------------|------------------------------|
| When     | Before git commit                | After every Claude Code task |
| Scans    | Staged files only                | All files changed in session |
| Blocking | Commit rejected on Critical/High | Claude re-invokes to fix     |

Either way, security happens with the work, not to the work.

Key Design Principles

Developer Experience First

The plugin scans only the files Claude actually modified in the current task. SCA results are cached by manifest hash, so unchanged dependency files cost zero seconds on subsequent runs. Output consists of clean, plain-text summaries with no internal noise or formatting artifacts.
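
To make the caching rule concrete, here is an added example in Python (illustrative code, not the plugin's own, which delegates the real dependency lookup to the Lacework CLI) of a manifest-hash cache: the cache key is the SHA-256 of the manifest bytes, so a file re-saved with identical content returns the cached findings without invoking the scanner, while an edited dependency line forces a fresh scan. The `run_sca` stand-in, the `examplelib` pin it flags and the `sca-cache.json` store name are all constructed for this illustration.

```python
import hashlib
import json
from pathlib import Path
from tempfile import TemporaryDirectory


def manifest_hash(path: Path) -> str:
    """Content key for the cache: SHA-256 of the manifest bytes, so a re-save
    or a touched mtime with identical content still hits the cache."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def run_sca(manifest: Path) -> list:
    """Stand-in for the real dependency lookup (hypothetical; the plugin
    delegates this to the Lacework CLI). It flags one constructed pin so
    the cache has a non-empty result to return."""
    findings = []
    for lineno, line in enumerate(manifest.read_text().splitlines(), start=1):
        if line.strip() == "examplelib==1.0.0":  # constructed sample, not a real advisory
            findings.append({"package": "examplelib", "version": "1.0.0",
                             "severity": "High", "file": manifest.name, "line": lineno})
    return findings


class ScaCache:
    """Maps manifest content hash -> findings, persisted as JSON so the cache
    outlives the session. The store path is an assumption of this example."""

    def __init__(self, store: Path):
        self.store = store
        self.entries = json.loads(store.read_text()) if store.exists() else {}
        self.scans_run = 0  # counts real scanner invocations for the demo

    def scan(self, manifest: Path) -> list:
        key = manifest_hash(manifest)
        if key in self.entries:
            return self.entries[key]  # unchanged manifest: no scanner call
        findings = run_sca(manifest)  # only reached for new content
        self.scans_run += 1
        self.entries[key] = findings
        self.store.write_text(json.dumps(self.entries))
        return findings


def demo() -> dict:
    """Three scans of one manifest: fresh, re-saved with identical bytes,
    then with a dependency bumped. Only the first and third hit the scanner."""
    with TemporaryDirectory() as tmp:
        root = Path(tmp)
        manifest = root / "requirements.txt"
        cache = ScaCache(root / "sca-cache.json")

        manifest.write_bytes(b"examplelib==1.0.0\nflask==3.0.0\n")  # constructed
        first = cache.scan(manifest)
        manifest.write_bytes(b"examplelib==1.0.0\nflask==3.0.0\n")  # identical re-save
        second = cache.scan(manifest)
        manifest.write_bytes(b"examplelib==1.1.0\nflask==3.0.0\n")  # real edit
        third = cache.scan(manifest)
        return {"scans_run": cache.scans_run, "first": first,
                "second": second, "third": third}


if __name__ == "__main__":
    result = demo()
    print(f"scanner invoked {result['scans_run']} times for 3 scan requests")
    for name in ("first", "second", "third"):
        print(name, result[name])
```

Keying on content rather than on path or modification time is what makes the "zero seconds" claim hold for editors and formatters that rewrite files without changing them; the trade-off is that the cache must be keyed per manifest file, since two different lockfiles with identical bytes are legitimately the same scan.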

Exact File Matching

Findings are filtered to only the files you actually changed — no directory proximity false positives. If you edited main.tf, you see findings for main.tf, not for every Terraform file in the same folder.
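
The two behaviours described above, the pre-commit gate that rejects a commit on Critical/High findings and the exact-file filter that ignores sibling files in the same directory, as one added example in Python. This is illustrative code, not the plugin's implementation; the findings and their `EXAMPLE-IAC-...` policy IDs are constructed placeholders. In a real hook the staged set would come from `git diff --cached --name-only`, which the `staged_files` helper wraps; the demo passes the set directly so the example runs outside a repository.

```python
import os.path
import subprocess
import sys

BLOCKING_SEVERITIES = {"Critical", "High"}

# Constructed scanner output for a Terraform module (policy IDs are placeholders).
# Only infra/main.tf is staged in the demo below; the sibling files share its
# directory but must not influence the commit decision.
SAMPLE_FINDINGS = [
    {"policy": "EXAMPLE-IAC-001", "file": "infra/main.tf", "line": 12,
     "severity": "High", "title": "Security group ingress open to 0.0.0.0/0"},
    {"policy": "EXAMPLE-IAC-002", "file": "infra/storage.tf", "line": 4,
     "severity": "Critical", "title": "Bucket without encryption at rest"},
    {"policy": "EXAMPLE-IAC-003", "file": "infra/main.tf", "line": 30,
     "severity": "Medium", "title": "Missing resource tags"},
    {"policy": "EXAMPLE-IAC-004", "file": "infra/main.tf.bak", "line": 1,
     "severity": "Critical", "title": "Hard-coded credential in backup file"},
]


def normalize(path: str) -> str:
    """Canonical repo-relative path so './infra/main.tf' and 'infra/main.tf'
    compare equal, while 'infra/main.tf.bak' stays distinct."""
    return os.path.normpath(path).replace("\\", "/")


def staged_files(repo: str = ".") -> set:
    """The staged-file set a pre-commit hook would use (added/copied/modified/
    renamed). Not called by the demo so the example also runs outside a repo."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACMR"],
        cwd=repo, capture_output=True, text=True, check=True,
    ).stdout
    return {normalize(p) for p in out.splitlines() if p.strip()}


def filter_to_staged(findings: list, staged: set) -> list:
    """Exact path match only: a finding counts if its file is one of the staged
    paths, never because it lives in the same directory as one."""
    staged_norm = {normalize(p) for p in staged}
    return [f for f in findings if normalize(f["file"]) in staged_norm]


def gate(findings: list, staged: set) -> dict:
    """Decide whether the commit may proceed and build the plain-text summary
    Claude would read back: severity, file:line, policy ID and title."""
    relevant = filter_to_staged(findings, staged)
    blocking = [f for f in relevant if f["severity"] in BLOCKING_SEVERITIES]
    lines = [f"{f['severity']:<8} {f['file']}:{f['line']}  {f['policy']}  {f['title']}"
             for f in relevant]
    return {"allowed": not blocking, "blocking": blocking,
            "relevant": relevant, "summary": "\n".join(lines)}


if __name__ == "__main__":
    # Demo with the constructed findings; a real hook would pass staged_files().
    decision = gate(SAMPLE_FINDINGS, {"infra/main.tf"})
    print(decision["summary"])
    if not decision["allowed"]:
        print(f"commit blocked: {len(decision['blocking'])} Critical/High finding(s) in staged files")
        sys.exit(1)
    print("commit allowed")
```

With only `infra/main.tf` staged, the Critical findings in `infra/storage.tf` and `infra/main.tf.bak` never appear, the Medium finding on `main.tf` is reported but does not block, and the High finding does. Once that one finding is remediated and the file re-staged, the same gate returns `allowed: True`, which is the re-scan step of the loop the article describes.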

Precise Remediation, Not Vague Advice

A FortiCNAPP finding identifies the specific policy violated, the exact file and line number, and a recommended remediation pattern. This precision matters for auditors who need traceable artifacts, and for Claude, which generates better fixes from specific findings.

[Screenshot: Findings remediated and re-scanned]

Security Context Awareness

When a Claude Code session starts, the plugin injects security awareness context into the conversation. Claude knows scanning is active and writes secure defaults from the start — restrictive CIDR blocks, no public access, encryption enabled by default — reducing findings before they happen.

Installation

Install with two commands in Claude Code:

/plugin marketplace add lacework/forticnapp-llm-plugins
/plugin install code-security@fortinet-plugins

Then run /fortinet:cli-setup to install the Lacework CLI and configure your credentials. The plugin resolves credentials from your existing ~/.lacework.toml, environment variables, or via interactive prompt.

The repository is public: github.com/lacework/forticnapp-llm-plugins

What This Is — and What It Isn’t

This plugin is not a replacement for your CI/CD pipeline security scanning. Keep using FortiCNAPP Code Security scanners in your CI/CD pipeline or within our SCM-hosted scanning model. This plugin is the first line of defense, not the only one.

This is not us asking Claude to do a security review. The deterministic engine handles authoritative, reproducible vulnerability detection. Claude handles what it’s best at: turning a precise finding into a precise fix.

Current Release: v1.7.0

The latest release includes:

  • Clean output formatting — scan results are presented as clear, actionable plain text
  • Exact file matching — findings surface only for files you changed, eliminating false positives
  • Log rotation — automatic pruning of log files older than 7 days, with per-session caps at 1MB
  • Parallel scanning — IaC and SCA scans run simultaneously to minimize wait time
  • Smart dependency caching — SCA scans skipped when manifests haven’t changed

Get Started

We’d welcome your feedback — file issues, submit PRs, or tell us what’s missing.

AI is writing more of the code that runs in production every day. The question is who’s checking it. We think the answer should be: a deterministic engine, as close as possible to code creation, on every task, with the precise fix one prompt away.

Install the plugin: github.com/lacework/forticnapp-llm-plugins
Documentation: FortiCNAPP Claude Code Plugin Guide