Home All Posts Equipping Claude Code with Deterministic Security Guardrails in 5 Minutes

Equipping Claude Code with Deterministic Security Guardrails in 5 Minutes

,
In this article:
Subscribe to our blog:

Share:
Codacy
7 mins read

In a hurry? Skip to setup instructions 👇

Using Cursor, VSCode, or Windsurf? Get the native IDE extension

What is Claude Code?

Claude Code is Anthropic's agentic command line tool that lets developers delegate coding tasks directly from their terminal. It uses advanced AI to understand your entire codebase without requiring manual context selection, can make coordinated changes across multiple files, and integrates seamlessly with popular IDEs like VS Code and JetBrains.

What makes Claude Code unique is its agentic approach: It can search through your code, understand patterns and standards, and make intelligent decisions about how to implement changes while always requiring your explicit approval before modifying files. It's powered by Claude Opus 4 and designed specifically for code understanding and generation, making it particularly effective for complex, multi-file modifications that would be tedious to do manually.

As a command line expert, I prefer to use CLI agents, and one such example is Claude Code.

One of the major issues I have found with most agentic coding assistants is that they rely on the knowledge they are trained on. Over the years, with and without AI, I have built countless scripts, utilities, and applications that work but have vulnerabilities, outdated libraries, and even hardcoded credentials for testing. Sometimes I have managed to catch these before committing the changes to my repository, but there have been a few cases where I may have missed something.

This experience is not unique to me. It exists for all developers, and time is simply not always on your side. Due to its insecure nature, the probability of a developer introducing a vulnerability or secret in their code when using AI approaches 100% the more time you spend coding.

This is where Codacy Guardrails comes in. It is the world’s first suite of tools that can guide your AI agent to fix security and quality issues immediately during the code generation workflow, before the code suggestion makes it into the source file. 

For me, this really is a game changer. I am not leaving anything to chance when I ask an AI agent to add one more method, to refactor the code, or to simplify it. Better yet, as a Solutions Engineer, I am no longer worried about what I commit (we all know how difficult it can be to delete a hardcoded secret that’s already committed to a repository!).

Let me put it this way: Would you mark your own homework?

If you answered no, how can the same AI model (trained up to a particular date) be responsible for checking its own code to ensure it is trustworthy?

That’s why robust, deterministic, rule-based Guardrails are a necessity for AI-assisted software development.

 

What Actually Happens When You Use Codacy Guardrails

Instead of your usual workflow, where you generate code, review it, test it, and then maybe run a security scan after-the-fact, Codacy Guardrails sits right between your AI and your IDE.

Every line of code gets analyzed as it's being generated. If there's a security issue, the AI agent is made aware immediately, and will iterate on that issue until it is fixed. This means you simply get the better, safer code suggestion right from the start.

The integration works through MCP (Model Context Protocol) – think of it as a USB-C cable that lets your AI assistant talk directly to Codacy’s CLI and cloud platform. This allows your organizational security and coding standards to be enforced automatically, on every single prompt.

 

Demo 

See the Codacy Guardrails integration for Claude Code in action:

 

Getting Started (The Easy Way)

The setup takes no longer than 5 minutes.

What You Need

  • Node.js and npm installed
  • Claude Code
  • A Codacy account (the free tier is enough, sign up here)

Step 1: Get Your Codacy Token

Log in to Codacy, go to Account Settings > API Tokens, and create a new token. Call it something like "Guardrails MCP" and copy it somewhere safe.

Step 2: Run the Setup Script

We've got a helper script that does all the heavy lifting.

  1. Create a file called setup-codacy-guardrails.sh,
  2. Paste the script (copy from here or download from GitHub)
  3. Make it executable and run it:
chmod +x setup-codacy-guardrails.sh
./setup-codacy-guardrails.sh

The script will:

  • Install Claude Code globally
  • Ask for your Codacy token
  • Set up the MCP connection
  • Create a configuration file that tells your AI how to behave with Codacy

Step 3: Restart Your Terminal

The script adds environment variables to your shell config, so restart your terminal or run:

source ~/.bashrc  # or ~/.zshrc

Step 4: Run Claude Code

Start Claude code

claude code

That's it. You're done.

 

What Now?

Once everything's connected, you'll see 23 new tools available in Claude Code when you run /mcp. As a summary

  • Near real-time scanning: Every file is scanned as it is modified and saved
  • Automatic fixes: Issues get corrected before the agent task is completed
  • Security analysis: New dependencies get scanned for the latest vulnerabilities
  • Company standards: Your team's coding rules are enforced everywhere**

In our demo, the system caught 6 security issues instantly and told us which ones were overdue based on the SLA settings, which you can customize in Codacy. That's the kind of feedback that usually takes a separate security review process and additional team members.

 

The Setup Script

Here's the complete script that automates everything:


#!/bin/bash

# Claude Code + Codacy Setup Script
set -e

# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m'

print_status() {
    echo -e "${GREEN}[INFO]${NC} $1"
}

print_warning() {
    echo -e "${YELLOW}[WARNING]${NC} $1"
}

print_error() {
    echo -e "${RED}[ERROR]${NC} $1"
}

# Detect shell config
if [[ "$OSTYPE" == "darwin"* ]]; then
    SHELL_CONFIG="$HOME/.zshrc"
elif [[ "$OSTYPE" == "linux-gnu"* ]]; then
    if [[ "$SHELL" == *"zsh"* ]]; then
        SHELL_CONFIG="$HOME/.zshrc"
    else
        SHELL_CONFIG="$HOME/.bashrc"
    fi
else
    SHELL_CONFIG="$HOME/.bashrc"
fi

# Install Claude Code
print_status "Installing Claude Code..."
if command -v npm &> /dev/null; then
    npm install -g @anthropic-ai/claude-code
    print_status "Claude Code installed successfully"
else
    print_error "npm is not installed. Please install Node.js and npm first."
    exit 1
fi

# Setup Codacy token
print_status "Setting up Codacy environment variable..."
echo "Enter your Codacy Account Token (or press Enter to skip if already configured):"
read -p "Token: " CODACY_TOKEN

if [[ -n "$CODACY_TOKEN" ]]; then
    echo "export CODACY_ACCOUNT_TOKEN=$CODACY_TOKEN" >> "$SHELL_CONFIG"
    export CODACY_ACCOUNT_TOKEN="$CODACY_TOKEN"
    print_status "Token configured successfully"
else
    print_status "Skipping token setup"
    print_warning "Make sure CODACY_ACCOUNT_TOKEN is available in your environment"
fi

# Add MCP configuration
print_status "Adding Codacy MCP configuration..."
if command -v claude &> /dev/null; then
    claude mcp add codacy npx -- -y @codacy/codacy-mcp --env CODACY_ACCOUNT_TOKEN=\$CODACY_ACCOUNT_TOKEN
    print_status "MCP configuration added successfully"
else
    print_error "Claude Code CLI not found. Please ensure it's properly installed."
    exit 1
fi

# Create configuration file
print_status "Creating CLAUDE.md configuration file..."
cat > CLAUDE.md << 'EOF'
---
# Codacy Rules
Configuration for AI behavior when interacting with Codacy's MCP Server

## After ANY successful file edit
- YOU MUST run the `codacy_cli_analyze` tool for each edited file
- If any issues are found, propose and apply fixes immediately
- This is a critical requirement, not optional

## After ANY dependency installation
- IMMEDIATELY run `codacy_cli_analyze` with tool set to "trivy"
- Check for security vulnerabilities in new packages
- Stop all operations if vulnerabilities found
- Fix security issues before continuing

## Repository setup
- Use `git remote -v` to determine provider/organization/repository
- Provider mapping: GitHub = "gh", Bitbucket = "bb", GitLab = "gl"
- If repository not found in Codacy, offer to run `codacy_setup_repository`
---
EOF

print_status "Setup completed successfully!"
echo ""
print_warning "IMPORTANT: Restart your terminal or run: source $SHELL_CONFIG"
echo ""
print_status "You can now use Claude Code with Codacy integration!"

The combination of AI speed with real-time security checking is pretty incredible once you experience it.

Instead of slowing down development, we can now secure every line of code generated by Claude Code, without additional friction. And honestly, once you've used it for a while, coding without these Guardrails starts to feel kind of…reckless.

RELATED
BLOG POSTS

Codacy Platform
23/01/2020
Ensure code quality in the CI/CD pipeline
Continuous integration and continuous delivery tools (CI/CD) like Jenkins, Circle CI and GitHub Actions help automate steps in the software development...
Customers
07/07/2025
From Sonar to Codacy: How ihomer equipped their devs for the future with AI Guardrails
Key Outcomes:
Codacy Platform , New Features
02/07/2025
Ship Safer Code: Plug Codacy Guardrails Into Gemini CLI in 90 Seconds
Gemini CLI (launched 25 Jun 2025) drops Google’s Gemini 2.5 Pro straight into your terminal with a whopping 1 M-token context and free preview limits.

Automate code
reviews on your commits and pull request

Get Started
Group 13
!-- ✅ Prism.js scripts added directly below the block to ensure they load -->