Claude Expands AI Vulnerability Scanning to Multi-File Scale
Claude now scans AI vulnerabilities across multiple files at once, a leap from the single‑file approach demonstrated by Nicholas Carlini; Brian‑Chastain reports the new capability expands automated risk detection to whole codebases.
Key Facts
- Key company: Claude
Claude’s new multi‑file scanning mode replaces the single‑file “hint” workflow demonstrated by Nicholas Carlini with an automated pipeline that can ingest an entire repository and emit a consolidated vulnerability report. According to Brian‑Chastain, the updated system adds a wrapper script around the original command‑line interface that iterates over every source file, feeds each one to Claude with the same “dangerously‑skip‑permissions” flag, and aggregates the per‑file findings into a single structured output. The script, posted publicly by the researcher, eliminates the manual hint line that previously required an operator to name a target file such as /src/foo.c, thereby removing the need for a human to know where to look.
The technical motivation for the change is spelled out in the same briefing: single‑file prompts succeed because they constrain the model’s context and intent, but they do not scale. Carlini’s original demo produced precise line‑level findings with minimal noise, yet “every file, every scan, manually” proved untenable for real‑world codebases, Brian‑Chastain notes. When the model is pointed at a full project without a hint, its attention drifts, leading to shallow findings that miss critical bugs—e.g., a missed SQL injection in auth.py or an ignored command injection in a deployment script. The researcher observed that even Claude’s large context windows “degrade across hundreds of files,” causing the model to anchor on the first recognizable pattern and repeat it while overlooking distinct vulnerability classes.
To overcome these limits, the new pipeline partitions the codebase into logical units, invokes Claude on each unit separately, and then post‑processes the raw text reports into a machine‑readable format. Brian‑Chastain explains that the naïve approach of dumping an entire project into a single prompt “fails for predictable reasons: context saturation, pattern anchoring, and no isolation.” By preserving isolation—each file is examined on its own—the model retains the high precision of the original single‑file method while scaling to projects of any size. The wrapper also replaces the plain‑text .txt output with a JSON‑compatible schema that captures file paths, line numbers, severity scores, and suggested mitigations, reducing token overhead and making the results consumable by downstream security tooling.
The implications for threat actors and defenders are stark. As Brian‑Chastain warns, “attackers need to know less, can scrape fine‑grained files, find more, automate faster, and attack you where you may never see it coming.” By automating the hint generation and batch processing, Claude can now be used to scan open‑source libraries, third‑party plugins, or even proprietary codebases with minimal human guidance. This lowers the barrier for AI‑assisted vulnerability discovery and could accelerate the weaponization of LLMs in supply‑chain attacks. Conversely, security teams can integrate Claude’s multi‑file scanner into CI/CD pipelines to obtain continuous, code‑aware risk assessments without the manual triage that previously limited adoption.
Performance benchmarks shared in the researcher’s “Outside‑In” report show that the multi‑file mode processes a 200‑file Python project in roughly 40 minutes—comparable to the time required for the original single‑file demo but with a tenfold increase in coverage. The aggregated report surfaces both the high‑frequency issues (e.g., repeated use of eval()) and the low‑frequency, high‑impact bugs (e.g., a deserialization flaw in a rarely touched module) that the single‑file approach would have missed. Brian‑Chastain concludes that the “frontier grade ‘secure’ AI” implementation demonstrates a viable path forward for large‑scale, automated code security, provided that organizations remain vigilant about the model’s propensity to over‑report patterns once it locks onto a particular vulnerability class.
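As an added illustration, not the researcher’s published script (which this article does not reproduce), the following Python sketch shows the shape of the wrapper described above: one file per model invocation, each reply parsed into the structured schema of file, line, severity and mitigation, and a tally per vulnerability class so that the over‑reporting the report warns about is visible in the output. The `claude -p … --dangerously-skip-permissions` invocation in `run_claude` is an assumption about the CLI; `run` is injectable so the aggregation can be exercised without it.

```python
import json
import re
import subprocess
from collections import Counter
from pathlib import Path

SOURCE_SUFFIXES = {".py", ".c", ".js", ".go", ".sh"}
PROMPT = ("Audit this single source file for security vulnerabilities. Reply only with a JSON "
          "array of objects with keys: line (int), severity (low|medium|high|critical), "
          "vuln_class (short label), mitigation (one sentence).")

def run_claude(relpath: str, source: str) -> str:
    """Send one file to the Claude Code CLI (assumed invocation: prompt via -p, source on stdin).
    Run this inside a disposable container: the flag lets the model use tools without confirmation."""
    cmd = ["claude", "-p", f"{PROMPT}\n\nFile: {relpath}", "--dangerously-skip-permissions"]
    return subprocess.run(cmd, input=source, capture_output=True, text=True, check=True).stdout

def parse_findings(text: str) -> list:
    """Extract the JSON array from a reply, tolerating prose or a ```json fence around it."""
    match = re.search(r"\[.*\]", text, re.S)
    if not match:
        return []
    try:
        items = json.loads(match.group(0))
    except json.JSONDecodeError:
        return []
    return [i for i in items if isinstance(i, dict) and "line" in i]

def scan_files(files: dict, run) -> dict:
    """files maps relative path -> source text; each file is sent alone so findings stay isolated."""
    findings = []
    for relpath, source in sorted(files.items()):
        for f in parse_findings(run(relpath, source)):
            findings.append({"file": relpath, "line": int(f["line"]),
                             "severity": str(f.get("severity", "unknown")).lower(),
                             "vuln_class": str(f.get("vuln_class", "unclassified")),
                             "mitigation": str(f.get("mitigation", ""))})
    by_class = Counter(f["vuln_class"] for f in findings)
    # A class holding more than half of all findings (and at least three) is a sign the
    # model anchored on one pattern and may be over-reporting it; triage those first.
    anchored = [c for c, n in by_class.items() if n >= 3 and n / len(findings) > 0.5]
    return {"findings": findings, "by_class": dict(by_class), "possible_anchoring": anchored}

def scan_repo(root: Path, run=run_claude) -> dict:
    """Walk a checkout and scan every recognised source file one at a time."""
    files = {str(p.relative_to(root)): p.read_text(errors="replace")
             for p in root.rglob("*") if p.is_file() and p.suffix in SOURCE_SUFFIXES}
    return scan_files(files, run)
```

Calling `scan_repo(Path("checkout"))` produces the consolidated report; the `by_class` counts are what a reviewer compares against the `possible_anchoring` list before trusting a long run of identical findings.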
Sources
Reporting based on verified sources and public filings. Sector HQ editorial standards require multi-source attribution.