The most leverage you can extract from Claude Code isn’t in individual sessions — it’s in making it run automatically, on every commit, without anyone having to remember to use it.
This guide covers practical CI/CD integrations: pre-commit hooks that catch issues before they’re committed, GitHub Actions that run Claude Code reviews on every PR, and automated quality gates that stop bad code from shipping.
Pre-commit Hooks
Pre-commit hooks run before every git commit and can block the commit if checks fail. They’re the fastest feedback loop available because you catch problems before they’re ever in version history.
Basic Setup with Husky (Node.js projects)
npm install --save-dev husky
npx husky install
echo "npx husky install" >> package.json scripts.prepareThen add a pre-commit hook:
# .husky/pre-commit
#!/usr/bin/env sh
# Run Claude Code review on staged files
STAGED_FILES=$(git diff --cached --name-only --diff-filter=ACM | grep -E '\.(ts|tsx|js|jsx|py)$')
if [ -z "$STAGED_FILES" ]; then
exit 0
fi
echo "Running Claude Code review on staged files..."
# Create a temp file with the staged content
echo "$STAGED_FILES" > /tmp/staged-files.txt
# Run Claude Code non-interactively
claude --print "Review these files for security issues and obvious bugs only.
Files to review: $(cat /tmp/staged-files.txt)
For each file, output: PASS or FAIL with a one-line reason.
If any file FAILs, list the fix needed." \
--max-turns 1 \
--output-format json > /tmp/review-result.json 2>/dev/null
# Check if any FAILs were found
if grep -q '"FAIL"' /tmp/review-result.json 2>/dev/null; then
echo "❌ Pre-commit review found issues:"
cat /tmp/review-result.json
exit 1
fi
echo "✅ Pre-commit review passed"
exit 0This runs a focused check on only security and obvious bugs — fast enough to not slow down your workflow, specific enough to catch real problems.
Pre-commit with python pre-commit framework
For Python/polyglot projects:
# .pre-commit-config.yaml
repos:
- repo: local
hooks:
- id: claude-security-check
name: Claude Code Security Review
language: system
entry: bash -c 'claude --print "Quick security check — look for hardcoded secrets, SQL injection, auth bypass risks in: $@. Output PASS or FAIL with reason." --max-turns 1'
types: [python, javascript, typescript]
stages: [commit]
pass_filenames: trueGitHub Actions: PR Review Automation
GitHub Actions let you run Claude Code on every pull request. The pattern: trigger on pull_request, check out the code, run Claude Code against the diff, post results as a PR comment.
Basic PR Review Action
# .github/workflows/claude-code-review.yml
name: Claude Code PR Review
on:
pull_request:
types: [opened, synchronize]
paths:
- '**.ts'
- '**.tsx'
- '**.js'
- '**.py'
jobs:
code-review:
runs-on: ubuntu-latest
permissions:
pull-requests: write
contents: read
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Install Claude Code
run: npm install -g @anthropic-ai/claude-code
env:
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
- name: Get changed files
id: changed-files
run: |
git diff --name-only origin/${{ github.base_ref }}...HEAD \
| grep -E '\.(ts|tsx|js|py)$' > changed_files.txt
echo "files=$(cat changed_files.txt | tr '\n' ' ')" >> $GITHUB_OUTPUT
- name: Run Claude Code review
if: steps.changed-files.outputs.files != ''
id: review
run: |
REVIEW=$(claude --print \
"Review the changes in PR #${{ github.event.number }}.
Focus only on: security vulnerabilities, logic errors, and performance regressions.
Skip style comments.
For each issue found: file name, line range, issue description, suggested fix.
If no real issues found, output 'LGTM — no blocking issues found.'
Changed files: ${{ steps.changed-files.outputs.files }}" \
--max-turns 2 2>&1)
echo "review<<EOF" >> $GITHUB_OUTPUT
echo "$REVIEW" >> $GITHUB_OUTPUT
echo "EOF" >> $GITHUB_OUTPUT
- name: Post review comment
if: steps.review.outputs.review != ''
uses: actions/github-script@v7
with:
script: |
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: `## Claude Code Review\n\n${{ steps.review.outputs.review }}\n\n---\n*Automated review by [Claude Skills 360](https://claudeskills360.com)*`
})This posts a review comment on every PR. The review focuses on blocking issues, not style — so it doesn’t create noise on every commit.
Security-Only Gate (Required Check)
If you want to make the Claude Code security check a required PR status check:
# .github/workflows/claude-security-gate.yml
name: Security Gate
on:
pull_request:
branches: [main, production]
jobs:
security-review:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Install Claude Code
run: npm install -g @anthropic-ai/claude-code
- name: Security check
run: |
CHANGED=$(git diff --name-only origin/${{ github.base_ref }}...HEAD | \
grep -E '\.(ts|tsx|js|py)$' | head -20)
if [ -z "$CHANGED" ]; then
echo "No source files changed — skipping security check"
exit 0
fi
RESULT=$(claude --print \
"Security-only review of these changed files: $CHANGED
Output format: PASS or FAIL
PASS = no high/critical security issues
FAIL = at least one high/critical issue found, followed by: issue description and file
Be strict on: hardcoded secrets, SQL injection, path traversal, auth bypass.
Ignore style and medium/low issues." \
--max-turns 1 2>&1)
echo "$RESULT"
if echo "$RESULT" | grep -q "^FAIL"; then
echo "❌ Security gate FAILED"
exit 1
fi
echo "✅ Security gate PASSED"
env:
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}Set this as a required status check in your branch protection rules, and it blocks merges on security issues.
Scheduled Code Quality Audits
Beyond per-commit hooks, scheduled audits catch drift — code that was fine when written but has accumulated issues over time:
# .github/workflows/weekly-audit.yml
name: Weekly Code Quality Audit
on:
schedule:
- cron: '0 9 * * 1' # Every Monday at 9am UTC
workflow_dispatch:
jobs:
audit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install Claude Code
run: npm install -g @anthropic-ai/claude-code
- name: Run weekly audit
run: |
claude --print \
"Weekly code quality audit. Review the src/ directory.
Focus areas:
1. Deprecated dependencies or APIs that should be updated
2. Files with high complexity that are bug-prone
3. Patterns that were acceptable before but should be migrated
4. Missing error handling in critical paths
Output: prioritized list with file references.
Keep it actionable — not exhaustive." \
--max-turns 3 > audit-report.txt
cat audit-report.txt
env:
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
- name: Create GitHub issue with audit results
uses: actions/github-script@v7
with:
script: |
const fs = require('fs');
const report = fs.readFileSync('audit-report.txt', 'utf8');
github.rest.issues.create({
owner: context.repo.owner,
repo: context.repo.repo,
title: `Weekly Code Audit — ${new Date().toISOString().split('T')[0]}`,
body: `## Weekly Code Audit\n\n${report}`,
labels: ['tech-debt', 'automated']
});This creates a weekly GitHub issue with the audit results. No action required unless something is flagged — but the record keeps tech debt visible.
Practical Considerations
Cost: Claude Code API calls cost money. For pre-commit hooks and PR reviews, use --max-turns 1 to limit scope. A focused security review on a typical PR diff costs under $0.05. Weekly audits on a large codebase might be $0.50-$2.
Noise management: Start with blocked-only issues — security and logic errors. Add style/conventions only once the team trusts the signal. A review system that generates too much noise gets ignored.
ANTHROPIC_API_KEY: Store this as an encrypted secret in GitHub Actions (Settings → Secrets and variables → Actions). Never commit it.
Non-interactive mode: The --print flag runs Claude Code without interactive prompts. The --max-turns flag limits the number of back-and-forth turns. Both are essential for CI use.
Skill System for CI/CD
If you’re running similar Claude Code checks manually across multiple repos, the skill system is worth configuring:
# .claude/skills/security-gate.md
---
name: security-gate
description: Security-only review for pre-merge gate
---
Review the staged changes for security issues only.
Focus areas: hardcoded secrets, SQL injection, authentication bypass, path traversal.
Output: PASS or FAIL with file and line reference for any failures.
Skip style, performance, and maintainability issues.The Claude Skills 360 bundle includes pre-built DevOps and CI/CD skills:
/security-gate— pre-merge security check/pr-review— full PR review with severity levels/audit-deps— dependency vulnerability assessment/test-coverage-gap— identify untested critical paths
These live in the DevOps & Cloud (120+ skills) category in the full bundle. Start free with 360 skills including core security review tools.
Pre-built CI/CD integration skills for Claude Code — start free with 360 skills or get the full DevOps toolkit with 120+ cloud and pipeline skills.
Related reading: