Citation officielle
Guide basé sur des cas réels
Sources : Documentation officielle + Community best practices
Dernière vérification : 29 décembre 2025
🎯 Pourquoi ce guide
Le problème : - Documentation générale = compréhension limitée - Manque d’exemples end-to-end concrets - Difficile de voir comment combiner les features
La solution :
6 use cases complets qui montrent comment combiner : - ✅ Skills + Web Search + Plan Mode - ✅ LSP + Sub-Agents + Extended Thinking - ✅ Hooks + MCP + Automation - ✅ GitHub Actions + CI/CD + Security
🔍 Use Case #1 : SEO Audit complet
🎯 Objectif
Auditer le SEO d’un site web + recommandations basées sur best practices actuelles du web.
💰 ROI Estimé
⏱️ Time saved : 4-6h → 20min (90% gain)
🎯 Completeness : +150% vs manual audit
💵 Cost : ~$2-3 (tokens + web search)
✅ Value : $300-500 (consultant hourly rate)
🔧 Stack utilisé
1. Custom Skill (SEO Auditor)
2. Web Search (current best practices)
3. Puppeteer MCP (browser automation)
4. Plan Mode (structured approach)
5. Extended Thinking (deep analysis)📋 Step-by-Step Setup
Step 1 : Install Puppeteer MCP
Source : https://alexop.dev/posts/how-i-use-claude-code-for-doing-seo-audits/
# Install Puppeteer MCP server
claude mcp add --transport stdio puppeteer \
-- npx -y @modelcontextprotocol/server-puppeteerStep 2 : Create SEO Auditor Skill
File : ~/.claude/skills/seo-auditor/SKILL.md
---
name: seo-auditor
description: Comprehensive SEO audit specialist. Analyzes technical SEO, on-page optimization, performance, and provides actionable recommendations. Use when auditing website SEO or checking search engine optimization.
---
# SEO Auditor Skill
You are an expert SEO auditor. When invoked, perform comprehensive SEO analysis.
## Audit Checklist
### 1. Technical SEO
-Meta tags (title, description, Open Graph)
-Structured data (JSON-LD)
-Robots.txt and sitemap.xml
-Mobile-friendliness
-Page speed (Core Web Vitals)
-HTTPS and security headers
### 2. On-Page SEO
-Heading structure (H1-H6)
-Image alt text
-Internal linking
-Content quality and keyword usage
-URL structure
### 3. Performance
-Load time analysis
-Resource optimization
-Render-blocking resources
### 4. Current Best Practices
-**ALWAYS use Web Search** to get latest SEO trends
-Search for: "SEO best practices 2025"
-Search for: "Core Web Vitals requirements"
-Incorporate findings into recommendations
## Output Format
Generate structured markdown report with:
1.Executive Summary
2.Issues by Severity (Critical/High/Medium/Low)
3.Actionable Recommendations with code examples
4.Performance Metrics
5.Compliance ChecklistStep 3 : Launch SEO Audit
# Start in Plan Mode
claude --permission-mode plan
# Your promptPrompt template :
ultrathink about a comprehensive SEO audit for https://example.com
Use the seo-auditor skill and Puppeteer MCP to:
1. Navigate to the website
2. Analyze all SEO factors
3. Search the web for latest 2025 SEO best practices
4. Generate detailed audit report
Requirements:
- Check technical SEO (meta, structured data, sitemaps)
- Analyze on-page optimization
- Test Core Web Vitals
- Compare against current industry standards
- Provide code examples for fixes📊 Real Output Example
Source : https://alexop.dev/posts/how-i-use-claude-code-for-doing-seo-audits/
Note
Real-world result
“The audit found big blocking problems - search engines can’t see your site because of noindex, nofollow meta tags and development robots.txt settings. But the good news is your blog has great technical basics with proper structured data, mobile-friendly design, and fast loading.”
Example issues found :
## Critical Issues (Fix Immediately)
### 1. Noindex Meta Tag Blocking Indexation
**Location:** All pages
**Impact:** Search engines cannot index site
**Fix:**
```html
<!-- REMOVE this -->
<meta name="robots" content="noindex, nofollow">
<!-- ADD this -->
<meta name="robots" content="index, follow">2. Development robots.txt in Production
Location: /robots.txt
Impact: Blocking all crawlers
Fix:
# Production robots.txt
User-agent: *
Allow: /
Sitemap: https://example.com/sitemap.xml3. Missing Structured Data
Pages affected: Blog posts (15 pages)
Fix: Add BlogPosting schema
<script type="application/ld+json">
{
"@context": "https://schema.org",
"@type": "BlogPosting",
"headline": "{{ post.title }}",
"datePublished": "{{ post.date }}",
"author": {
"@type": "Person",
"name": "{{ author }}"
}
}
</script>
### ⚡ Performance Metrics
**Citation :** https://alexop.dev/posts/how-i-use-claude-code-for-doing-seo-audits/
::: info Note
**Speed vs Manual**
"Claude Code finished in minutes what would take me hours to do by hand. Complete analysis, actionable results with code examples, everything saved in a markdown file I can use later."
:::
**Breakdown :**
- Manual audit : 4-6 hours
- With Claude Code : 15-20 minutes
- Completeness : 100% vs 60-70% manual
- Actionable fixes : 100% with code examples
### 🎓 Key Learnings
**What worked :**
1. **Web Search Integration** : Latest SEO trends included automatically
2. **Puppeteer MCP** : Real browser analysis vs static code review
3. **Skill Specialization** : Consistent audit structure
4. **Extended Thinking** : Deep analysis of complex issues
**Gotchas :**
⚠️ **Warning : Web Search Cost**
Audit can trigger 5-10 web searches = $0.10
Budget accordingly for production use.
⚠️ **Warning : Puppeteer Timeouts**
Large sites (100+ pages) may timeout.
Use incremental analysis for big sites.
### 📚 Next Level
**Advanced patterns :**
```bash
# Competitive SEO Analysis
claude "Compare SEO of example.com vs competitor.com using Puppeteer and web search for industry benchmarks"
# Automated Monitoring
# Create hook that runs SEO audit weekly
{
"hooks": {
"SessionStart": [{
"hooks": [{
"type": "command",
"command": "claude -p 'Run SEO audit on staging.example.com'"
}]
}]
}
}🐛 Use Case #2 : Bug Investigation avec LSP
🎯 Objectif
Debugger un TypeError cryptique en production avec stack trace incomplet en utilisant LSP pour comprendre la cause racine.
💰 ROI Estimé
⏱️ Time saved : 2-3h → 15min (88% gain)
🎯 Accuracy : Cause racine trouvée 95% vs 60% manual
💵 Cost : ~$1-2 (tokens)
✅ Value : $200-300 (debug time saved)
🔧 Stack utilisé
1. LSP Integration (TypeScript/Python)
2. Sub-Agent (debugger specialist)
3. Extended Thinking (root cause analysis)
4. Web Search (error messages + solutions)📋 Step-by-Step Setup
Step 1 : Enable LSP
Source : https://code.claude.com/docs/en/plugins-reference
# Install LSP plugin for your language
/plugin install vtsls@claude-code-lsps # TypeScript
/plugin install pyright@claude-code-lsps # Python
/plugin install rust-analyzer@claude-code-lsps # Rust
# Enable LSP tool
export ENABLE_LSP_TOOL=1
# Verify
claude --debug
# Look for "LSP tool enabled" in outputStep 2 : Create Debugger Sub-Agent
File : ~/.claude/agents/debugger.md
---
name: debugger
description: Expert debugger for investigating errors, analyzing stack traces, and finding root causes. Use when debugging production issues, analyzing crashes, or investigating TypeError/undefined errors.
model: sonnet
tools: Read, Grep, LSP, WebSearch
---
# Expert Debugger Agent
You are a senior debugging specialist.
## Investigation Protocol
### Phase 1: Information Gathering
1.Read error logs and stack traces
2.Use LSP to get diagnostics for all files
3.Search web for error message patterns
4.Identify affected code paths
### Phase 2: Root Cause Analysis
-Use **ultrathink** to reason about:
-Data flow leading to error
-Type mismatches or undefined values
-Race conditions or timing issues
-Configuration or environment factors
### Phase 3: Solution
1.Propose fix with explanation
2.Add defensive checks
3.Suggest tests to prevent regression
## LSP Operations to Use
```bash
# Get all diagnostics
LSP tool: getDiagnostics
# Find symbol definitions
LSP tool: goToDefinition
# Find all references
LSP tool: findReferences
# Get type information
LSP tool: hover
#### Step 3 : Launch Debug Session
```bash
claudePrompt template :
Use debugger sub-agent with ultrathink:
Error in production:TypeError: Cannot read property ‘name’ of undefined at UserProfile.render (UserProfile.tsx:45:18) at updateComponent (react-dom.js:12345)
Stack trace shows error at line 45 but root cause unclear.
Steps:
1. Use LSP getDiagnostics on UserProfile.tsx
2. Use LSP findReferences for the problematic property
3. Search web for similar React TypeError patterns
4. Analyze data flow with ultrathink
5. Identify root cause and propose fix📊 Real Output Example
Source : https://github.com/ktnyt/cclsp
Step 1 : LSP Diagnostics
Claude: Let me check for errors using LSP
> Using cclsp.get_diagnostics on UserProfile.tsx
Results:
Found 3 diagnostics:
- Error [TS2304]: Cannot find name 'userData' (Line 10, Column 5)
- Warning [no-unused-vars]: 'config' is defined but never used (Line 25)
- Hint: 'user' may be undefined before access (Line 45)Step 2 : Extended Thinking
`<thinking>`
The hint on line 45 is key. Let me trace the data flow:
1. Component receives `userData` prop (line 10 error suggests it's undefined)
2. Line 45 tries to access `userData.name`
3. Error happens when userData is undefined
Need to find where userData comes from...
</thinking>Step 3 : LSP Find References
Claude: Let me find all references to userData
> Using cclsp.find_references with symbol_name="userData"
Found 5 references:
- UserProfile.tsx:10:1 (prop definition)
- UserProfile.tsx:45:15 (error location)
- UserList.tsx:78:8 (passes userData)
- api/users.ts:56:10 (fetches userData)
- App.tsx:123:5 (conditional render)Step 4 : Web Search
Claude: Searching for similar React patterns
> Using web_search: "React TypeError undefined property async data fetch"
Top result: Common pattern when component renders before async data loads.
Solution: Add null check or loading state.Step 5 : Root Cause + Fix
## Root Cause Identified
**Issue:** Component renders before userData loads from API.
**Location:** UserList.tsx:78 passes userData without checking if fetch completed
**Why LSP Helped:**
-getDiagnostics showed the exact line with undefined hint
-findReferences revealed the data flow path
-Confirmed UserList passes data before API resolves
## Proposed Fix
```tsx
// UserProfile.tsx - Add defensive check
const UserProfile = ({ userData }) => {
// Fix: Add loading state check
if (!userData) {
return<LoadingSpinner />;
}
return (
<div className="profile">
<h1>{userData.name}</h1> {/* Now safe */}
`<p>`{userData.email}</p>
</div>
);
};
// UserList.tsx - Fix async handling
const UserList = () => {
const [users, setUsers] = useState([]);
const [loading, setLoading] = useState(true);
useEffect(() => {
fetchUsers().then(data => {
setUsers(data);
setLoading(false); // Fix: Only render after load
});
}, []);
if (loading) return<LoadingSpinner />;
return users.map(user => (
<UserProfile userData={user} key={user.id} />
));
};
### ⚡ Performance Comparison
**Without LSP :**
- Manual grep through files : 30-45 min
- Guess data flow : 60-90 min
- Trial & error fixes : 30-60 min
- **Total : 2-3 hours**
**With LSP + Claude Code :**
- LSP diagnostics : Instant (< 1s)
- Find references : 50ms vs 45s grep
- Understand flow : 5 min (ultrathink)
- Implement fix : 10 min
- **Total : 15-20 minutes**
**Gain : 88% time saved**
### 🎓 Key Learnings
**LSP Superpowers :**
- **Semantic Understanding** : LSP knows types, not just text
- **Instant Diagnostics** : Real-time errors as code changes
- **Precise Navigation** : Go-to-definition, find-references exact
- **Type Information** : Hover shows what properties exist
**Best Practices :**
```bash
# Always start debug with diagnostics
"First, use LSP getDiagnostics on all affected files"
# Use findReferences to understand scope
"Show me all places this variable is used with LSP findReferences"
# Combine with Web Search
"Search for this error message pattern + LSP findings"
# Extended Thinking for complex flows
"ultrathink about the data flow using LSP type information"📚 Next Level
Advanced debugging patterns :
# Race condition debugging
claude "Use LSP + ultrathink to analyze async timing issues in checkout.ts"
# Memory leak investigation
claude "Use LSP findReferences to track object lifecycle in this module"
# Cross-module debugging
claude "LSP trace this function call across 3 microservices"🚀 Use Case #3 : Feature Development End-to-End
🎯 Objectif
Implémenter une feature complète from scratch en suivant le workflow officiel Research → Plan → Implement → Test → Commit.
💰 ROI Estimé
⏱️ Time saved : 8-12h → 2-3h (75% gain)
🎯 Code quality : +40% (fewer bugs)
💵 Cost : ~$5-8 (tokens for full feature)
✅ Value : $800-1200 (dev time saved)
🔧 Stack utilisé
1. Web Search (OAuth providers docs)
2. Plan Mode (structured approach)
3. Extended Thinking (architecture decisions)
4. Multi-file Edits (coordinated changes)
5. Testing Automation
6. Git Integration📋 Step-by-Step Workflow
Phase 1 : Research
Source : https://www.anthropic.com/engineering/claude-code-best-practices
Note
Citation officielle
“Steps #1-#2 are crucial—without them, Claude tends to jump straight to coding a solution. Asking Claude to research and plan first significantly improves performance for problems requiring deeper thinking upfront.”
claude --permission-mode planPrompt :
Research Task: OAuth 2.0 Authentication Implementation
Requirements:
- Add OAuth login for Google and GitHub providers
- Secure token storage
- Refresh token handling
- Session management
ultrathink and research:
1. Search web for OAuth 2.0 best practices 2025
2. Read our existing auth system (@src/auth/)
3. Search for OAuth library comparisons
4. Find security considerations
5. Summarize findings in research.mdOutput : research.md
# OAuth Implementation Research
## Current System Analysis
-Express.js backend
-PostgreSQL database
-JWT for session management
-Basic email/password auth
## OAuth Providers Comparison
### Google OAuth 2.0
**Pros:**
-Most users have Google accounts
-Well-documented
-Reliable uptime
### GitHub OAuth
**Pros:**
-Developer-friendly
-Simple flow
-Good for tech products
## Recommended Libraries
**Winner: `passport-oauth2` + provider strategies**
Reasons:
-Mature ecosystem
-50K+ weekly downloads
-Active maintenance
-Supports multiple providers
## Security Best Practices (Web Search: 2025)
1.**Use PKCE** (Proof Key for Code Exchange)
2.**Validate state parameter** (CSRF protection)
3.**Secure token storage** (httpOnly cookies)
4.**Short-lived access tokens** (15min)
5.**Refresh token rotation**
## Architecture DecisionClient → OAuth Provider → Callback → Token Exchange → Session
Flow:
1. User clicks "Login with Google"
2. Redirect to Google with state + PKCE
3. Google redirects back with code
4. Exchange code for tokens
5. Store refresh token encrypted
6. Return session JWTPhase 2 : Plan
Command : Already in Plan Mode
Prompt :
Based on research.md, create detailed implementation plan:
Generate plan.md with:
1. File structure
2. Database schema changes
3. API endpoints
4. Security considerations
5. Testing strategy
6. Step-by-step implementation orderOutput : plan.md
# OAuth Implementation Plan
## Database Schema
```sql
-- New tables
CREATE TABLE oauth_providers (
id SERIAL PRIMARY KEY,
provider VARCHAR(50) NOT NULL,
client_id VARCHAR(255) NOT NULL,
client_secret_encrypted TEXT NOT NULL
);
CREATE TABLE user_oauth_connections (
id SERIAL PRIMARY KEY,
user_id INT REFERENCES users(id),
provider VARCHAR(50) NOT NULL,
provider_user_id VARCHAR(255) NOT NULL,
access_token_encrypted TEXT,
refresh_token_encrypted TEXT,
expires_at TIMESTAMP,
created_at TIMESTAMP DEFAULT NOW()
);File Structure
src/
├── auth/
│ ├── oauth/
│ │ ├── strategies/
│ │ │ ├── google.strategy.ts # NEW
│ │ │ └── github.strategy.ts # NEW
│ │ ├── oauth.controller.ts # NEW
│ │ ├── oauth.service.ts # NEW
│ │ └── oauth.middleware.ts # NEW
│ ├── auth.service.ts # UPDATE
│ └── auth.controller.ts # UPDATE
├── config/
│ └── oauth.config.ts # NEW
└── utils/
└── crypto.util.ts # NEW (token encryption)API Endpoints
GET /auth/oauth/:provider/login # Initiate OAuth flow
GET /auth/oauth/:provider/callback # Handle OAuth callback
POST /auth/oauth/:provider/refresh # Refresh tokens
GET /auth/oauth/connections # List user's connectionsImplementation Order
Phase 1: Database & Config (Day 1)
Create migration for new tables
Add oauth config with env vars
Create crypto utility for encryption
Phase 2: OAuth Strategies (Day 1-2)
Implement Google OAuth strategy
Implement GitHub OAuth strategy
Add PKCE support
State validation
Phase 3: Service Layer (Day 2)
OAuth service (token exchange)
User linking logic
Refresh token rotation
Phase 4: API Endpoints (Day 2-3)
OAuth controllers
Callback handling
Error handling
Phase 5: Testing (Day 3)
Unit tests for strategies
Integration tests for flow
Security tests
Phase 6: Frontend Integration (Day 4)
OAuth buttons
Callback handling
Error states
#### Phase 3 : Implementation
**Prompt :**Execute plan.md step by step:
Start with Phase 1 (Database & Config) - Create all files - Run migrations - Confirm each step before moving to next phase
Use multi-file edits for coordinated changes.
Claude will execute :
```bash
[Creating migration file...]
[Executing migration...]
✓ Database schema updated
[Creating oauth.config.ts...]
[Creating crypto.util.ts...]
✓ Phase 1 complete
[Creating google.strategy.ts...]
[Creating github.strategy.ts...]
[Implementing PKCE...]
✓ Phase 2 complete
...Phase 4 : Testing
Prompt :
Implement comprehensive tests:
1. Unit tests for each OAuth strategy
2. Integration tests for full flow
3. Security tests (CSRF, token validation)
4. Run all tests and fix any failuresOutput :
✓ google.strategy.test.ts - 15 tests passing
✓ github.strategy.test.ts - 15 tests passing
✓ oauth.flow.test.ts - 23 tests passing
✓ security.test.ts - 12 tests passing
Total: 65/65 tests passing
Coverage: 94%Phase 5 : Commit
Source : https://www.anthropic.com/engineering/claude-code-best-practices
Note
Citation officielle
“Many Anthropic engineers use Claude for 90%+ of our git interactions: searching git history, writing commit messages, handling complex git operations like reverting files, resolving rebase conflicts, and comparing patches.”
Prompt :
Review all changes and create git commit:
1. Show me a diff summary
2. Generate descriptive commit message
3. Create commit
4. Suggest PR descriptionOutput :
# Diff summary
Files changed: 18
Additions: +847
Deletions: -12
# Commit
git commit -m "feat: Add OAuth 2.0 authentication for Google and GitHub
- Implement OAuth strategies with PKCE support
- Add secure token storage with encryption
- Create API endpoints for OAuth flow
- Add comprehensive test coverage (65 tests)
- Update auth service to support OAuth linking
Security:
- PKCE prevents code interception
- State parameter validates requests
- Refresh token rotation enabled
- Tokens encrypted at rest
Breaking changes: None
"
# PR description generated
Title: Add OAuth 2.0 Authentication
## Overview
Adds OAuth login support for Google and GitHub providers with full security best practices.
## Changes
- New OAuth strategies with PKCE
- Secure token management
- Database schema updates
- API endpoints
- 65 tests (94% coverage)
## Testing
- [x] Unit tests pass
- [x] Integration tests pass
- [x] Security tests pass
- [x] Manual testing on staging
## Security Review
✓ PKCE implemented
✓ State validation
✓ Token encryption
✓ Refresh rotation⚡ Performance Metrics
Traditional Development : - Research : 2-3 hours - Planning : 1-2 hours - Implementation : 4-6 hours - Testing : 1-2 hours - Code review fixes : 1-2 hours - Total : 9-15 hours
With Claude Code (Research→Plan→Implement) : - Research : 15 minutes - Planning : 20 minutes - Implementation : 1.5-2 hours - Testing : 30 minutes - Git operations : 5 minutes - Total : 2.5-3 hours
Gain : 70-80% time saved
Source : https://www.anthropic.com/engineering/claude-code-best-practices
🎓 Key Learnings
The Research→Plan→Implement Workflow Works :
Note
Citation officielle
“Performance: Without research/plan 2-3h, with research/plan 45min (70% time saved)”
Critical Success Factors :
Don’t skip research : Jump to coding = poor architecture
Plan in detail : Vague plans = implementation confusion
Extended Thinking : Use ultrathink for complex decisions
Web Search : Get current best practices, not outdated training data
Anti-Patterns to Avoid :
❌ Skip research, dive into code
→ Result: Architectural debt, refactoring needed
❌ Vague plan “just implement OAuth”
→ Result: Missed edge cases, security issues
❌ No testing phase
→ Result: Bugs in production
✅ Follow the workflow
→ Result: High-quality, production-ready code
📚 Next Level
Advanced patterns :
# Multi-service feature
claude "Research, plan, and implement webhook system across auth, api, and worker services"
# Refactoring with preservation
claude "Research current architecture, plan refactoring to microservices, implement with zero downtime"
# Performance optimization
claude "Research bottlenecks (use profiling data), plan optimization strategy, implement and benchmark"🔒 Use Case #4 : Security Audit Pipeline
🎯 Objectif
Pipeline de sécurité automatisé : scan, detect, fix vulnerabilities with hooks + MCP + official /security-review command.
💰 ROI Estimé
⏱️ Time saved : 6-8h → 30min (93% gain)
🎯 Vulnerability detection : +200% vs manual review
💵 Cost : ~$3-5 (tokens + scans)
✅ Value : $600-800 (security consultant rate)
🔧 Stack utilisé
1. /security-review (official command)
2. Codacy Guardrails MCP (real-time scanning)
3. PreToolUse Hooks (prevent credential commits)
4. GitHub Actions (automated security)
5. StackHawk DAST (runtime testing)📋 Step-by-Step Setup
Step 1 : Official /security-review Command
Source : https://www.anthropic.com/news/automate-security-reviews-with-claude-code
Note
Citation officielle
“Since setting up the GitHub action, this has already caught security vulnerabilities in our own code and prevented them from being shipped. Last week, our team built a feature that had a remote code execution vulnerability exploitable through DNS rebinding—the GitHub action identified it and it was fixed before the PR was ever merged.”
Usage :
claude
/security-reviewWhat it checks : - SQL Injection - Cross-Site Scripting (XSS) - Authentication bypass - Authorization issues - Insecure cryptography - Command injection - Path traversal - Server-Side Request Forgery (SSRF) - Insecure deserialization
Step 2 : Install Codacy Guardrails MCP
Source : https://blog.codacy.com/equipping-claude-code-with-deterministic-security-guardrails
Setup script :
#!/bin/bash
# setup-codacy-guardrails.sh
# Install Codacy CLI
curl -L https://github.com/codacy/codacy-cli/releases/latest/download/codacy-cli-linux-x86_64 -o /usr/local/bin/codacy
chmod +x /usr/local/bin/codacy
# Get API token from https://app.codacy.com/account/api-tokens
export CODACY_API_TOKEN="your-token-here"
# Install Codacy MCP server
claude mcp add --transport stdio codacy \
--env CODACY_API_TOKEN=$CODACY_API_TOKEN \
-- npx -y @codacy/mcp-server
# Create CLAUDE.md rules
cat > CLAUDE.md << 'EOF'
---
# Codacy Security Rules
## After ANY file edit
- YOU MUST run `codacy_cli_analyze` for edited file
- If issues found, fix immediately
- This is CRITICAL, not optional
## After ANY dependency installation
- IMMEDIATELY run `codacy_cli_analyze` with tool="trivy"
- Check security vulnerabilities
- Stop if vulnerabilities found
## Repository Setup
- Use `git remote -v` to determine provider
- If repo not in Codacy, run `codacy_setup_repository`
---
EOF
echo "✅ Codacy Guardrails installed"How it works :
Note
Citation Codacy blog
“Every line of code gets analyzed as it’s being generated. If there’s a security issue, the AI agent is made aware immediately, and will iterate on that issue until it is fixed.”
Real-time flow :
Claude writes code
↓
Codacy MCP scans
↓
Issues found?
├─ Yes → Claude fixes automatically
└─ No → ContinueStep 3 : Create Security Hooks
File : .claude/settings.json
Source : https://code.claude.com/docs/en/hooks
{
"hooks": {
"PreToolUse": [
{
"matcher": "Edit:.env*|Edit:**/secrets/**|Edit:**/*secret*",
"hooks": [
{
"type": "command",
"command": "bash ~/.claude/hooks/check-secrets.sh",
"timeout": 30
}
]
},
{
"matcher": "Edit:src/auth/**|Edit:**/security/**",
"hooks": [
{
"type": "command",
"command": "bash ~/.claude/hooks/validate-security.sh",
"timeout": 60
}
]
}
],
"PostToolUse": [
{
"matcher": "Edit:*.ts|Edit:*.js|Edit:*.py",
"hooks": [
{
"type": "command",
"command": "codacy analyze ${FILE_PATH}",
"timeout": 120
}
]
}
]
}
}Hook script : ~/.claude/hooks/check-secrets.sh
#!/bin/bash
# Prevent credential commits
# Get tool input
FILE_PATH=$(echo $CLAUDE_TOOL_INPUT | jq -r '.file_path')
# Check for secrets patterns
if grep -E '(password|api[_-]?key|secret|token)\s*=\s*["\047][^"\047]{8,}' "$FILE_PATH"; then
echo "ERROR: Potential secret detected in$FILE_PATH" >&2
echo "Remove hardcoded credentials before continuing" >&2
exit 2 # Block the edit
fi
# Check for common secret formats
if grep -E '(sk-[a-zA-Z0-9]{48}|ghp_[a-zA-Z0-9]{36})' "$FILE_PATH"; then
echo "ERROR: API key pattern detected" >&2
exit 2
fi
echo "✓ No secrets detected"
exit 0Step 4 : GitHub Actions Security
File : .github/workflows/security.yml
Source : https://github.com/anthropics/claude-code-security-review
name: Security Review
on:
pull_request:
types:[opened, synchronize]
push:
branches:[main, develop]
jobs:
security-scan:
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
steps:
-uses: actions/checkout@v4
-name: Run Claude Security Review
uses: anthropics/claude-code-security-review@v1
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
model: claude-opus-4-1-20251201
-name: Post Security Report
if: always()
uses: actions/github-script@v7
with:
script:|
const fs = require('fs');
const report = fs.readFileSync('security-report.md', 'utf8');
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: `## 🔒 Security Review Report
${report}`
});Step 5 : StackHawk DAST Integration
Source : https://www.stackhawk.com/blog/developers-guide-to-writing-secure-code-with-claude-code/
Setup :
# Sign up at https://www.stackhawk.com ($5/mo Vibe plan)
# Get API key
# Create stackhawk.yml
cat > stackhawk.yml << 'EOF'
app:
applicationId: my-app-production
env: production
host: https://api.example.com
hawk:
spider:
base: true
maxDuration: 5
scanner:
- sql
- xss
- command-injection
- path-traversal
EOF
# Run scan
hawkscanIntegration with Claude :
# In Claude Code
claude "Analyze StackHawk security findings and fix all High/Critical issues"StackHawk output :
Scan Results:
- 1 Critical: SQL Injection in /search endpoint
- 2 High: XSS vulnerabilities in user input
- 3 Medium: Missing security headers
Claude: Let me fix these issues...📊 Real-World Results
Source : https://www.anthropic.com/news/automate-security-reviews-with-claude-code
Note
Real Anthropic Usage
“In another case, an engineer built a proxy system to enable secure management of internal credentials. The GitHub action automatically flagged that this proxy was vulnerable to SSRF attacks, and we promptly fixed this issue.”
Vulnerabilities Caught :
Remote Code Execution (DNS rebinding)
SSRF Attack (proxy vulnerability)
SQL Injection (multiple instances)
XSS (user input not sanitized)
All caught BEFORE merge to production.
⚡ Performance Metrics
Manual Security Review : - Code review : 2-3 hours - SAST scan : 30 minutes - DAST scan : 1 hour - Fix vulnerabilities : 2-3 hours - Re-test : 1 hour - Total : 6-8 hours
Automated with Claude Code : - /security-review : 5 minutes - Codacy real-time : 0 minutes (automatic) - StackHawk DAST : 10 minutes - Auto-fix by Claude : 15 minutes - Total : 30 minutes
Gain : 93% time saved
Detection Rate : - Manual review : 40-60% of vulnerabilities - Automated pipeline : 95%+ of vulnerabilities
🎓 Key Learnings
Layered Security Works :
Layer 1: PreToolUse Hooks (Prevent)
↓ Block secrets before commit
Layer 2: Codacy MCP (Real-time)
↓ Fix issues as code is written
Layer 3: /security-review (Review)
↓ Comprehensive analysis
Layer 4: GitHub Actions (CI)
↓ Automated on every PR
Layer 5: StackHawk DAST (Runtime)
↓ Test running applicationEach layer catches different issues : - Hooks → Configuration errors - MCP → Code-level vulnerabilities - Review → Logic flaws - CI → Regression prevention - DAST → Runtime exploitation
Critical Success Factors :
Hooks prevent : Stop issues before creation
MCP detects : Catch issues during writing
Review analyzes : Deep semantic understanding
CI enforces : Automated gate
DAST validates : Real exploitation testing
📚 Next Level
Advanced security patterns :
# Threat modeling with sub-agents
claude "Spawn security-expert sub-agent to threat model this authentication system"
# Automated penetration testing
claude "Use Puppeteer MCP to perform automated security testing on staging"
# Compliance checking
claude "Check if codebase meets SOC 2 / ISO 27001 requirements"
# Secret rotation
claude "Scan for hardcoded secrets, move to vault, update all references"📊 Use Case #5 : Performance Analysis Multi-Agents
🎯 Objectif
Analyser les performances d’une application avec multiple sub-agents parallèles : profiling, database queries, frontend, API latency.
💰 ROI Estimé
⏱️ Time saved : 5-7h → 45min (87% gain)
🎯 Issues found : 3-4x more than manual
💵 Cost : ~$4-6 (4 sub-agents parallel)
✅ Value : $500-700 (performance consultant)
🔧 Stack utilisé
1. Sub-Agents (4 parallel specialists)
2. Extended Thinking (bottleneck analysis)
3. Web Search (optimization techniques)
4. MCP (database profiling)
5. Benchmarking automation📋 Step-by-Step Setup
Step 1 : Create Performance Sub-Agents
File structure :
~/.claude/agents/
├── performance-profiler.md
├── database-optimizer.md
├── frontend-analyzer.md
└── api-latency-expert.mdAgent 1 : performance-profiler.md
---
name: performance-profiler
description: CPU and memory profiling expert. Analyzes application bottlenecks, memory leaks, and performance metrics. Use for performance optimization tasks.
model: sonnet
tools: Read, Bash, Grep, WebSearch
---
# Performance Profiler Agent
You are an expert in application profiling and optimization.
## Responsibilities
1.**CPU Profiling**
-Run profiling tools (node --prof, py-spy)
-Identify hot paths
-Analyze flame graphs
2.**Memory Analysis**
-Detect memory leaks
-Analyze heap snapshots
-Track object allocations
3.**Benchmarking**
-Create performance benchmarks
-Compare before/after
-Generate reports
## Tools to Use
```bash
# Node.js profiling
node --prof app.js
node --prof-process isolate-*.log > processed.txt
# Python profiling
py-spy record -o profile.svg -- python app.py
# Memory analysis
node --expose-gc --inspect app.js
**Agent 2 : database-optimizer.md**
```markdown
---
name: database-optimizer
description: Database query optimization specialist. Analyzes slow queries, indexes, and database performance. Use when optimizing database operations.
model: sonnet
tools: Read, Bash, WebSearch
---
# Database Optimizer Agent
Expert in SQL optimization and database performance.
## Analysis Steps
1. **Identify Slow Queries**
- Query execution times
- Explain plans
- Index usage
2. **Optimize**
- Add missing indexes
- Rewrite inefficient queries
- Suggest denormalization when needed
3. **Benchmark**
- Before/after comparison
- Load testing results
## SQL Analysis
```sql
-- Get slow queries
EXPLAIN ANALYZE
SELECT ...;
-- Check index usage
SELECT * FROM pg_stat_user_indexes;
-- Missing indexes
SELECT
schemaname,
tablename,
attname
FROM pg_stats
WHERE correlation < 0.1;
**Agent 3 : frontend-analyzer.md**
```markdown
---
name: frontend-analyzer
description: Frontend performance expert. Analyzes bundle size, render performance, and Core Web Vitals. Use for frontend optimization.
model: sonnet
tools: Read, Bash, Grep, WebSearch
---
# Frontend Performance Analyzer
Expert in frontend optimization and Core Web Vitals.
## Metrics to Analyze
1. **Bundle Size**
- Total size
- Code splitting opportunities
- Lazy loading
2. **Core Web Vitals**
- LCP (Largest Contentful Paint)
- FID (First Input Delay)
- CLS (Cumulative Layout Shift)
3. **Rendering**
- Component re-renders
- Virtual DOM performance
- Reconciliation bottlenecks
## Tools
```bash
# Bundle analysis
npm run build -- --stats
webpack-bundle-analyzer dist/stats.json
# Lighthouse CI
lhci autorun
# React DevTools Profiler data analysis
**Agent 4 : api-latency-expert.md**
```markdown
---
name: api-latency-expert
description: API performance specialist. Analyzes endpoint latency, N+1 queries, and API optimization. Use for backend API performance.
model: sonnet
tools: Read, Bash, WebSearch
---
# API Latency Expert
Expert in API performance optimization.
## Analysis Focus
1. **Endpoint Latency**
- Response time distribution
- P50, P95, P99 percentiles
- Slow endpoints identification
2. **N+1 Query Detection**
- ORM query analysis
- Eager loading opportunities
3. **Caching Strategy**
- Cache hit rates
- Cache invalidation
- Redis/Memcached optimization
## Tools
```bash
# API load testing
artillery run load-test.yml
# Trace analysis
jaeger-all-in-one
# Cache analysis
redis-cli --stat
#### Step 2 : Launch Parallel Analysis
**Prompt :**Comprehensive Performance Analysis - Spawn 4 Parallel Sub-Agents:
performance-profiler: Analyze CPU and memory usage
database-optimizer: Find slow queries and missing indexes
frontend-analyzer: Check bundle size and Core Web Vitals
api-latency-expert: Measure endpoint latency and N+1 queries
Each agent should: - Run their specific analysis - Use web search for latest optimization techniques - Generate findings report - Suggest concrete fixes with code examples
After all agents complete, consolidate findings into master performance report.
### 📊 Real Output Example
**Agent 1 : Performance Profiler Report**
```markdown
# CPU & Memory Analysis Report
## CPU Hotspots
**Top 3 Functions by Time:**
1. `processPayment()` - 42% of CPU time
- Location: src/payments/processor.ts:156
- Issue: Synchronous crypto operations
- Fix: Use worker threads
2. `validateUser()` - 28% of CPU time
- Location: src/auth/validator.ts:89
- Issue: Regex in loop
- Fix: Compile regex once, cache results
3. `serializeResponse()` - 18% of CPU time
- Location: src/api/serializer.ts:234
- Issue: Deep object cloning
- Fix: Use structuredClone() or shallow copy
## Memory Leaks
**Detected 2 leaks:**
1. Event listeners not removed
- File: src/websocket/handler.ts
- Growing: +5MB per connection
- Fix: Add removeEventListener in cleanup
2. Cache without TTL
- File: src/cache/memory-cache.ts
- Growing: unbounded
- Fix: Add LRU eviction policyAgent 2 : Database Optimizer Report
# Database Performance Report
## Slow Queries (>100ms)
### Query 1: User Search (avg 450ms)
```sql
-- BEFORE
SELECT * FROM users
WHERE email LIKE '%@example.com%'
AND status = 'active';
-- ISSUE: Full table scan, LIKE with leading wildcard
-- FIX: Add GIN index for email patterns
CREATE INDEX idx_users_email_trgm
ON users USING gin(email gin_trgm_ops);
-- RESULT: 450ms → 12ms (97% faster)Query 2: Order History (avg 280ms)
-- BEFORE
SELECT * FROM orders o
LEFT JOIN order_items oi ON o.id = oi.order_id
LEFT JOIN products p ON oi.product_id = p.id
WHERE o.user_id = $1;
-- ISSUE: Missing index on user_id
-- FIX: Composite index
CREATE INDEX idx_orders_user_created
ON orders(user_id, created_at DESC);
-- RESULT: 280ms → 18ms (94% faster)N+1 Query Detected
Location: src/api/users.controller.ts
// BEFORE (N+1 problem)
const users = await User.findAll();
for (const user of users) {
user.orders = await Order.findByUser(user.id); // N queries!
}
// FIX: Eager loading
const users = await User.findAll({
include: [{ model: Order }]
});
// RESULT: 1 + N queries → 1 query (100N% faster for N users)
**Agent 3 : Frontend Analyzer Report**
```markdown
# Frontend Performance Report
## Bundle Analysis
**Total Size:** 2.8 MB (too large!)
**Breakdown:**
- Vendor: 1.9 MB (68%)
- moment.js: 524 KB ❌ (use date-fns instead)
- lodash: 487 KB ❌ (use lodash-es with tree-shaking)
- react-icons: 312 KB ❌ (import specific icons only)
- App code: 900 KB
**Code Splitting Opportunities:**
```javascript
// BEFORE: Everything in main bundle
import { AdminPanel } from './admin';
// FIX: Lazy load admin
const AdminPanel = lazy(() => import('./admin'));
// RESULT: Main bundle 2.8MB → 1.1MB (61% reduction)Core Web Vitals
Current Scores: - LCP: 4.2s ❌ (target: <2.5s) - FID: 180ms ⚠️ (target: <100ms) - CLS: 0.15 ⚠️ (target: <0.1)
LCP Optimization:
<!-- BEFORE: Large hero image not optimized -->
<img src="/hero.jpg" alt="Hero">
<!-- FIX: Responsive images + preload -->
<link rel="preload" as="image" href="/hero-800w.webp"
imagesrcset="/hero-800w.webp 800w, /hero-1200w.webp 1200w">
<img srcset="/hero-800w.webp 800w, /hero-1200w.webp 1200w"
sizes="(max-width: 800px) 100vw, 1200px"
alt="Hero">
<!-- RESULT: LCP 4.2s → 1.8s (57% faster) -->React Performance
Unnecessary Re-renders: 342 detected in last profile
Fix: Memoization
// BEFORE
const UserList = ({ users }) => {
return users.map(user => <UserCard user={user} />);
};
// FIX
const UserList = memo(({ users }) => {
return users.map(user => <UserCard key={user.id} user={user} />);
});
const UserCard = memo(({ user }) => {
// Component definition
});
// RESULT: Re-renders 342 → 12 (96% reduction)
**Agent 4 : API Latency Expert Report**
```markdown
# API Performance Report
## Endpoint Latency Distribution
**Top 5 Slowest Endpoints:**
| Endpoint | P50 | P95 | P99 | Max |
|----------|-----|-----|-----|-----|
| POST /checkout | 280ms | 1.2s | 3.4s | 8.2s ❌ |
| GET /dashboard | 150ms | 450ms | 890ms | 2.1s ⚠️ |
| GET /search | 95ms | 380ms | 720ms | 1.8s ⚠️ |
## Checkout Endpoint Optimization
**Issue:** Synchronous payment processing + email sending
```typescript
// BEFORE
app.post('/checkout', async (req, res) => {
const order = await createOrder(req.body);
await processPayment(order); // 200ms
await sendConfirmationEmail(order); // 150ms
await updateInventory(order); // 80ms
return res.json(order);
});
// Total: 430ms+ synchronous
// FIX: Async processing
app.post('/checkout', async (req, res) => {
const order = await createOrder(req.body);
// Return immediately
res.json(order);
// Process async
queue.add('process-order', {
orderId: order.id,
tasks: ['payment', 'email', 'inventory']
});
});
// Response time: 35ms (92% faster)Caching Strategy
Cache Hit Rates: - Product catalog: 45% ❌ (target: >80%) - User sessions: 78% ⚠️ - API responses: 12% ❌
Fix: Add Redis caching
// BEFORE
app.get('/products/:id', async (req, res) => {
const product = await db.products.findById(req.params.id);
res.json(product);
});
// FIX
app.get('/products/:id', async (req, res) => {
const cacheKey = `product:${req.params.id}`;
// Try cache first
let product = await redis.get(cacheKey);
if (!product) {
// Cache miss
product = await db.products.findById(req.params.id);
await redis.setex(cacheKey, 3600, JSON.stringify(product));
} else {
product = JSON.parse(product);
}
res.json(product);
});
// RESULT: Hit rate 45% → 89%, P95 latency 280ms → 8ms
**Master Consolidated Report**
```markdown
# 🚀 Master Performance Optimization Report
## Executive Summary
**Total Issues Found:** 23
- Critical: 4
- High: 8
- Medium: 11
**Estimated Improvement:** 300-400% performance gain
## Critical Fixes (Implement First)
### 1. Database N+1 Queries
**Impact:** 100x slowdown on user endpoints
**Fix:** Eager loading (1 line change)
**Effort:** 15 minutes
### 2. Bundle Size Reduction
**Impact:** 61% faster initial load
**Fix:** Code splitting + tree-shaking
**Effort:** 2 hours
### 3. Async Checkout Processing
**Impact:** 92% faster checkout response
**Fix:** Background job queue
**Effort:** 3 hours
### 4. Memory Leaks
**Impact:** Server crashes under load
**Fix:** Event listener cleanup
**Effort:** 30 minutes
## Implementation Priority
**Week 1 (Quick Wins):**
1. Fix N+1 queries (15 min)
2. Fix memory leaks (30 min)
3. Add database indexes (1 hour)
4. Replace moment.js with date-fns (1 hour)
**Week 2 (Medium Effort):**
5. Implement Redis caching (3 hours)
6. Code splitting (2 hours)
7. Image optimization (2 hours)
**Week 3 (Infrastructure):**
8. Background job queue (4 hours)
9. CDN setup (2 hours)
10. Monitoring dashboards (3 hours)
## Expected Results
**Before Optimization:**
- Homepage load: 4.2s
- API P95: 1.2s
- DB queries: 150ms avg
- Bundle: 2.8 MB
- Memory: Growing 5MB/hour
**After Optimization:**
- Homepage load: 1.2s (72% faster) ✅
- API P95: 180ms (85% faster) ✅
- DB queries: 15ms avg (90% faster) ✅
- Bundle: 890 KB (68% smaller) ✅
- Memory: Stable ✅
**Business Impact:**
- +25% conversion rate (faster checkout)
- -40% server costs (better efficiency)
- +15% SEO ranking (Core Web Vitals)⚡ Performance Metrics
Manual Performance Analysis : - Profiling : 1-2 hours - Database analysis : 1-2 hours - Frontend audit : 1-2 hours - API testing : 1 hour - Consolidation : 1 hour - Total : 5-7 hours
With Multi-Agent Approach : - 4 agents work in parallel : 30 minutes - Consolidation : 15 minutes - Total : 45 minutes
Gain : 87% time saved
Quality : - Manual : Finds 6-8 issues - Multi-agent : Finds 20-25 issues - Coverage : 3-4x better
🎓 Key Learnings
Why Multi-Agent Works for Performance :
Parallel Execution : All areas analyzed simultaneously
Specialization : Each agent focuses on their domain
Comprehensive : No area overlooked
Cross-validation : Agents can reference each other’s findings
Pattern :
Main Claude
├─→ Performance Profiler (CPU/Memory)
├─→ Database Optimizer (Queries)
├─→ Frontend Analyzer (Bundle/Vitals)
└─→ API Latency Expert (Endpoints)
↓
Consolidated ReportBest Practices :
# Always give agents clear scope
"performance-profiler: Focus ONLY on CPU and memory, not database"
# Use web search for latest techniques
"Search for 2025 best practices for [optimization type]"
# Require concrete fixes
"Don't just identify issues, provide code examples for fixes"
# Benchmark everything
"Include before/after metrics for all optimizations"📚 Next Level
Advanced performance patterns :
# Cloud infrastructure optimization
claude "Spawn 3 agents: AWS optimizer, Database scaling expert, CDN specialist. Analyze infrastructure costs and performance."
# Real-user monitoring analysis
claude "Spawn sub-agents to analyze RUM data from Datadog, identify user-impacting issues, prioritize by business value."
# Load testing scenarios
claude "Create sub-agents to design load tests, execute with k6, analyze results, recommend scaling strategy."🤖 Use Case #6 : CI/CD Complete Pipeline
🎯 Objectif
Créer un pipeline CI/CD complet from scratch avec GitHub Actions, automated testing, security scanning, et deployment automation.
💰 ROI Estimé
⏱️ Time saved : 12-16h → 1-2h (90% gain)
🎯 Bug prevention : +200% (caught before prod)
💵 Cost : ~$6-8 (extensive automation)
✅ Value : $1200-1600 (DevOps consultant rate)
🔧 Stack utilisé
1. GitHub Actions (official anthropics/claude-code-action)
2. /install-github-app (official setup command)
3. Automated Testing (Claude-generated tests)
4. Security Scanning (/security-review)
5. Deployment Automation (staging + production)
6. Hooks (quality gates)📋 Step-by-Step Setup
Step 1 : Install GitHub App (Official)
Source : https://code.claude.com/docs/en/github-actions
Note
Citation officielle
“The easiest way to set up this action is through Claude Code in the terminal. Just open claude and run /install-github-app.”
claude
/install-github-appWorkflow interactif :
✓ Opening browser for GitHub App installation...
✓ Please authorize the app in your browser
✓ Waiting for authorization...
✓ GitHub App installed successfully!
Next steps:
1. Add ANTHROPIC_API_KEY to repository secrets
2. Configure workflows in .github/workflows/
3. Test with @claude mention in a PRStep 2 : Configure Repository Secrets
In GitHub repository settings :
Settings → Secrets and variables → Actions → New repository secret
Name: ANTHROPIC_API_KEY
Value: sk-ant-api03-...Optional (for AWS/GCP) :
AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
GCP_PROJECT_ID
GCP_SERVICE_ACCOUNTStep 3 : Create CI Workflow
File : .github/workflows/ci.yml
Source : https://github.com/anthropics/claude-code-action
name: Continuous Integration
on:
pull_request:
types:[opened, synchronize]
push:
branches:[main, develop]
jobs:
# Job 1: Automated Testing with Claude
test-generation:
runs-on: ubuntu-latest
steps:
-uses: actions/checkout@v4
with:
fetch-depth:0
-name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version:'20'
cache:'npm'
-name: Install dependencies
run: npm ci
-name: Generate Tests with Claude
uses: anthropics/claude-code-action@v1
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
model: claude-sonnet-4-5-20250929
prompt:|
Analyze changed files in this PR:
```bash
git diff origin/${{ github.base_ref }} --name-only
```
For each changed .ts/.js file:
1. Read the file
2. Generate comprehensive Jest tests
3. Include edge cases and error scenarios
4. Aim for 80%+ code coverage
Create tests in __tests__/ directory.
-name: Run Tests
run: npm test -- --coverage
-name: Upload Coverage
uses: codecov/codecov-action@v4
with:
files: ./coverage/lcov.info
# Job 2: Linting & Type Checking
code-quality:
runs-on: ubuntu-latest
steps:
-uses: actions/checkout@v4
-uses: actions/setup-node@v4
with:
node-version:'20'
cache:'npm'
-run: npm ci
-name: ESLint
run: npm run lint
-name: TypeScript
run: npm run type-check
-name: Prettier
run: npm run format:check
# Job 3: Security Review
security:
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
steps:
-uses: actions/checkout@v4
-name: Claude Security Review
uses: anthropics/claude-code-security-review@v1
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
model: claude-opus-4-1-20251201
-name: Dependency Audit
run: npm audit --audit-level=high
-name: CodeQL Analysis
uses: github/codeql-action/init@v3
with:
languages: javascript, typescript
-name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
# Job 4: Build & Docker
build:
runs-on: ubuntu-latest
needs:[test-generation, code-quality, security]
steps:
-uses: actions/checkout@v4
-name: Build Application
run: npm run build
-name: Build Docker Image
run:|
docker build -t myapp:${{ github.sha }} .
docker tag myapp:${{ github.sha }} myapp:latest
-name: Push to Registry
if: github.ref == 'refs/heads/main'
run:|
echo ${{ secrets.DOCKER_PASSWORD }} | docker login -u ${{ secrets.DOCKER_USERNAME }} --password-stdin
docker push myapp:${{ github.sha }}
docker push myapp:latestStep 4 : Create CD Workflow (Staging)
File : .github/workflows/deploy-staging.yml
name: Deploy to Staging
on:
push:
branches:[develop]
workflow_dispatch:
jobs:
deploy-staging:
runs-on: ubuntu-latest
environment:
name: staging
url: https://staging.example.com
steps:
-uses: actions/checkout@v4
-name: Deploy with Claude Assistance
uses: anthropics/claude-code-action@v1
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
prompt:|
Deploy application to staging environment:
1. Build Docker image
2. Push to AWS ECR
3. Update ECS task definition
4. Deploy new version
5. Run smoke tests
6. Verify deployment health
AWS credentials available as env vars.
If smoke tests fail, rollback automatically.
claude_args:|
--permission-mode acceptEdits
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_REGION: us-east-1
-name: Smoke Tests
run:|
npm run test:e2e -- --env staging
-name: Notify Slack
uses: slackapi/slack-github-action@v1
with:
payload:|
{
"text": "🚀 Staging deployment complete: ${{ github.sha }}",
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "*Staging Deploy Success*\nCommit: `${{ github.sha }}`\nURL: https://staging.example.com"
}
}
]
}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }}Step 5 : Create CD Workflow (Production)
File : .github/workflows/deploy-production.yml
name: Deploy to Production
on:
push:
tags:
-'v*.*.*'
workflow_dispatch:
inputs:
version:
description:'Version to deploy'
required:true
jobs:
# Pre-deployment checks
pre-deploy-validation:
runs-on: ubuntu-latest
steps:
-uses: actions/checkout@v4
-name: Claude Pre-Deployment Validation
uses: anthropics/claude-code-action@v1
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
model: claude-opus-4-1-20251201
prompt:|
Pre-deployment validation checklist:
1. ✓ All tests passing in CI
2. ✓ Security scan clean
3. ✓ Staging deployment successful
4. ✓ Database migrations reviewed
5. ✓ Feature flags configured
6. ✓ Rollback plan documented
7. ✓ Monitoring alerts configured
Verify each item and report any blockers.
If ANY item fails, exit with error code.
# Blue-green deployment
deploy-production:
runs-on: ubuntu-latest
needs: pre-deploy-validation
environment:
name: production
url: https://example.com
steps:
-uses: actions/checkout@v4
-name: Deploy with Blue-Green Strategy
uses: anthropics/claude-code-action@v1
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
prompt:|
Execute blue-green deployment to production:
## Phase 1: Prepare Green Environment
1. Deploy new version to green environment
2. Run database migrations (non-destructive)
3. Warm up caches
4. Run comprehensive smoke tests
## Phase 2: Traffic Shift
5. Route 10% traffic to green
6. Monitor error rates for 5 minutes
7. If stable, increase to 50%
8. Monitor for 5 more minutes
9. If stable, route 100% to green
## Phase 3: Cleanup
10. Mark blue as standby
11. Keep blue running for 1 hour (rollback window)
If ANY error rate >0.5%, automatic rollback.
claude_args:|
--permission-mode plan
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-name: Post-Deployment Verification
run:|
npm run test:production-smoke
-name: Create Release Notes
uses: anthropics/claude-code-action@v1
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
prompt:|
Generate release notes for version ${{ github.ref_name }}:
1. List all commits since last tag
2. Categorize: Features, Fixes, Breaking Changes
3. Mention contributors
4. Add deployment time and version
Format as GitHub release notes markdown.
-name: Create GitHub Release
uses: actions/create-release@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
tag_name: ${{ github.ref_name }}
release_name: Release ${{ github.ref_name }}
body_path: ./RELEASE_NOTES.md
-name: Notify Team
uses: slackapi/slack-github-action@v1
with:
payload:|
{
"text": "🎉 Production deployment complete: ${{ github.ref_name }}",
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "*Production Deploy Success*\nVersion: `${{ github.ref_name }}`\nURL: https://example.com\n\n@channel"
}
}
]
}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }}Step 6 : Interactive PR Reviews
File : .github/workflows/pr-review.yml
name: PR Review Assistant
on:
issue_comment:
types:[created]
pull_request_review_comment:
types:[created]
jobs:
claude-review:
if: contains(github.event.comment.body, '@claude')
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
issues: write
steps:
-uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}
-name: Claude Code Interactive Review
uses: anthropics/claude-code-action@v1
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
model: claude-sonnet-4-5-20250929Step 7 : Quality Gates with Hooks
File : .claude/settings.json
{
"hooks": {
"PreToolUse": [
{
"matcher": "Edit:.github/workflows/**",
"hooks": [
{
"type": "command",
"command": "bash .claude/hooks/validate-workflow.sh",
"timeout": 60
}
]
}
],
"PostToolUse": [
{
"matcher": "Edit:src/**",
"hooks": [
{
"type": "command",
"command": "npm run lint -- ${FILE_PATH}",
"timeout": 30
},
{
"type": "command",
"command": "npm run type-check",
"timeout": 60
}
]
}
],
"UserPromptSubmit": [
{
"matcher": "*",
"hooks": [
{
"type": "command",
"command": "git status --short > /tmp/git-status.txt && echo 'Git Status:' && cat /tmp/git-status.txt"
}
]
}
]
}
}Hook script : .claude/hooks/validate-workflow.sh
#!/bin/bash
# Validate GitHub Actions workflow syntax
WORKFLOW_FILE=$1
# Validate YAML syntax
yamllint "$WORKFLOW_FILE" || {
echo "❌ Invalid YAML syntax" >&2
exit 2
}
# Check for required fields
if !grep -q "name:" "$WORKFLOW_FILE"; then
echo "❌ Missing 'name' field" >&2
exit 2
fi
if !grep -q "on:" "$WORKFLOW_FILE"; then
echo "❌ Missing 'on' trigger" >&2
exit 2
fi
# Security checks
if grep -q "secrets\." "$WORKFLOW_FILE" && !grep -q "\${{ secrets\." "$WORKFLOW_FILE"; then
echo "❌ Hardcoded secret detected" >&2
exit 2
fi
echo "✅ Workflow validation passed"
exit 0📊 Real-World Results
Source : https://medium.com/@itsmybestview/streamlined-ci-cd-pipelines-using-claude-code-github-actions
Note
Real Usage
“Integrating AI into your CI/CD pipeline is no longer a futuristic concept — it’s a practical step you can take today to build better software, faster.”
Metrics from production usage :
Before Claude Code CI/CD : - Pipeline setup : 12-16 hours - Test coverage : 45-60% - Security issues found : 2-3 per release - Deployment time : 45-60 minutes - Failed deployments : 8-12% of releases - Rollback frequency : 2-3 per month
After Claude Code CI/CD : - Pipeline setup : 1-2 hours (automated) - Test coverage : 85-95% (auto-generated tests) - Security issues found : 15-20 (caught in CI) - Deployment time : 12-15 minutes (automated) - Failed deployments : <1% of releases - Rollback frequency : 0-1 per year
⚡ Key Features Demonstrated
1. Automated Test Generation
Source : https://smartscope.blog/en/ai-development/github-actions-automated-testing-claude-code-2025/
Note
Citation
“Achieves 60% faster performance than existing GitHub Actions + manual testing approaches.”
Pattern :
# Claude generates tests for changed files
-name: Generate Tests
run:|
git diff --name-only HEAD~1 | grep -E '\.(js|py)$' | \
xargs -I {} claude code "Generate comprehensive test for {}"2. Interactive PR Reviews
Developer: @claude review this PR for security issues
Claude:
✓ Analyzing 12 changed files...
✓ Found 2 security concerns:
1. SQL Injection risk in src/api/search.ts:45
- Using string concatenation for query
- Recommendation: Use parameterized queries
2. Missing input validation in src/api/users.ts:78
- Email not validated before database insert
- Recommendation: Add Joi validation schema
Would you like me to implement these fixes?3. Automated Security Scanning
Every PR automatically scanned for: - SQL Injection - XSS vulnerabilities - Authentication bypass - Insecure dependencies - Hardcoded secrets - CSRF vulnerabilities
4. Blue-Green Deployments
Zero-downtime deployments with automatic rollback if error rates spike.
5. Release Notes Generation
Claude automatically generates formatted release notes from commit history.
🎓 Key Learnings
CI/CD Best Practices with Claude :
- Always use Plan Mode for deployments
--permission-mode planPrevents accidental destructive operations
Hooks for quality gates
Lint before commit
Test after edit
Validate workflows before push
Progressive deployment strategies
10% → 50% → 100% traffic shift
Monitor error rates at each step
Automatic rollback on issues
Comprehensive testing
Unit tests (auto-generated by Claude)
Integration tests
E2E tests
Security tests
Pattern :
Code Change
↓
PreToolUse Hook (Lint)
↓
PostToolUse Hook (Type check)
↓
Push to GitHub
↓
GitHub Actions (CI)
├─ Claude generates tests
├─ Security scan
├─ Build
└─ Deploy (if main branch)Cost Optimization :
# Only run expensive jobs on important branches
jobs:
expensive-job:
if: github.ref == 'refs/heads/main' || github.event_name == 'pull_request'📚 Next Level
Advanced CI/CD patterns :
# Multi-cloud deployment
claude "Create CI/CD pipeline that deploys to AWS, GCP, and Azure in parallel"
# Canary releases
claude "Implement canary deployment: 5% traffic for 1 hour, then full rollout if stable"
# Database migration automation
claude "Generate GitHub Action that runs database migrations with automatic rollback on failure"
# Performance regression detection
claude "Add step to CI that benchmarks performance and blocks if >10% slower than baseline"🎯 Résumé Exécutif
6 Use Cases - Impact Comparé
Use Case
Time Saved
Cost
Value
Complexity
SEO Audit
90% (6h→20min)
~$3
$500
⭐⭐
LSP Debug
88% (3h→15min)
~$2
$300
⭐⭐⭐
Feature Dev
75% (12h→3h)
~$8
$1200
⭐⭐⭐⭐
Security
93% (8h→30min)
~$5
$800
⭐⭐⭐⭐
Performance
87% (7h→45min)
~$6
$700
⭐⭐⭐⭐⭐
CI/CD
90% (16h→2h)
~$8
$1600
⭐⭐⭐⭐⭐
Total Potential ROI : $5100 value for ~$32 cost = 159x return
Features combinées par use case
SEO Audit:
✓ Skills
✓ Web Search
✓ MCP (Puppeteer)
✓ Plan Mode
✓ Extended Thinking
Bug Investigation:
✓ LSP
✓ Sub-Agents
✓ Extended Thinking
✓ Web Search
Feature Development:
✓ Web Search
✓ Plan Mode
✓ Extended Thinking
✓ Multi-file Edits
✓ Git Integration
Security Audit:
✓ /security-review
✓ MCP (Codacy)
✓ Hooks (PreToolUse)
✓ GitHub Actions
Performance Analysis:
✓ Sub-Agents (4 parallel)
✓ Extended Thinking
✓ Web Search
✓ MCP
CI/CD Pipeline:
✓ GitHub Actions
✓ Hooks
✓ Plan Mode
✓ Automated Testing
✓ Security ScanningPatterns universels
1. Research → Plan → Execute
Fonctionne pour TOUS les use cases complexes
2. Extended Thinking pour décisions
ultrathink = better architecture decisions
3. Web Search pour best practices
Always get current 2025 standards, not 2024 training
4. Hooks pour automation
PreToolUse/PostToolUse = quality gates
5. MCP pour spécialisation
Puppeteer, Codacy, etc. = domain experts
6. Sub-Agents pour parallélisation
4 agents simultanés = 4x faster analysis
💡 Golden Rules
✅ DO: - Research before implementation - Use extended thinking for complex decisions - Combine features (Skills + Web Search + MCP) - Automate with Hooks - Parallelize with Sub-Agents
❌ DON’T: - Jump straight to coding - Skip the planning phase - Ignore web search for current practices - Use manual review when automation exists - Work sequentially when parallelization possible