Overview
The earliest a vulnerability can be prevented is before code is written at all. Asymptote’s Secure by Design mode injects your organization’s active security policies into your AI coding agent’s context at the start of every session, so the agent is security-aware from the first prompt. Rather than waiting to catch insecure code after it’s generated, Secure by Design shapes what gets generated in the first place.

How It Works
When `secure-by-design` is enabled via the Asymptote CLI config, Asymptote injects your active security policies into Claude Code’s context during the `UserPromptSubmit` hook. This means:
- Claude receives your organization’s security requirements before writing any code
- Policy-aware generation reduces the number of violations that need to be caught and remediated downstream
- Guardrails at code generation time have more context to work with, improving signal quality
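To make the mechanism concrete, here is a minimal `UserPromptSubmit` hook written as an added example; it is not Asymptote’s own hook and the policy texts it carries are constructed samples. It assumes Claude Code’s hook contract: the hook receives a JSON event (with a `hook_event_name` field) on stdin, and on exit code 0 any `additionalContext` it returns under `hookSpecificOutput` is added to the agent’s context before the prompt is processed.

```python
"""Minimal UserPromptSubmit hook that injects security policies as context.

Added illustration, not Asymptote's code. Assumes Claude Code's hook
contract: a JSON event arrives on stdin and, on exit code 0, the
hookSpecificOutput.additionalContext string printed as JSON is added to
the agent's context before it starts working on the user's prompt.
"""
import json
import sys

# Constructed sample policies; a real deployment would load the
# organization's active policy set from its own source instead.
SAMPLE_POLICIES = [
    {
        "id": "POL-SQLI",
        "text": "Build SQL statements only with parameterized queries; "
                "never concatenate user input into query strings.",
    },
    {
        "id": "POL-SECRETS",
        "text": "Never hard-code credentials, API keys or tokens; read them "
                "from the environment or a secrets manager.",
    },
    {
        "id": "POL-DESERIAL",
        "text": "Do not deserialize untrusted input with formats that can "
                "instantiate arbitrary objects (e.g. pickle, yaml.load "
                "without SafeLoader).",
    },
]


def render_policies(policies):
    """Render the policy set as the text block the agent will see."""
    lines = ["Organization security policies (apply to all code you write):"]
    for policy in policies:
        lines.append(f"- [{policy['id']}] {policy['text']}")
    return "\n".join(lines)


def build_hook_output(event, policies):
    """Return the hook's JSON response for a UserPromptSubmit event.

    Returns None for any other event so the hook is a no-op if it is
    ever registered under the wrong event name.
    """
    if event.get("hook_event_name") != "UserPromptSubmit":
        return None
    return {
        "hookSpecificOutput": {
            "hookEventName": "UserPromptSubmit",
            "additionalContext": render_policies(policies),
        }
    }


def main():
    try:
        event = json.load(sys.stdin)
    except ValueError as exc:
        # Malformed event: report on stderr and exit 1, which surfaces the
        # error without blocking the user's prompt.
        print(f"policy hook: could not parse event: {exc}", file=sys.stderr)
        return 1
    output = build_hook_output(event, SAMPLE_POLICIES)
    if output is not None:
        print(json.dumps(output))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

To wire it up, the script is registered as a `command` hook under `hooks.UserPromptSubmit` in the project’s `.claude/settings.json` (the file path is whatever your checkout uses). The point to check in your own deployment is the failure mode: if the policy source cannot be loaded, the hook should make that visible rather than silently injecting nothing, since a session without policies in context looks identical to one with them from the agent’s side.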
Enabling Secure by Design
Use the `asym config` command to enable the `secure-by-design` setting.
Supported Agents
Secure by Design currently works with Claude Code. Support is scoped to agents that expose a `UserPromptSubmit` hook, which allows Asymptote to inject context before the agent begins processing.
Relationship to Other SDLC Stages
Secure by Design is the earliest point in the pipeline. Policies injected at the design stage complement the enforcement that happens downstream:

| Stage | When | What Asymptote Does |
|---|---|---|
| Secure by Design | Before code is written | Injects security policies into the agent’s context at session start |
| Code Generation | As code is written | Scans diffs in real time and flags violations |
| CI / Pull Requests | When a PR is opened | Reviews the full diff and blocks merge on violations |
| Pre-production Testing | Before deploying | Whitebox agentic pentesting |
| Async Scans | On demand or scheduled | Full policy sweep across the codebase |