
Why Claude Code Needs Multiple Passes to Find All Your Bugs

Michael 3 min read

When I created this website using Claude Code, there were two upfront areas of significant importance to me: security and accessibility.

It's one thing to host a website built by someone else. You get some level of comfort about security, assuming (rightly or wrongly) that security has been baked into the application.

But when you create your own from the beginning, all of the responsibility falls on you, the developer. All of the security risks. All of the data breaches. All of the hijacked sessions.

It can be overwhelming, so I wrote this Claude Code tutorial on building more secure and accessible sites.

As I headed to the end of the development phase of writing this site, I asked Claude Code to perform a comprehensive security audit and, after about 10 minutes or so, it came back with a number of risks, ranging from informational to critical, with many levels in between. It asked me how to proceed and I said it should fix all issues. After about 10 more minutes, it did.

I wanted to be thorough, so I asked Claude Code to perform another comprehensive security audit.

Imagine my surprise when, just a few minutes later, Claude returned a number of previously unreported security holes, again spanning every level of risk from informational all the way to critical.

"Didn't it just do a comprehensive security audit?", I thought to myself.

I asked Claude Code to fix those gaping security holes and, to satisfy my need to be thorough - again - (em dashes, mine, not generated by AI) I asked it to run another comprehensive security audit. And to my surprise, an entirely new list of security risks was reported by Claude.

I repeated this cycle over and over for about seven iterations until I was satisfied with the results and no other security issues lingered in my code, waiting to be exploited.

But then I began to wonder why this happened. Why did I need to ask Claude Code seven times to locate and remediate security issues?

The answer surprised me.

I use Claude.ai to discuss my projects, my ideas, my plans, separately from Claude Code. And Claude.ai asks me about my roadblocks and the status of the things it knows about. And it just so happened I was working on the blog portion of this site over the early part of the weekend and lamenting to Claude about why it took so many iterations to add accessibility and security features to the blog.

And unsolicited, Claude gave me the answer. To get the complete details for you in this blog post, I just asked Claude.ai to regurgitate those details from a few days back. Here is its response:

I explained it as the "onion layer" phenomenon: Claude Code doesn't evaluate everything at once in a single comprehensive pass. Instead, it works in layers:

First pass: Catches the most obvious issues
Second pass: With those fixed, it can now see the next layer of issues
Third pass: Reveals even deeper problems that were hidden before
Fourth-fifth pass: Gets to edge cases and subtle issues

It's not a bug or limitation - it's how the tool processes complexity:

Can't see everything simultaneously
Each fix reveals what was underneath/behind it
Need multiple iterations to peel back all the layers
Like an onion - you can't see the inner layers until you remove the outer ones

That's why when you asked ... for accessibility checks or security audits, it took 4-6 rounds to actually get thorough coverage. This is EXACTLY what your blog post should explain - why developers need to ask 3-5 times for comprehensive results, and that it's not Claude Code being "bad" at its job, it's just how the analysis works.

So the next time you're working with Claude Code and it keeps finding unresolved issues, step back, take a breath and remember that working with Claude Code is oftentimes like peeling back the layers of an onion, and that's by design. A practical stopping rule is to keep going until a pass reports nothing new, then run at least one more pass to confirm it, and to re-check that later fixes did not reintroduce something an earlier pass had already closed. A clean pass from the same tool is evidence that the audit has converged, not proof that nothing remains. It's better to peel the layers now so you don't cry later.

Note: since the writing of this article, Claude Code now has a built-in command called /security-review. It should be executed with the same pattern of iteration as I mentioned above. I've had it spawn seven /security-review agents at once five times to catch all gaps.
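The iterate-until-nothing-new procedure described above, as an added example that is not code from this post or from Claude Code. The audit runner and the fixer are pluggable callables (hypothetical names `run_audit` and `fix`); in real use `run_audit` would wrap whatever produces findings (a Claude Code review, a SAST scanner) and `fix` would apply or verify a remediation. The layered audit at the bottom is a constructed simulation of the "onion", with one fix that reintroduces an earlier finding, so the loop's regression tracking has something to catch. The finding titles and file paths are constructed sample data, not real defects.

```python
"""Fixed-point loop for iterated security audits.

Added example, not code from the post or from Claude Code. `run_audit`
and `fix` are pluggable callables; the simulation at the bottom is
constructed to reveal findings in layers and to let one fix reintroduce
an earlier finding.
"""
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class Finding:
    severity: str   # informational, low, medium, high, critical
    location: str   # e.g. "app/auth.py:42" (constructed sample paths below)
    title: str


@dataclass
class AuditReport:
    passes: int                 # audit passes actually run
    findings: set[Finding]      # every distinct finding seen across all passes
    reopened: set[Finding]      # findings that came back after being fixed
    converged: bool             # True only after the required number of clean passes


def audit_until_stable(
    run_audit: Callable[[int], Iterable[Finding]],
    fix: Callable[[Finding], None],
    clean_passes_required: int = 2,
    max_passes: int = 10,
) -> AuditReport:
    """Re-run the audit, fixing everything it reports, until it returns nothing
    for `clean_passes_required` consecutive passes. `max_passes` caps the loop
    so a tool that never converges cannot run forever."""
    seen: set[Finding] = set()
    fixed: set[Finding] = set()
    reopened: set[Finding] = set()
    consecutive_clean = 0
    passes = 0
    while passes < max_passes:
        passes += 1
        findings = list(run_audit(passes))
        if not findings:
            consecutive_clean += 1
            if consecutive_clean >= clean_passes_required:
                return AuditReport(passes, seen, reopened, True)
            continue
        consecutive_clean = 0
        for f in findings:
            if f in fixed:
                reopened.add(f)   # a later fix undid an earlier one
            seen.add(f)
            fix(f)
            fixed.add(f)
    return AuditReport(passes, seen, reopened, False)


def make_layered_audit(layers, regressions=None):
    """Constructed simulation of the 'onion': layer k is only reported once
    every finding in shallower layers is fixed. `regressions` maps a finding
    to an earlier finding that fixing it reintroduces."""
    depth = {f: i for i, layer in enumerate(layers) for f in layer}
    open_findings = dict(depth)
    regressions = regressions or {}

    def run_audit(_pass_number: int) -> list[Finding]:
        if not open_findings:
            return []
        shallowest = min(open_findings.values())
        return [f for f, d in open_findings.items() if d == shallowest]

    def fix(finding: Finding) -> None:
        open_findings.pop(finding, None)
        if finding in regressions:
            back = regressions[finding]
            open_findings[back] = depth[back]

    return run_audit, fix


# Constructed sample: three layers, and fixing C reopens A.
A = Finding("critical", "app/auth.py:42", "missing CSRF token check")
B = Finding("high", "app/session.py:10", "session cookie without Secure flag")
C = Finding("medium", "app/views.py:88", "unescaped output in template")
D = Finding("informational", "config.py:3", "debug mode enabled")
SAMPLE_LAYERS = [[A, B], [C], [D]]
SAMPLE_REGRESSIONS = {C: A}


def run_sample() -> AuditReport:
    run_audit, fix = make_layered_audit(SAMPLE_LAYERS, SAMPLE_REGRESSIONS)
    return audit_until_stable(run_audit, fix)


if __name__ == "__main__":
    report = run_sample()
    print(f"passes={report.passes} converged={report.converged} "
          f"findings={len(report.findings)} reopened={len(report.reopened)}")
```

On the constructed sample the loop needs six passes: three to peel the layers, one extra because fixing C reopens A, and two consecutive clean passes before it declares convergence. The `reopened` set is the part worth keeping in a real pipeline; a single "no findings" pass tells you nothing about what the previous round of fixes undid.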
