Pre-Commit Security Scanner

Hook Type

pre-commit — Runs automatically before every git commit, blocking the commit if security issues are detected.

Overview

A Claude Code hook that scans your staged changes for security vulnerabilities, leaked secrets, and dangerous patterns before they enter your git history. Catches issues like hardcoded API keys, SQL injection, XSS vulnerabilities, insecure dependencies, and misconfigured permissions — preventing costly security incidents at the earliest possible stage.

Why Pre-Commit?

Once secrets or vulnerabilities are committed to git, they exist in the repository history forever (even if deleted later). Pre-commit scanning prevents this by:

• Blocking leaked secrets before they reach remote repositories
• Catching injection vulnerabilities before code review
• Enforcing security patterns automatically across the team
• Reducing security review burden by catching low-hanging fruit

Quick Start

Add to your .claude/hooks.json:

Copy
{
  "hooks": {
    "pre-commit": {
      "command": "claude-code-hook security-scan",
      "description": "Scan staged changes for security issues",
      "blocking": true
    }
  }
}

Patterns Detected

Secrets & Credentials

Pattern	Example	Severity
AWS Access Keys	AKIA[0-9A-Z]{16}	Critical
AWS Secret Keys	40-char base64 strings near AWS context	Critical
GitHub Tokens	ghp_[a-zA-Z0-9]{36}	Critical
GitLab Tokens	glpat-[a-zA-Z0-9\-]{20}	Critical
Slack Tokens	xoxb-, xoxp-, xoxs-	Critical
Google API Keys	AIza[0-9A-Za-z\-_]{35}	Critical
Stripe Keys	sk_live_[a-zA-Z0-9]{24,}	Critical
JWT Secrets	Hardcoded strings in jwt.sign()	Critical
Private Keys	-----BEGIN (RSA|EC|DSA) PRIVATE KEY-----	Critical
Database URLs	postgres://, mongodb:// with credentials	Critical
Generic Passwords	password = "...", passwd, secret assignments	High
API Keys	api_key, apiKey, API_KEY with literal values	High

Detection Examples

Copy
// BLOCKED: Hardcoded AWS credentials
const AWS_ACCESS_KEY = 'AKIAIOSFODNN7EXAMPLE';  // ❌ Critical
const AWS_SECRET_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY';  // ❌ Critical

// SAFE: Using environment variables
const AWS_ACCESS_KEY = process.env.AWS_ACCESS_KEY_ID;  // ✅
const AWS_SECRET_KEY = process.env.AWS_SECRET_ACCESS_KEY;  // ✅

Copy
# BLOCKED: Hardcoded database URL with credentials
DATABASE_URL = "postgres://admin:p@[email protected]:5432/prod"  # ❌ Critical

# SAFE: Environment variable
DATABASE_URL = os.environ["DATABASE_URL"]  # ✅

Injection Vulnerabilities

SQL Injection

Copy
// BLOCKED: String concatenation in SQL
const query = `SELECT * FROM users WHERE email = '${email}'`;  // ❌ High
const query = "SELECT * FROM users WHERE id = " + userId;  // ❌ High

// SAFE: Parameterized queries
const query = 'SELECT * FROM users WHERE email = $1';  // ✅
const result = await db.query(query, [email]);

NoSQL Injection

Copy
// BLOCKED: Unsanitized MongoDB query
db.users.find({ username: req.body.username });  // ❌ High (can inject $gt, $ne)

// SAFE: Explicit field validation
const username = String(req.body.username);  // ✅
db.users.find({ username });

Command Injection

Copy
// BLOCKED: Shell command with user input
exec(`convert ${filename} output.png`);  // ❌ Critical
exec('git log --author=' + userName);  // ❌ Critical

// SAFE: Use arrays (no shell interpretation)
execFile('convert', [filename, 'output.png']);  // ✅

XSS (Cross-Site Scripting)

Copy
// BLOCKED: Direct HTML insertion
element.innerHTML = userInput;  // ❌ High
document.write(data);  // ❌ High
$('#content').html(userComment);  // ❌ High

// SAFE: Text content or framework escaping
element.textContent = userInput;  // ✅
// React JSX auto-escapes by default  // ✅

Insecure Configurations

Copy
// BLOCKED: CORS wildcard in production
app.use(cors({ origin: '*' }));  // ❌ Medium

// BLOCKED: Disabled SSL verification
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';  // ❌ High
rejectUnauthorized: false  // ❌ High

// BLOCKED: Weak cryptography
crypto.createHash('md5');  // ❌ Medium (use sha256+)
crypto.createCipher('des', key);  // ❌ High (use aes-256-gcm)

// BLOCKED: Insecure cookie settings
res.cookie('session', token, { httpOnly: false });  // ❌ Medium
res.cookie('session', token, { secure: false });  // ❌ Medium (in production)

File & Permission Issues

Copy
# BLOCKED: Overly permissive file permissions
chmod 777 deploy.sh  # ❌ High
chmod 666 config.yml  # ❌ Medium

# BLOCKED: Sensitive files being committed
.env  # ❌ Critical (should be in .gitignore)
id_rsa  # ❌ Critical
*.pem  # ❌ High
credentials.json  # ❌ Critical

Dangerous Patterns

Copy
// BLOCKED: eval with dynamic input
eval(userInput);  // ❌ Critical
new Function(userCode);  // ❌ High
setTimeout(stringCode, 0);  // ❌ High (when string arg)

// BLOCKED: Prototype pollution
obj[key] = value;  // ❌ Medium (when key is from user input)
Object.assign(target, untrustedSource);  // ⚠️ Warning

// BLOCKED: Insecure deserialization
const data = JSON.parse(untrustedInput);  // ⚠️ Warning (needs validation after)
yaml.load(untrustedInput);  // ❌ High (use yaml.safeLoad)

Severity Levels

Level	Action	Description
Critical	Block commit	Leaked secrets, RCE vulnerabilities, private keys
High	Block commit	Injection vectors, insecure crypto, disabled security
Medium	Warning (allow)	Weak patterns, missing headers, permissive configs
Low	Info only	Style issues, minor improvements

Configuration

Custom Rules

Add project-specific patterns to .claude/security-rules.json:

Copy
{
  "customPatterns": [
    {
      "name": "Internal API Token",
      "pattern": "INTERNAL_[A-Z]+_TOKEN\\s*=\\s*['\"][^'\"]+['\"]",
      "severity": "critical",
      "message": "Hardcoded internal API token detected"
    }
  ],
  "ignorePaths": [
    "**/*.test.ts",
    "**/*.spec.js",
    "**/fixtures/**",
    "**/mocks/**"
  ],
  "ignorePatterns": [
    "EXAMPLE_KEY",
    "test-api-key",
    "dummy-secret"
  ],
  "severityThreshold": "high"
}

Severity Threshold

Control which severity levels block commits:

Copy
{
  "severityThreshold": "critical"  // Only block on critical issues
}

Options: "critical" | "high" (default) | "medium" | "low"

Ignore False Positives

Copy
{
  "ignorePatterns": [
    "AKIAIOSFODNN7EXAMPLE",
    "sk_test_",
    "pk_test_"
  ],
  "ignoreFiles": [
    "docs/examples/auth.md",
    "tests/fixtures/mock-credentials.json"
  ]
}

Output Format

When issues are found:

🔒 Pre-Commit Security Scan
━━━━━━━━━━━━━━━━━━━━━━━━━━

❌ CRITICAL: Hardcoded AWS Access Key
   File: src/config/aws.ts:12
   Pattern: AKIA[0-9A-Z]{16}
   Fix: Use environment variable AWS_ACCESS_KEY_ID

❌ HIGH: SQL Injection vulnerability
   File: src/services/userService.ts:45
   Pattern: String interpolation in SQL query
   Fix: Use parameterized queries with $1, $2 placeholders

⚠️ MEDIUM: CORS wildcard origin
   File: src/app.ts:8
   Pattern: cors({ origin: '*' })
   Fix: Specify allowed origins explicitly

━━━━━━━━━━━━━━━━━━━━━━━━━━
2 critical/high issues found. Commit blocked.
Fix the issues above and try again.

When all clear:

🔒 Pre-Commit Security Scan
━━━━━━━━━━━━━━━━━━━━━━━━━━
✅ No security issues detected (scanned 12 files)

Bypass (Emergency Only)

In rare cases where a false positive blocks a legitimate commit:

Copy
# Skip the security hook (use with caution!)
git commit --no-verify -m "feat: add example credentials in docs"

Warning: Only bypass when you've verified the flagged pattern is a false positive. Add it to ignorePatterns to prevent future false positives.

Integration with CI/CD

While this hook catches issues locally, pair it with CI security scanning for defense in depth:

Copy
# GitHub Actions example
- name: Security Scan
  run: |
    npm audit --audit-level=high
    npx semgrep --config=auto src/

Best Practices

1. Never commit secrets — Use .env files (gitignored) and secret managers
2. Parameterize all queries — Never concatenate user input into queries
3. Validate at boundaries — Sanitize all external input at entry points
4. Use framework defaults — React escaping, Helmet headers, CORS config
5. Keep dependencies updated — Run npm audit regularly
6. Review bypass commits — Track --no-verify usage in CI
7. Layer your defenses — Pre-commit hook + CI scan + code review

Supported Languages

Language	Secret Detection	Injection Analysis	Config Issues
JavaScript/TypeScript	✅	✅	✅
Python	✅	✅	✅
Go	✅	✅	✅
Ruby	✅	✅	✅
Java/Kotlin	✅	✅	✅
PHP	✅	✅	✅
Shell/Bash	✅	✅	✅
YAML/JSON/TOML	✅	—	✅
Dockerfile	✅	—	✅
Terraform/HCL	✅	—	✅