Secret Scanner Hook
Scans files for leaked credentials, API keys, tokens, and secrets before Claude writes them. Blocks the operation if sensitive data patterns are detected. Prevents accidental secret exposure in code, configs, and documentation.
Hook Type
PreToolUse with Edit|Write matcher -- Intercepts file writes to scan for secrets.
Description
This hook scans the content of every file Claude is about to write or edit, checking for patterns that match common secret formats (API keys, tokens, passwords, private keys). If a secret is detected, the write is blocked before it reaches disk. This prevents accidental secret exposure in source code, configuration files, and documentation.
Patterns/Rules
Detected secret patterns:
- AWS access keys (`AKIA[0-9A-Z]{16}`)
- AWS secret keys (40-character base64 strings)
- GitHub tokens (`ghp_`, `gho_`, `ghu_`, `ghs_`, `ghr_`)
- Generic API keys (`api[_-]?key`, `apikey`)
- Private keys (`-----BEGIN (RSA|EC|OPENSSH) PRIVATE KEY-----`)
- JWT tokens (`eyJ[A-Za-z0-9-_]+\.eyJ[A-Za-z0-9-_]+`)
- Database connection strings with passwords
- Generic high-entropy strings that look like secrets
Configuration
Hook Script (scripts/scan-secrets.sh)
```bash
#!/bin/bash
# scan-secrets.sh -- Scan for leaked secrets in file content
# Claude Code passes the tool call as JSON on stdin. Exit 0 allows the
# write; exit 2 blocks it and feeds stderr back to Claude.

INPUT=$(cat)

# Get the content being written (new_string for Edit, content for Write).
# printf instead of echo so content starting with "-n" or "-e" is not eaten.
CONTENT=$(printf '%s' "$INPUT" | jq -r '.tool_input.new_string // .tool_input.content // empty')
FILE_PATH=$(printf '%s' "$INPUT" | jq -r '.tool_input.file_path // empty')

# Skip binary files and lock files
if [[ "$FILE_PATH" =~ \.(png|jpg|gif|ico|woff|ttf|lock)$ ]]; then
  exit 0
fi

# Secret patterns (extended regex). Inside brackets '-' is kept last so it
# is a literal hyphen; written between two characters (e.g. Z-_) it is a range.
SECRET_PATTERNS=(
  'AKIA[0-9A-Z]{16}'                                  # AWS Access Key
  '[0-9a-zA-Z/+]{40}'                                 # AWS Secret Key (loose: also hits any 40-char token, e.g. a git SHA-1)
  'ghp_[0-9a-zA-Z]{36}'                               # GitHub PAT
  'gho_[0-9a-zA-Z]{36}'                               # GitHub OAuth
  'sk-[0-9a-zA-Z]{48}'                                # OpenAI API Key
  'sk-ant-[0-9a-zA-Z-]{90,}'                          # Anthropic API Key
  '-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----'   # Private Keys
  'eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+'              # JWT Tokens
  'xox[bpars]-[0-9a-zA-Z-]+'                          # Slack Tokens
  'SG\.[0-9a-zA-Z_-]{22}\.[0-9a-zA-Z_-]{43}'          # SendGrid API Key
  'sk_live_[0-9a-zA-Z]{24,}'                          # Stripe Secret Key
)

for pattern in "${SECRET_PATTERNS[@]}"; do
  if printf '%s\n' "$CONTENT" | grep -qE "$pattern"; then
    MATCH=$(printf '%s\n' "$CONTENT" | grep -oE "$pattern" | head -1)
    # Redact most of the match for safety
    REDACTED="${MATCH:0:8}...REDACTED"
    echo "BLOCKED: Potential secret detected in $FILE_PATH" >&2
    echo "Pattern: $pattern" >&2
    echo "Match: $REDACTED" >&2
    echo "Use environment variables instead of hardcoding secrets." >&2
    exit 2
  fi
done

exit 0
```
Settings Configuration
```json
{
  "hooks": {
    "PreToolUse": [
      {
        "matcher": "Edit|Write",
        "hooks": [
          {
            "type": "command",
            "command": "bash ./scripts/scan-secrets.sh"
          }
        ]
      }
    ]
  }
}
```
Action
Before any Edit or Write:
- Extracts the content being written from the tool input
- Runs regex patterns against the content
- If a secret pattern matches: blocks the write, shows a redacted match, and suggests using environment variables
- If no secrets found: allows the write to proceed
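The steps above can be exercised without going through Claude Code. The following is an added example, not the template's own script: it wraps the same pattern set and the same payload handling (`tool_input.file_path`, `tool_input.content`, `tool_input.new_string`) in functions, feeds them constructed payloads with fake credentials, and reports the exit code the hook would return. It assumes bash, jq and GNU grep. Two things differ from the template: every match of a pattern is inspected rather than only the first, and a 40-character string made purely of hex digits (a git SHA-1) is not reported as an AWS secret key, which is the most common false positive of the loose 40-character pattern. Note that the template's pattern list also names generic `api_key` strings, database connection strings and high-entropy strings; the shell script does not implement those, and this example keeps to the script's regex set.

```shell
#!/bin/bash
# Added example (not the template's own script): the hook's decision logic
# wrapped in functions so it can be exercised with constructed payloads.
# Assumes bash, jq and GNU grep. Field names follow the hook payload the
# template reads: tool_input.file_path, tool_input.content, tool_input.new_string.

LOOSE_AWS_SECRET='[0-9a-zA-Z/+]{40}'

# Same pattern set as the template; '-' is kept last inside brackets so it is
# a literal hyphen rather than a range such as Z-_.
SCAN_PATTERNS=(
  'AKIA[0-9A-Z]{16}'                                 # AWS access key ID
  "$LOOSE_AWS_SECRET"                                # AWS secret key (loose)
  'ghp_[0-9a-zA-Z]{36}'                              # GitHub PAT
  'gho_[0-9a-zA-Z]{36}'                              # GitHub OAuth token
  'sk-[0-9a-zA-Z]{48}'                               # OpenAI API key
  'sk-ant-[0-9a-zA-Z-]{90,}'                         # Anthropic API key
  '-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----'  # private key header
  'eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+'             # JWT
  'xox[bpars]-[0-9a-zA-Z-]+'                         # Slack token
  'SG\.[0-9a-zA-Z_-]{22}\.[0-9a-zA-Z_-]{43}'         # SendGrid API key
  'sk_live_[0-9a-zA-Z]{24,}'                         # Stripe secret key
)

# scan_content CONTENT: returns 2 and writes a redacted report to stderr when
# a secret is found, returns 0 otherwise. Every match of a pattern is checked,
# not just the first, so a harmless match cannot hide a real one.
scan_content() {
  local content="$1" pattern match
  for pattern in "${SCAN_PATTERNS[@]}"; do
    while IFS= read -r match; do
      [ -n "$match" ] || continue
      # Guard added here: 40 hex characters is a git SHA-1, not a base64-like
      # AWS secret key, so the loose pattern should not block it.
      if [ "$pattern" = "$LOOSE_AWS_SECRET" ] && printf '%s' "$match" | grep -qE '^[0-9a-f]{40}$'; then
        continue
      fi
      echo "BLOCKED: potential secret (pattern $pattern): ${match:0:8}...REDACTED" >&2
      return 2
    done < <(printf '%s\n' "$content" | grep -oE "$pattern")
  done
  return 0
}

# scan_hook_input JSON: mirrors the hook. 0 = allow the write, 2 = block it.
scan_hook_input() {
  local input="$1" content file_path
  content=$(printf '%s' "$input" | jq -r '.tool_input.new_string // .tool_input.content // empty')
  file_path=$(printf '%s' "$input" | jq -r '.tool_input.file_path // empty')
  # Skip binary and lock files, as the template does.
  if [[ "$file_path" =~ \.(png|jpg|gif|ico|woff|ttf|lock)$ ]]; then
    return 0
  fi
  scan_content "$content"
}

# hook_status JSON: prints the exit code the hook would return for a payload.
hook_status() {
  local rc=0
  scan_hook_input "$1" 2>/dev/null || rc=$?
  printf '%s\n' "$rc"
}

# Constructed payloads with fake values (none is a real credential).
SAMPLE_AWS_WRITE='{"tool_name":"Write","tool_input":{"file_path":"config.py","content":"AWS_KEY = \"AKIAEXAMPLE012345678\""}}'
SAMPLE_JWT_EDIT='{"tool_name":"Edit","tool_input":{"file_path":"auth.js","old_string":"TOKEN = null","new_string":"TOKEN = \"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.abc\""}}'
SAMPLE_SHA_WRITE='{"tool_name":"Write","tool_input":{"file_path":"deploy.sh","content":"commit=0123456789abcdef0123456789abcdef01234567"}}'
SAMPLE_PNG_WRITE='{"tool_name":"Write","tool_input":{"file_path":"assets/logo.png","content":"AKIAEXAMPLE012345678"}}'
SAMPLE_CLEAN_WRITE='{"tool_name":"Write","tool_input":{"file_path":"config.py","content":"API_KEY = os.environ[\"API_KEY\"]"}}'

# Invoked with --hook it behaves as the real hook (payload on stdin);
# otherwise it reports what each constructed sample would do.
if [ "${1:-}" = "--hook" ]; then
  scan_hook_input "$(cat)"
  exit $?
fi
for name in SAMPLE_AWS_WRITE SAMPLE_JWT_EDIT SAMPLE_SHA_WRITE SAMPLE_PNG_WRITE SAMPLE_CLEAN_WRITE; do
  echo "$name -> exit $(hook_status "${!name}")"
done
```

Running the file with no arguments prints the verdict for each sample: the AWS key and the JWT are blocked (exit 2), while the git SHA, the image file and the `os.environ` lookup are allowed (exit 0). Wired into settings as `bash ./scripts/scan-secrets.sh --hook`, the same functions make the decision for real tool calls.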