
Security Secret Scanner

Pre-Tool | Advanced | Hook Type: pre-tool-use

Security Secret Scanner intercepts file writes, edits and git commits and scans their content for sensitive data patterns. It checks for AWS access keys, GitHub personal access tokens, OpenAI and Anthropic API keys, private key blocks, Postgres and MongoDB connection strings with embedded credentials, Slack tokens, JWTs and Google API keys, using regex rules in the style of tools like trufflehog and gitleaks. When a potential secret is detected it blocks the operation and reports where it was found (the file path, or the staged changes for a commit), the pattern that matched and a redacted prefix of the match. This prevents one of the most common security incidents in development: accidentally committing secrets to version control.

Tags: security, secrets, scanning, credentials, prevention

Hook Code

#!/bin/bash
# Security Secret Scanner Hook
# Detects secrets and credentials before they're written or committed.
#
# Claude Code passes hook input to the command as JSON on stdin (tool_name,
# tool_input, ...). Exit code 2 blocks the tool call and feeds stderr back to
# Claude; exit code 0 lets the call proceed. Requires jq and git on PATH.

INPUT=$(cat)
TOOL_NAME=$(echo "$INPUT" | jq -r '.tool_name // empty')
TOOL_INPUT=$(echo "$INPUT" | jq -c '.tool_input // {}')

# Only check Write, Edit, and Bash (git commit)
if [[ "$TOOL_NAME" != "Edit" ]] && [[ "$TOOL_NAME" != "Write" ]] && [[ "$TOOL_NAME" != "Bash" ]]; then
  exit 0
fi

# For Bash, only check git commit
if [[ "$TOOL_NAME" == "Bash" ]]; then
  COMMAND=$(echo "$TOOL_INPUT" | jq -r '.command // empty')
  if ! echo "$COMMAND" | grep -q "git commit"; then
    exit 0
  fi
fi

# Secret patterns (POSIX ERE for grep -E). Inside a bracket expression \s is
# not a whitespace class (GNU grep reads [^\s] as "not a backslash or the
# letter s"), so the connection-string rules use [[:space:]] instead.
PATTERNS=(
  'AKIA[0-9A-Z]{16}'                               # AWS Access Key
  'ghp_[a-zA-Z0-9]{36}'                            # GitHub PAT
  'sk-[a-zA-Z0-9]{48}'                             # OpenAI/Anthropic API Key
  'sk-ant-api[0-9]{2}-[a-zA-Z0-9_-]{90,}'          # Anthropic Key
  '-----BEGIN (RSA |EC |DSA )?PRIVATE KEY-----'    # Private Key
  'postgres://[^[:space:]]+:[^[:space:]]+@'        # DB Connection String
  'mongodb(\+srv)?://[^[:space:]]+:[^[:space:]]+@' # MongoDB URI
  'xox[boaprs]-[0-9a-zA-Z-]+'                      # Slack Token
  'eyJ[a-zA-Z0-9_-]*\.eyJ[a-zA-Z0-9_-]*\.'         # JWT Token
  'AIza[0-9A-Za-z_-]{35}'                          # Google API Key
)

FOUND_SECRETS=0

scan_content() {
  local content="$1"
  local source="$2"
  for pattern in "${PATTERNS[@]}"; do
    # -e keeps a pattern that starts with '-' (the PRIVATE KEY rule) from being parsed as a grep option
    MATCH=$(echo "$content" | grep -oE -e "$pattern" | head -1)
    if [ -n "$MATCH" ]; then
      echo "SECRET DETECTED in $source" >&2
      echo "  Pattern: $pattern" >&2
      echo "  Match: ${MATCH:0:12}...REDACTED" >&2
      FOUND_SECRETS=$((FOUND_SECRETS + 1))
    fi
  done
}

# Scan based on tool type
if [[ "$TOOL_NAME" == "Edit" ]] || [[ "$TOOL_NAME" == "Write" ]]; then
  # Write carries the whole file in .content; Edit carries only the replacement text in .new_string
  CONTENT=$(echo "$TOOL_INPUT" | jq -r '.new_string // .content // empty')
  FILE_PATH=$(echo "$TOOL_INPUT" | jq -r '.file_path // .path // "unknown"')
  scan_content "$CONTENT" "$FILE_PATH"
elif [[ "$TOOL_NAME" == "Bash" ]]; then
  # Only already-staged changes are checked; 'git commit -a' also commits
  # unstaged changes to tracked files, which this diff does not include
  STAGED=$(git diff --cached 2>/dev/null)
  scan_content "$STAGED" "staged changes"
fi

if [ $FOUND_SECRETS -gt 0 ]; then
  echo "" >&2
  echo "BLOCKED: $FOUND_SECRETS potential secret(s) found." >&2
  echo "Remove secrets and use environment variables instead." >&2
  exit 2
fi

exit 0
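The following is an added example, not part of the catalog's hook code: a stand-alone scanner function in the style of the hook's pattern loop, run against constructed sample input so the rules can be checked before they are trusted to gate commits. The rule names, the rule list (which adds a `postgresql://` variant and tighter username/password classes), the sample values and the `count_secrets` helper are this example's own assumptions; `AKIAIOSFODNN7EXAMPLE` is the placeholder key from the AWS documentation, the other values are made up in the real formats. It also shows the two grep pitfalls that silently break this kind of rule table: a rule beginning with `-` is parsed as an option unless passed with `-e`, and `\s` is not a whitespace class inside a POSIX bracket expression.

```shell
#!/usr/bin/env bash
# Added example (not the catalog hook): a scanner function exercised against
# constructed input. Two grep pitfalls the rule table below avoids:
#   * a rule that begins with '-' (the PRIVATE KEY header) is parsed as an
#     option unless it is passed with -e;
#   * '\s' is not a whitespace class inside a POSIX bracket expression (GNU
#     grep reads [^\s] as "anything but a backslash or the letter s"), so a
#     rule written as postgres://[^\s]+:[^\s]+@ never matches a username that
#     contains an 's'. [^[:space:]] is the portable spelling.

# Rule table, "<name> <ERE>" per line. The list is this example's assumption.
RULES='aws_access_key AKIA[0-9A-Z]{16}
github_pat ghp_[a-zA-Z0-9]{36}
anthropic_key sk-ant-api[0-9]{2}-[a-zA-Z0-9_-]{90,}
private_key -----BEGIN (RSA |EC |DSA )?PRIVATE KEY-----
postgres_uri postgres(ql)?://[^[:space:]/@:]+:[^[:space:]/@]+@
mongodb_uri mongodb(\+srv)?://[^[:space:]/@:]+:[^[:space:]/@]+@
slack_token xox[boaprs]-[0-9a-zA-Z-]+
jwt eyJ[a-zA-Z0-9_-]*\.eyJ[a-zA-Z0-9_-]*\.
google_api_key AIza[0-9A-Za-z_-]{35}'

# scan_for_secrets CONTENT
# Prints "<rule>\t<first 8 chars>...REDACTED" for every rule that fires and
# returns the number of rules that fired (0 means the content looks clean).
scan_for_secrets() {
    content=$1
    hits=0
    # read splits off the rule name; the rest of the line is the regex
    while read -r name regex; do
        [ -n "$regex" ] || continue
        # -e: a regex starting with '-' must not be taken as a grep option
        match=$(printf '%s\n' "$content" | grep -oE -e "$regex" | head -n 1)
        if [ -n "$match" ]; then
            printf '%s\t%.8s...REDACTED\n' "$name" "$match"
            hits=$((hits + 1))
        fi
    done <<EOF
$RULES
EOF
    return "$hits"
}

# count_secrets CONTENT: number of rules that fired, printed on stdout
count_secrets() {
    scan_for_secrets "$1" | wc -l | tr -d '[:space:]'
}

# Constructed sample input (assumed values; AKIAIOSFODNN7EXAMPLE is the
# placeholder key used in the AWS documentation).
LEAKY='AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
DATABASE_URL=postgres://sauser:s3cret@db.example.internal/app
-----BEGIN RSA PRIVATE KEY-----
SESSION=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.c2ln'

CLEAN='AWS_ACCESS_KEY_ID=os.environ["AWS_ACCESS_KEY_ID"]
DATABASE_URL=postgres://db.example.internal/app
-----BEGIN CERTIFICATE-----'

echo "-- leaky sample --"
scan_for_secrets "$LEAKY" || echo "blocked: $? rule(s) fired"
echo "-- clean sample --"
scan_for_secrets "$CLEAN" && echo "clean"
```

The username `sauser` in the sample is there on purpose: with the original `[^\s]+` spelling that line is a false negative on GNU grep, with `[^[:space:]/@:]+` it is caught. A rule table like this belongs in the repository next to a fixture file of known-format fakes, so that a change to a regex that stops it matching is noticed before a real key slips through.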

To activate it, save the script as an executable file and register it under hooks.PreToolUse in your Claude Code settings (~/.claude/settings.json for all projects, .claude/settings.json for a single project). The script needs jq and git on PATH.
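An added settings fragment (not from the catalog page) showing the registration. The script path .claude/hooks/secret-scanner.sh is an assumption; the matcher is a regular expression against the tool name, so restricting it to the three tools the script cares about means the hook is not even spawned for Read, Glob or other calls.

```json
{
  "hooks": {
    "PreToolUse": [
      {
        "matcher": "Write|Edit|Bash",
        "hooks": [
          {
            "type": "command",
            "command": ".claude/hooks/secret-scanner.sh"
          }
        ]
      }
    ]
  }
}
```

The tool-name check at the top of the script is kept anyway, so the hook still behaves correctly if someone later widens the matcher.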


About Security Secret Scanner

Claude Code hooks let you run custom shell commands automatically in response to specific events during Claude's operation. Security Secret Scanner is a PreToolUse hook, labelled Advanced in this catalog, that runs before a Write, Edit or git-commit Bash call and blocks it when the content matches a credential pattern, so the check is enforced consistently for everyone on the team without a manual review step.
