
Claude Code Pre-Commit Security Hook Script

Claude Code hooks are executable scripts that automatically run at specific workflow points, with pre-commit security hooks scanning code for sensitive

What It Is

Claude Code hooks are executable scripts that run automatically at specific points in a development workflow, similar to git hooks but designed to work within Claude’s coding environment. A pre-commit security hook scans code for sensitive information like API keys, passwords, and authentication tokens before allowing a git commit to proceed. The hook is a simple bash script placed in ~/.claude/hooks/pre-commit.sh that uses pattern matching to detect common secret formats. When configured through a CLAUDE.md file, Claude executes this script before any commit operation and blocks the commit if potential secrets are found.

The implementation relies on grep with regular expressions to search for patterns like API_KEY, SECRET, PASSWORD, or OpenAI-style tokens matching sk-[a-zA-Z0-9]{32,}. The script returns a non-zero exit code when matches are found, which signals Claude to halt the commit and report which files contain suspicious content.

Why It Matters

Accidentally committing secrets to version control remains one of the most common security vulnerabilities in software development. Once credentials reach git history, they persist even after deletion, requiring repository rewrites or credential rotation. Automated scanning at the pre-commit stage prevents this entire class of problems before they occur.

Traditional approaches rely on developers remembering security best practices or manually running security tools. Claude Code hooks shift this responsibility to deterministic automation. Unlike asking Claude to “remember” security rules through prompts or instructions, hooks provide enforcement that cannot be bypassed through conversation or forgotten context.

Security teams benefit from standardized scanning across all projects where Claude assists with development. The hook approach works consistently regardless of which developer is using Claude or what they’re working on. Organizations can distribute standard hook configurations that apply security policies uniformly.

Individual developers gain protection from their own mistakes during rapid prototyping or late-night coding sessions when vigilance naturally decreases. The automated check catches issues that might slip past tired eyes or distracted attention.

Getting Started

Create the hook script at ~/.claude/hooks/pre-commit.sh:

#!/bin/bash
# Scan the working tree for common secret patterns; grep exits 0 when it finds a match.
if grep -rE "(API_KEY|SECRET|PASSWORD|sk-[a-zA-Z0-9]{32,})" --include="*.ts" --include="*.js" .; then
  echo "Potential secrets detected - aborting commit"
  # A non-zero exit code tells Claude to halt the commit; grep's output above names the files.
  exit 1
fi

Make the script executable with chmod +x ~/.claude/hooks/pre-commit.sh. The --include flags limit scanning to specific file types - adjust these based on project needs. Add --include="*.py" for Python projects or --include="*.env" to catch environment files.

Configure Claude to use the hook by adding this section to the project’s CLAUDE.md file:

## Hooks

Run `~/.claude/hooks/pre-commit.sh` before any git commit operation.
If it fails, stop and explain which files contain potential secrets.

Claude reads CLAUDE.md as configuration and executes the specified hook before processing commit requests. When the hook detects secrets, Claude reports the findings and refuses to complete the commit.

Customize the regex pattern to match organization-specific secret formats. For AWS keys, add AKIA[0-9A-Z]{16}. For GitHub tokens, include ghp_[a-zA-Z0-9]{36}. The pattern can grow to cover any credential format relevant to the codebase.
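An added example, not the article's script: the same grep-based check, but restricted to the files actually staged for commit, with the AWS and GitHub formats mentioned above folded into a single alternation. The function names (find_secrets, count_flagged, scan_staged, hook_main) and the --hook flag are this example's own.

```shell
#!/bin/bash
# Added example (not the article's hook): scan only files staged for commit,
# using the article's patterns plus the AWS and GitHub formats it mentions.
# Function names and the --hook flag are this example's own conventions.

# One alternation: the article's four patterns plus AKIA... and ghp_... tokens.
SECRET_PATTERN='(API_KEY|SECRET|PASSWORD|sk-[a-zA-Z0-9]{32,}|AKIA[0-9A-Z]{16}|ghp_[a-zA-Z0-9]{36})'

# find_secrets FILE...: print every hit as file:line:text; return 1 if any file hit.
find_secrets() {
  local rc=0 f
  for f in "$@"; do
    [ -f "$f" ] || continue          # skip directories and deleted paths
    if grep -nHE "$SECRET_PATTERN" -- "$f"; then
      rc=1
    fi
  done
  return "$rc"
}

# count_flagged FILE...: print the number of distinct files that contain a hit.
count_flagged() {
  find_secrets "$@" | cut -d: -f1 | sort -u | wc -l | tr -d ' '
}

# scan_staged: check only files added, copied or modified in the git index,
# so an untouched file elsewhere in the tree cannot block the commit.
scan_staged() {
  local files
  files=$(git diff --cached --name-only --diff-filter=ACM) || return 2
  [ -n "$files" ] || return 0
  # shellcheck disable=SC2086  # word-split on purpose; paths with spaces need NUL handling
  find_secrets $files
}

# hook_main: the entry point Claude invokes; a non-zero exit aborts the commit.
hook_main() {
  local rc=0
  scan_staged || rc=$?
  case "$rc" in
    0) exit 0 ;;
    2) echo "Could not list staged files (not a git repository?)" >&2; exit 2 ;;
    *) echo "Potential secrets detected - aborting commit" >&2; exit 1 ;;
  esac
}

# Run the hook only when invoked as `pre-commit.sh --hook`; without it the file just defines functions.
if [ "${1:-}" = "--hook" ]; then hook_main; fi
```

Wire it into CLAUDE.md as `~/.claude/hooks/pre-commit.sh --hook`; the distinct exit codes keep a genuine hit (1) separate from a failure to list staged files (2), so a broken environment is not reported as a leak.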

Context

Several alternatives exist for pre-commit secret scanning. Git-secrets (https://github.com/awslabs/git-secrets) and gitleaks (https://github.com/gitleaks/gitleaks) offer more sophisticated detection with lower false positive rates. These tools maintain databases of known secret patterns and use entropy analysis to identify high-randomness strings that might be credentials.

Claude Code hooks provide simpler setup with less configuration overhead. The bash script approach requires no additional tool installation or dependency management. However, this simplicity comes with limitations - basic regex matching generates false positives on variable names or comments containing words like “PASSWORD” without actual secrets.

The hook runs only when Claude handles git operations, not when developers commit directly from the command line or other tools. Teams need traditional git hooks or CI/CD scanning as complementary layers. Claude hooks work best as an additional safety net rather than the sole security control.

Pattern-based detection misses secrets that don’t follow recognizable formats, like custom API tokens or database passwords without identifying prefixes. More advanced tools use machine learning or entropy scoring to catch these cases, though at the cost of increased complexity and slower scan times.