Secret Scanner
PreToolUse
Scans files for accidentally committed secrets, API keys, and credentials before they are written
Tags: security, secrets, scanning, prevention
Hook Script
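#!/bin/bash
# Secret Scanner Hook
# Blocks writes that contain potential secrets or credentials

FILE_PATH="$1"   # path of the file being written (not used by the checks below)
CONTENT="$2"     # content that is about to be written

# Patterns (extended regular expressions) that indicate secrets
PATTERNS=(
  "AKIA[0-9A-Z]{16}"                                   # AWS access key ID
  "sk-[a-zA-Z0-9]{48}"                                 # OpenAI-style API key
  "sk_live_[a-zA-Z0-9]+"                               # Stripe live secret key
  "ghp_[a-zA-Z0-9]{36}"                                # GitHub personal access token
  "-----BEGIN (RSA|EC|DSA) PRIVATE KEY-----"           # PEM private key header
  "password[[:space:]]*=[[:space:]]*['\"][^'\"]+['\"]" # quoted password assignment
)

for pattern in "${PATTERNS[@]}"; do
  # printf avoids echo's option/escape handling; -e stops grep from reading
  # the pattern that starts with dashes as a command-line option
  if printf '%s\n' "$CONTENT" | grep -qE -e "$pattern"; then
    echo "SECRET DETECTED: Content matches pattern for potential secrets."
    echo "Please remove credentials before committing."
    echo "Pattern matched: $pattern"
    exit 1
  fi
done

exit 0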
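A self-test for the pattern list, added here as an example and not part of the original hook: it runs the same six patterns over constructed sample lines and records both what gets blocked and what the list does not cover. The function names (`secret_patterns`, `scan_content`, `check`, `selftest`) are hypothetical, every sample value is constructed, and `\s` is written as `[[:space:]]` so the patterns work with any POSIX grep.

```shell
#!/bin/sh
# Added example: self-test for the hook's patterns. Every sample value is
# constructed for illustration; none is a real credential.

# One ERE per line. [[:space:]] replaces \s so any POSIX grep accepts it.
secret_patterns() {
  cat <<'EOF'
AKIA[0-9A-Z]{16}
sk-[a-zA-Z0-9]{48}
sk_live_[a-zA-Z0-9]+
ghp_[a-zA-Z0-9]{36}
-----BEGIN (RSA|EC|DSA) PRIVATE KEY-----
password[[:space:]]*=[[:space:]]*['"][^'"]+['"]
EOF
}

# Returns 1 (block) and prints the matching pattern if $1 contains a secret;
# returns 0 (allow) otherwise.
scan_content() {
  while IFS= read -r pattern; do
    # -e keeps the pattern that starts with dashes from being read as an option
    if printf '%s\n' "$1" | grep -qE -e "$pattern"; then
      printf '%s\n' "$pattern"
      return 1
    fi
  done <<EOF
$(secret_patterns)
EOF
  return 0
}

# Compares the verdict for sample $2 with the expected one in $1 (block|allow).
check() {
  if scan_content "$2" >/dev/null; then verdict=allow; else verdict=block; fi
  if [ "$verdict" = "$1" ]; then echo "PASS $verdict: $2"; else echo "FAIL $verdict: $2"; return 1; fi
}

# The three "allow" rows document gaps in the list: an OpenSSH-format key
# header, an upper-case PASSWORD assignment, and ordinary code all pass.
selftest() {
  check block 'aws_key = AKIAIOSFODNN7EXAMPLE' &&
  check block 'token: ghp_012345678901234567890123456789abcdef' &&
  check block '-----BEGIN RSA PRIVATE KEY-----' &&
  check block "password = 'hunter2'" &&
  check allow '-----BEGIN OPENSSH PRIVATE KEY-----' &&
  check allow 'PASSWORD="hunter2"' &&
  check allow 'const region = "us-east-1";'
}
selftest
```

Running it after any change to the pattern list shows immediately whether a new pattern broke an existing detection or started flagging ordinary code.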
Settings Configuration
{
  "hooks": {
    "PreToolUse": [
      {
        "matcher": "Write|Edit",
        "command": "./hooks/security-scan.sh"
      }
    ]
  }
}
How to use
- Create a hooks directory in your project: mkdir hooks
- Save the hook script as hooks/security-scan.sh
- Make it executable: chmod +x hooks/security-scan.sh
- Add the configuration to your Claude Code settings
- Restart Claude Code to apply changes