Automated Security Checks in Your Claude Code Development Flow
Security Debt Is Real
"Security later" -> vulnerability found at launch -> 10x remediation cost.
With Claude Code, you can run real-time security checks as you write code.
Hooks: Automated Security Scanning
.claude/settings.json:

```json
{
  "hooks": {
    "PostToolUse": [
      {
        "matcher": "Write|Edit",
        "hooks": [
          {
            "type": "command",
            "command": "python scripts/security-scan.py ${file}"
          }
        ]
      }
    ]
  }
}
```
Security Scan Script
scripts/security-scan.py:

```python
import os
import re
import sys

# (regex, message) pairs; each source line is tested case-insensitively
PATTERNS = [
    (r'exec[(]', "Command injection: exec() used"),
    (r'eval[(]', "Code injection: eval() used"),
    (r'innerHTML\s*=', "XSS: direct innerHTML assignment"),
    (r'password\s*=\s*["\']', "Hardcoded password"),
    (r'http://', "Non-TLS communication"),
]


def scan_file(path):
    issues = []
    with open(path, encoding="utf-8", errors="replace") as f:
        for line_num, line in enumerate(f, 1):
            for pattern, message in PATTERNS:
                if re.search(pattern, line, re.IGNORECASE):
                    issues.append(f"{path}:L{line_num}: {message}")
    return issues


def collect_files(target):
    # the hook passes a single file; the CI step passes a directory (src/)
    if os.path.isdir(target):
        for root, _, names in os.walk(target):
            for name in names:
                yield os.path.join(root, name)
    else:
        yield target


issues = []
for target in sys.argv[1:]:
    for path in collect_files(target):
        issues.extend(scan_file(path))

if issues:
    print("Security issues found:")
    for issue in issues:
        print(f"  {issue}")
    sys.exit(1)  # non-zero exit surfaces the findings to Claude Code / CI
```
OWASP Top 10 Audit Command
.claude/commands/security-audit.md:

```markdown
# Security Audit - $ARGUMENTS

## A01: Broken Access Control
- Endpoints reachable without auth?
- Role checks properly implemented?

## A02: Cryptographic Failures
- Passwords in plaintext?
- Weak algorithms (MD5, SHA1)?

## A03: Injection
- SQL using parameterized queries?
- User input in shell commands?

## A07: Authentication Failures
- Session expiry configured?
- Brute force protection?

Output: file:line + fix for each issue.
```
Secret Leak Prevention
.claude/commands/check-secrets.md:

```markdown
# Secret Leak Check

Before committing:
1. Check `git diff HEAD` for staged content
2. Search for: API keys, passwords, private keys, JWT secrets
3. If found: report + show `git reset` steps
```
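Steps 1 and 2 of the check above, as an added example that is not part of the original article: a scanner over `git diff HEAD` output that inspects only added lines, matches known key formats and credential assignments, and falls back to a Shannon-entropy test for random-looking quoted tokens. The sample diff, the pattern set and the 3.5-bit threshold are constructed for illustration.

```python
import math
import re
from collections import Counter

# Constructed `git diff HEAD` sample; the AWS key is the public docs example
# value (AKIAIOSFODNN7EXAMPLE), not a live credential.
SAMPLE_DIFF = """\
--- a/config.py
+++ b/config.py
@@ -1,3 +1,5 @@
 import os
-API_KEY = os.environ["API_KEY"]
+API_KEY = "AKIAIOSFODNN7EXAMPLE"
+JWT_SECRET = "sk_live_9f8e7d6c5b4a39281706f5e4d3c2b1a0"
+SIGNING = "q7Gh2kLp9mXv4nRt8sWz1bYd6cFe3jHa"
 DEBUG = False
"""

# Known key formats first, then generic credential assignments (assumed set).
PATTERNS = [
    (r"AKIA[0-9A-Z]{16}", "AWS access key id"),
    (r"(?i)(api[_-]?key|secret|password|token)\s*[=:]\s*['\"][^'\"]{8,}",
     "credential assignment"),
]
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off

def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def scan_diff(diff_text):
    # returns (file, line number in the new file, label) per suspicious added line
    findings, current_file, new_lineno = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            current_file = raw[4:].removeprefix("b/")
        elif raw.startswith("@@"):  # hunk header: "@@ -old,len +new,len @@"
            new_lineno = int(re.search(r"\+(\d+)", raw).group(1))
        elif raw.startswith("+"):  # added line: the only place a new secret appears
            line = raw[1:]
            label = next((m for p, m in PATTERNS if re.search(p, line)), None)
            if label is None:  # fallback: long random-looking quoted tokens
                for tok in re.findall(r"['\"]([A-Za-z0-9+/=_-]{20,})['\"]", line):
                    if shannon_entropy(tok) > ENTROPY_THRESHOLD:
                        label = "high-entropy string"
            if label:
                findings.append((current_file, new_lineno, label))
            new_lineno += 1
        elif raw.startswith(" "):  # context line; removed lines don't advance
            new_lineno += 1
    return findings
```

Feed it the real diff (`git diff HEAD`) and fail the commit when the returned list is non-empty; the entropy fallback is what catches tokens assigned to names the keyword list does not know.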
CI Pipeline Integration
```yaml
name: Security Scan
on: [push, pull_request]
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: |
          npm audit --audit-level=moderate
          python scripts/security-scan.py src/
```
Summary
| When | Tool | Checks |
|---|---|---|
| On file save | Hooks | Pattern matching |
| On PR create | /security-audit | OWASP Top 10 |
| Before commit | /check-secrets | Secret leaks |
| Before merge | CI | Dependency vulns |
Build a system that makes it impossible to forget security checks.
This article is an excerpt from the Claude Code Complete Guide (7 chapters), available on note.com.
myouga (@myougatheaxo) - VTuber axolotl. Sharing practical AI development tips.