#!/usr/bin/env python3
"""PostToolUse hook: detect security violations in modified files.
Delegates analysis to security_checks module. Reads the PostToolUse
JSON event from stdin, checks the written file, and emits a blocking
result when violations are found.
"""
from __future__ import annotations
import json
import os
import sys
# Hooks are invoked as a bare script path, so the sibling security_checks
# module is not on sys.path by default. Inserting at index 0 puts this
# directory ahead of every other entry for the import below, so a module in
# the hook directory takes precedence over same-named modules elsewhere.
sys.path.insert(0, os.path.dirname(os.path.abspath(__file__)))
from security_checks import check_security, format_security_violations # noqa: E402
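def _target_file(event: object) -> str:
    """Return the written file's path from a PostToolUse *event*, or "".

    The hook receives whatever the caller put on stdin, so the event may
    not have the expected ``{"tool_input": {"file_path": ...}}`` shape.
    Any missing or non-string piece yields "" instead of raising, which the
    caller treats as "nothing to check".
    """
    if not isinstance(event, dict):
        return ""
    tool_input = event.get("tool_input")
    if not isinstance(tool_input, dict):
        return ""
    file_path = tool_input.get("file_path", "")
    return file_path if isinstance(file_path, str) else ""


def main() -> None:
    """Entry point: read PostToolUse event, check file, emit result.

    Always exits 0. A malformed or empty event, a non-dict payload, or a
    path that is not a regular file is treated as "nothing to check" (the
    hook fails open, matching the existing JSON-decode handling). When
    violations are found, a ``{"decision": "block", "reason": ...}`` JSON
    object is printed on stdout for the tool runner to act on.
    """
    try:
        event = json.load(sys.stdin)
    except (json.JSONDecodeError, EOFError):
        sys.exit(0)

    # Previously event.get(...).get(...) raised AttributeError on a non-dict
    # event or tool_input; the helper returns "" for every malformed shape.
    file_path = _target_file(event)
    # isfile() rather than exists(): directories and dangling paths are skipped.
    if not file_path or not os.path.isfile(file_path):
        sys.exit(0)

    smells = check_security(file_path)
    if smells:
        reason = format_security_violations(file_path, smells)
        print(json.dumps({"decision": "block", "reason": reason}))
    sys.exit(0)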
# Run the hook only when executed directly by the tool runner, not on import
# (e.g. when another module wants to reuse main()).
if __name__ == "__main__":
    main()