Claude-Code-Hardened: The Security Hooks That Saved My Public Repos
I almost pushed AWS credentials to GitHub. Twice. Then I built a system that makes it impossible.
Let me tell you about the worst 30 seconds of my development life.
I was working on a deployment pipeline. Claude Code was helping me refactor some infrastructure code. Everything looked clean. I ran git push. And then, in the split second between pressing Enter and the push completing, I saw it in the diff: a database connection string with credentials. Going straight to a public GitHub repo.
I killed the terminal. Rotated the credentials. Checked the remote. The push hadn't completed. I got lucky.
The second time, I wasn't as fast. A private IP address made it into a commit. Not catastrophic, but embarrassing. And a signal that my workflow had a fundamental flaw.
// the problem with ai-assisted development
Claude Code is incredibly productive. It refactors entire codebases, writes deployment configs, handles infrastructure. But it operates with autonomy. It doesn't know which values in your config are secrets and which are safe. It doesn't distinguish between a public repo and a private one. And it can — and will — use --no-verify to skip your pre-commit hooks if it thinks they're in the way.
That last one is the killer. Git's client-side hooks (pre-commit, commit-msg, pre-push) are advisory: git commit --no-verify and git push --no-verify skip them entirely, and nothing inside git itself stops that. You can have the best pre-commit hooks in the world, and a single --no-verify flag bypasses all of them. So the check has to live somewhere the flag cannot reach: in front of the shell command, before git ever sees it.
| risk | hook response |
| --- | --- |
| secrets in commits | blocked (triple-layer scan) |
| --no-verify bypass | blocked |
| force push to main | blocked |
| critical file overwrites | warning + confirmation |
| private IPs/URLs | blocked |
| database URLs | blocked |
// five hooks, zero dependencies
The system is five shell scripts wired in as Claude Code hooks. No Node.js. No Python. No dependencies. Just bash and standard Unix utilities that exist on every system. Because they run as Claude Code hooks rather than git hooks, they see the shell command before it executes, which is the only place --no-verify can be caught: by the time git is involved, the flag has already switched the git hooks off.
- block-no-verify — intercepts any attempt to skip git hooks
- pre-push-secrets-scan — triple-layer detection over the full diff between origin/main and what is about to be pushed, so a secret committed three commits ago is caught just like a fresh one
- enforce-branch-policy — prevents destructive operations on protected branches
- protect-critical-files — warns when .env, config files, or secrets are modified
- post-edit-lint-reminder — nudges toward proper formatting after edits
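As an added example (shell; not the project's own block-no-verify or enforce-branch-policy scripts), here is what a Claude Code PreToolUse hook doing both jobs looks like. Claude Code runs it before the Bash tool executes, hands it the pending command as JSON on stdin, and treats exit status 2 as "block, and show stderr to the model". Beyond --no-verify it also refuses the short form -n on git commit and any use of core.hooksPath, which is the other way to switch hooks off. The protected branch list, the guard.sh file name and the sed-based JSON fallback are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the claude-code-hardened scripts): a Claude Code
# PreToolUse hook for the Bash tool. Claude Code hands the pending tool call
# to the hook as JSON on stdin; exit status 2 blocks the call and whatever the
# hook wrote to stderr is shown to the model as the reason.

PROTECTED_BRANCHES="main master"   # assumption: adjust per repository

# Hook-bypass signatures: --no-verify anywhere, its short form -n (alone or
# clustered, e.g. -an) on git commit, and any mention of core.hooksPath, which
# re-points the hooks directory so the repository's hooks never run at all.
BYPASS_RE='(^|[[:space:]])--no-verify([[:space:]]|$)|git[[:space:]]+commit[^;&|]*[[:space:]]-[a-zA-Z]*n([[:space:]]|$)|core\.hooksPath'

is_protected() {                   # is_protected BRANCH -> 0 if protected
  for b in $PROTECTED_BRANCHES; do [ "$1" = "$b" ] && return 0; done
  return 1
}

dest_branch() {                    # HEAD:main, +refs/heads/main -> main
  printf '%s\n' "$1" | sed -e 's/^+//' -e 's/^[^:]*://' -e 's#^refs/heads/##'
}

# check_push SEGMENT CURRENT_BRANCH -> 2 if SEGMENT is a destructive push
# (--force, -f, --force-with-lease, a +refspec, --delete/-d) to a protected
# branch, else 0. Subshell body keeps the positional-parameter games local.
check_push() (
  cur=$2
  args=$(printf '%s\n' "$1" | sed -n 's/.*git[[:space:]][[:space:]]*push[[:space:]]*//p')
  [ -n "$args" ] || return 0       # no push here, or a bare "git push"
  force=0; positional=''
  for t in $args; do
    case "$t" in
      -f|--force|--force-with-lease|--force-with-lease=*|-d|--delete) force=1 ;;
      -*) ;;                                        # other option
      +*) force=1; positional="$positional $t" ;;   # +refspec forces too
      *)  positional="$positional $t" ;;
    esac
  done
  [ "$force" -eq 1 ] || return 0
  set -- $positional               # $1 = remote, the rest are refspecs
  if [ $# -le 1 ]; then            # no refspec: git pushes the current branch
    [ -n "$cur" ] || { echo "blocked: forced push, current branch unknown" >&2; return 2; }
    targets=$cur
  else
    shift; targets=''
    for r in "$@"; do targets="$targets $(dest_branch "$r")"; done
  fi
  for b in $targets; do
    if is_protected "$b"; then
      echo "blocked: destructive push to protected branch '$b'" >&2
      return 2
    fi
  done
  return 0
)

# check_git_command CMD CURRENT_BRANCH -> 2 (block, reason on stderr) or 0.
# CURRENT_BRANCH is what `git rev-parse --abbrev-ref HEAD` prints; passing it
# in keeps the policy testable without a repository.
check_git_command() (
  cmd=$1; cur=${2:-}
  case "$cmd" in *git*) ;; *) return 0 ;; esac      # nothing to police
  if printf '%s\n' "$cmd" | grep -Eq -- "$BYPASS_RE"; then
    echo "blocked: this command skips git hooks (--no-verify, -n, core.hooksPath)" >&2
    return 2
  fi
  # Inspect each simple command of a chain (a && b; c | d) on its own, so a
  # forced push hiding behind a harmless first command is still caught.
  set -f; IFS='
'
  for seg in $(printf '%s\n' "$cmd" | tr ';|&' '\n\n\n'); do
    unset IFS
    check_push "$seg" "$cur" || return 2
  done
  return 0
)

# extract_command JSON -> tool_input.command. Uses jq when present; the sed
# fallback is an assumption that copes only with plain payloads.
extract_command() {
  if command -v jq >/dev/null 2>&1; then
    printf '%s' "$1" | jq -r '.tool_input.command // empty'
  else
    printf '%s' "$1" \
      | sed -nE 's/.*"command"[[:space:]]*:[[:space:]]*"(([^"\\]|\\.)*)".*/\1/p' \
      | sed -e 's/\\"/"/g' -e 's/\\\\/\\/g'
  fi
}

# Entry point when Claude Code runs this file as `guard.sh --hook` (the file
# name is an assumption; the stdin/exit-code contract is Claude Code's own).
if [ "${1:-}" = "--hook" ]; then
  payload=$(cat)
  branch=$(git rev-parse --abbrev-ref HEAD 2>/dev/null)
  check_git_command "$(extract_command "$payload")" "$branch"
  exit $?
fi
```

Register it in .claude/settings.json as a PreToolUse hook with the matcher Bash. It deliberately errs toward blocking: a commit message that happens to contain a bare -n token trips the commit check, and a forced push whose target branch cannot be determined is refused rather than waved through. That is the right failure direction for a guard; the model gets the reason on stderr and can retry without the flag.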
The secrets scan runs three passes over that diff: credentials (API key prefixes such as sk-, JWTs, which always begin with eyJ because that is the base64 encoding of {", and password= assignments), private network data (192.168. addresses, usernames, email addresses), and config values (DATABASE_URL=, SENDGRID=, VAPID=). Any hit blocks the push. That is the right failure direction: a false positive costs a minute, a leaked key costs a rotation and an incident.
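The three passes as an added example (shell; this is not the project's pre-push-secrets-scan, and the regexes are illustrative, not a complete secret corpus). It scans only the added lines of a unified diff, reports which pass fired on which file, and carries a constructed sample diff with fake values so it runs offline. The secrets-scan:allow opt-out marker, the AWS key and PEM patterns, the user:password@ connection-URL check and the --pre-push wiring are this example's own additions.

```shell
#!/bin/sh
# Added example (not the claude-code-hardened scanner): a three-pass scan of
# the lines a push would add, in the spirit of pre-push-secrets-scan. Only
# the '+' lines of a unified diff are examined, so context lines and secrets
# that were already in history do not trigger it. Patterns are illustrative.

# Pass 1, credentials: sk- key prefixes, JWTs (every JWT starts with eyJ, the
# base64 of '{"'), AWS access key ids, PEM private keys, and
# password/secret/token assignments with a non-trivial value.
CRED_RE='sk-[A-Za-z0-9_-]{16,}|eyJ[A-Za-z0-9_-]{10,}\.|AKIA[0-9A-Z]{16}|-----BEGIN [A-Z ]*PRIVATE KEY-----|([Pp]assword|PASSWORD|[Ss]ecret|SECRET|[Tt]oken|TOKEN)[[:space:]]*[=:][[:space:]]*[^[:space:]]{6,}'

# Pass 2, private network and identity: RFC 1918 addresses, e-mail addresses,
# and home-directory paths (which embed a username).
PRIVATE_RE='(^|[^0-9])(10\.[0-9]+\.[0-9]+\.[0-9]+|172\.(1[6-9]|2[0-9]|3[01])\.[0-9]+\.[0-9]+|192\.168\.[0-9]+\.[0-9]+)([^0-9]|$)|[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}|/(home|Users)/[A-Za-z0-9_-]+'

# Pass 3, config values: DATABASE_URL / SENDGRID* / VAPID* set to anything
# other than a $VARIABLE reference, and connection URLs carrying user:pass@.
CONFIG_RE='(DATABASE_URL|SENDGRID[A-Z_]*|VAPID[A-Z_]*)[[:space:]]*[=:][[:space:]]*[^$[:space:]]|(postgres(ql)?|mysql|mongodb(\+srv)?|redis|amqp)://[^[:space:]/]*:[^[:space:]/]*@'

# added_lines: unified diff on stdin -> "path:content" for each added line.
# Lines carrying "secrets-scan:allow" (this example's own opt-out marker for
# reviewed false positives) are dropped.
added_lines() {
  awk '/^[+][+][+] / { file = substr($0, 7); next }
       /^[+]/ && !/secrets-scan:allow/ { print file ":" substr($0, 2) }'
}

# scan_diff: unified diff on stdin -> "[pass] path:content" per finding on
# stdout; returns 1 if anything was found, 0 for a clean diff.
scan_diff() {
  added=$(added_lines)
  [ -n "$added" ] || return 0
  status=0
  for pass in credentials private config; do
    case $pass in
      credentials) re=$CRED_RE ;;
      private)     re=$PRIVATE_RE ;;
      config)      re=$CONFIG_RE ;;
    esac
    hits=$(printf '%s\n' "$added" | grep -E -- "$re") || continue
    printf '%s\n' "$hits" | sed "s/^/[$pass] /"
    status=1
  done
  return $status
}

# sample_diff: a constructed diff with fake values that exercises each pass,
# including a reviewed line that the allow marker must suppress.
sample_diff() {
  cat <<'EOF'
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,2 +1,6 @@
 DEBUG = False
-DATABASE_URL = os.environ["DATABASE_URL"]
+DATABASE_URL = "postgres://app:s3cretPw@10.0.12.7:5432/prod"
+OPENAI_KEY = "sk-EXAMPLEEXAMPLEEXAMPLE1234"
+ADMIN_EMAIL = "ops@example.com"
+ALLOWED_HOSTS = ["192.168.1.20"]
+DATABASE_URL = os.environ.get("DATABASE_URL")  # secrets-scan:allow
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1 +1,2 @@
 # App
+Set DATABASE_URL=$DATABASE_URL in your shell before running.
EOF
}

# Pre-push use (wiring is an assumption): scan every commit that is about to
# leave the machine, i.e. everything since the merge base with origin/main.
if [ "${1:-}" = "--pre-push" ]; then
  git diff "${2:-origin/main}...HEAD" | scan_diff && exit 0
  echo "push blocked: possible secret in the added lines above" >&2
  exit 2
fi
```

Run git fetch origin first so origin/main is current; otherwise the three-dot diff compares against a stale base. The scan is a tripwire, not a guarantee: it matches shapes it has been told about, so a token with no recognisable prefix walks straight past it. And if it fires on something already committed, the secret is in history even if it never left the machine; rotate it, as the opening story did.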
// battle-tested rules included
Beyond the hooks, the repo ships with six rule files covering coding style, security practices, testing standards, git workflow, development pipeline, and performance. These go into your .claude/rules/ directory and shape how Claude Code writes code in your projects.
They're opinionated. Immutability first. TDD mandatory. 80% coverage target. No TypeScript any types. No swallowed errors. These rules came from 200+ sessions of production development. Every rule exists because ignoring it caused a bug.
One command: curl -fsSL https://raw.githubusercontent.com/renefichtmueller/claude-code-hardened/main/install.sh | bash
For a tool whose whole point is not trusting automation blindly, the safer habit is to download install.sh first, read what it writes into your project, and only then run it.
GitHub — MIT licensed.