efiadm/security-scanning-hooks
.claude/skills/security-scanning-hooks/SKILL.md
Configure security scanning hooks for vulnerability detection and secrets scanning. Uses semgrep, bandit, and gitleaks for automated security analysis on code changes.
development
Updated Apr 16, 2026
$ install --global
skillsauthnpx skillsauth add efiadm/informatik-ai-studio security-scanning-hooksInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 16, 2026, 12:55 PM48.8s2 files scanned
SKILL.md
- name:
- security-scanning-hooks
- description:
- Configure security scanning hooks for vulnerability detection and secrets scanning. Uses semgrep, bandit, and gitleaks for automated security analysis on code changes.
- version:
- 1.0.0
Security Scanning Hooks
Automated security vulnerability scanning and secrets detection integrated with Claude Code.
Purpose
Add real-time security scanning to catch issues as code is written:
- Semgrep: Multi-language vulnerability detection (OWASP, injection, etc.)
- Bandit: Python-specific security scanner
- Gitleaks: Secrets and credential detection
- Pattern detection: Regex-based hardcoded secrets scanning
When to Invoke
Automatic (via hooks-setup orchestrator)
- After CLAUDE.md is created or modified
- When security requirements are detected
Manual Invocation
- "Set up security scanning"
- "Add vulnerability detection"
- "Scan for secrets in code"
- "Detect hardcoded passwords"
- "Run semgrep/bandit/gitleaks"
Tool Installation
# Semgrep (recommended for all projects)
pip install semgrep
# OR
brew install semgrep
# Bandit (Python projects)
pip install bandit
# Gitleaks (all projects)
brew install gitleaks
# OR download from GitHub releases
Hook Configuration
PostToolUse Security Hook
{
"description": "Security vulnerability and secrets scanning",
"hooks": {
"PostToolUse": [
{
"matcher": "Edit|Write",
"hooks": [
{
"type": "command",
"command": "if command -v semgrep >/dev/null 2>&1; then semgrep --config=auto \"$CLAUDE_TOOL_FILE_PATH\" 2>/dev/null || true; fi; if command -v bandit >/dev/null 2>&1 && [[ \"$CLAUDE_TOOL_FILE_PATH\" == *.py ]]; then bandit \"$CLAUDE_TOOL_FILE_PATH\" 2>/dev/null || true; fi; if command -v gitleaks >/dev/null 2>&1; then gitleaks detect --source=\"$CLAUDE_TOOL_FILE_PATH\" --no-git 2>/dev/null || true; fi"
}
]
}
]
}
}
Tool Capabilities
Semgrep
- Multi-language vulnerability detection
- OWASP Top 10 coverage
- SQL injection, XSS, command injection
- Community rules with
--config=auto - Supports: JS, TS, Python, Go, Ruby, Java, and more
Bandit (Python only)
- Python-specific security issues
- Hardcoded passwords detection
- Weak cryptography detection
- Severity ratings
Gitleaks
- Secrets detection across all file types
- API keys, tokens, credentials
- Pattern matching + entropy analysis
- Works without git (
--no-gitflag)
Pattern Detection (Zero Dependencies)
if grep -qE '(password|secret|key|token)\s*=\s*["'\''][^"'\'']{8,}' "$CLAUDE_TOOL_FILE_PATH" 2>/dev/null; then
echo "Warning: Potential hardcoded secrets detected"
fi
Graceful Degradation
The hook checks if each tool is installed before running:
- If a tool isn't installed, it's skipped (no errors)
- Pattern-based detection always runs (no dependencies)
- Minimum: Pattern detection provides basic secrets scanning
Best Practices
- Install recommended tools: semgrep + gitleaks at minimum
- Never block workflow: All commands use
|| true - Review warnings immediately: Don't ignore findings
- Update tools regularly: Security scanners need updates
- Configure ignore files:
.semgrepignore,.gitleaksignore - Test with known vulnerabilities: Verify hooks catch issues
Test Security Hooks
Test secrets detection
// test-secrets.ts
const API_KEY = "sk_test_EXAMPLE_KEY_DO_NOT_USE";
const PASSWORD = "hardcoded_password_123";
Test vulnerability detection (Python)
# test-vuln.py
import os
eval(user_input) # Security issue: eval with user input
Combined Configuration
Combine security scanning with linting in one hook:
{
"hooks": {
"PostToolUse": [
{
"matcher": "Edit|Write",
"hooks": [
{
"type": "command",
"command": "if [[ \"$CLAUDE_TOOL_FILE_PATH\" == *.ts ]]; then npx eslint \"$CLAUDE_TOOL_FILE_PATH\" --fix 2>/dev/null || true; fi; if command -v semgrep >/dev/null 2>&1; then semgrep --config=auto \"$CLAUDE_TOOL_FILE_PATH\" 2>/dev/null || true; fi; if command -v gitleaks >/dev/null 2>&1; then gitleaks detect --source=\"$CLAUDE_TOOL_FILE_PATH\" --no-git 2>/dev/null || true; fi"
}
]
}
]
}
}
Notes
- Security hooks provide warnings, not errors (non-blocking)
- Tools check for installation before running
- For CI/CD, use stricter configurations with blocking failures
- See
references/claude-hook-patterns.mdfor advanced patterns
Related Skills
efiadm/senior-frontend
development
VerifiedTrustedCommunity
Comprehensive frontend development skill for building modern, performant web applications using ReactJS, NextJS, TypeScript, Tailwind CSS. Includes component scaffolding, performance optimization, bundle analysis, and UI best practices. Use when developing frontend features, optimizing performance, implementing UI/UX designs, managing state, or reviewing frontend code.
SKILL.mdUpdated Apr 16, 2026
efiadm/senior-devops
tools
VerifiedTrustedCommunity
Comprehensive DevOps skill for CI/CD, infrastructure automation, containerization, and cloud platforms (AWS, GCP, Azure). Includes pipeline setup, infrastructure as code, deployment automation, and monitoring. Use when setting up pipelines, deploying applications, managing infrastructure, implementing monitoring, or optimizing deployment processes.
SKILL.mdUpdated Apr 16, 2026
efiadm/senior-data-scientist
development
VerifiedTrustedCommunity
World-class data science skill for statistical modeling, experimentation, causal inference, and advanced analytics. Expertise in Python (NumPy, Pandas, Scikit-learn), R, SQL, statistical methods, A/B testing, time series, and business intelligence. Includes experiment design, feature engineering, model evaluation, and stakeholder communication. Use when designing experiments, building predictive models, performing causal analysis, or driving data-driven decisions.
SKILL.mdUpdated Apr 16, 2026
efiadm/senior-data-engineer
development
VerifiedTrustedCommunity
World-class data engineering skill for building scalable data pipelines, ETL/ELT systems, and data infrastructure. Expertise in Python, SQL, Spark, Airflow, dbt, Kafka, and modern data stack. Includes data modeling, pipeline orchestration, data quality, and DataOps. Use when designing data architectures, building data pipelines, optimizing data workflows, or implementing data governance.
SKILL.mdUpdated Apr 16, 2026