5 automatic guardrails · Zero manual commands · Open source · $0/month

Quick Start · How It Works · Comparison · FAQ · Contributing
You're using Claude Code (or Cursor, Copilot, any AI coding agent) and:

- You once pushed a `.env` to GitHub and panicked
- You worry about leaking client emails, CPF, credit cards
- Your AI agent might commit secrets without you noticing
- You copy-paste the same `.gitignore` from project to project, missing things
- You build LPs/apps and want to prove authorship if someone copies them
- You don't want to think about security every commit, but you want it always on
This kit gives you 5 automatic guardrails + IP protection that runs silently in the background. You write code, it watches your back.
Built initially for Claude Code but works with any AI coding workflow that uses Bash, Git, and the standard developer toolchain.
Prerequisites: git, node 18+, python3, gitleaks (optional but recommended), gh CLI authenticated.

```bash
# 1. Clone
git clone https://github.com/thidebrito/claude-code-security-kit.git ~/PROJETOS/claude-code-security-kit

# 2. Install (idempotent, safe to re-run)
cd ~/PROJETOS/claude-code-security-kit && bash install.sh

# 3. Restart Claude Code (or your AI agent) and you're protected
```

That's it. You never need to run another command. The kit takes over.
```mermaid
graph TB
    subgraph "Your Workflow"
        A[You write code] --> B[git commit]
        B --> C[git push]
        C --> D[vercel deploy]
    end
    subgraph "Layer A - Workflow Guardrails (5 hooks)"
        H1[block-secrets-commit<br/>blocks .env in commits]
        H2[pii-scan<br/>blocks email/CPF/card]
        H3[security-marker-check<br/>auto-applies template to new projects]
        H4[pre-deploy-guard<br/>blocks push without Pixel/with secret]
        H5[security-session-start<br/>health check at session start]
    end
    subgraph "Layer B - Project Templates"
        T1[Robust .gitignore]
        T2[.env.example template]
        T3[Pre-commit hook]
        T4[.gitleaksignore]
    end
    subgraph "Layer C - Authorship Proof"
        C1[UUID v4 per build]
        C2[Invisible watermarks]
        C3[SHA-256 manifest]
        C4[OpenTimestamps<br/>Bitcoin blockchain]
    end
    B --> H1
    B --> H2
    A --> H3
    C --> H4
    D --> H4
    style H1 fill:#ff6b6b,color:#fff
    style H2 fill:#ff6b6b,color:#fff
    style H3 fill:#4ecdc4,color:#fff
    style H4 fill:#ff6b6b,color:#fff
    style H5 fill:#95e1d3
```
| Hook | When | Action |
|---|---|---|
| block-secrets-commit | `git commit`/`add`/`push` | Blocks commit of `.env*` |
| pii-scan-hook | `git commit` | Blocks commit with email/CPF/credit card |
| security-marker-check | Editing files in your project folder | Auto-applies template if project is new (≤5 files, <60min old); else just warns |
| pre-deploy-guard | `git push origin main` or `vercel deploy --prod` | Blocks push if Pixel ID missing or secret detected; warns if protection-manifest is stale |
| security-session-start | Session start | Silent health check; flags unprotected projects |
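To make the pii-scan-hook row concrete, here is an added example of the same idea in Node (written for this README, not the kit's own `pii-scan-hook.sh`): scan only the added lines of a staged diff for emails, CPFs and card numbers, and report CPF and card candidates only when their check digits validate, so timestamps, IDs and dummy numbers do not trip the hook. The diff, every value in it, and the function and regex names are constructed for the example.

```javascript
// Added example, not the kit's pii-scan-hook.sh: scan only the ADDED lines of a
// staged diff for emails, Brazilian CPFs and payment-card numbers, and report
// CPF/card candidates only when their check digits validate.

const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
const CPF_RE = /\b\d{3}\.?\d{3}\.?\d{3}-?\d{2}\b/g;
const CARD_RE = /\b(?:\d[ -]?){12,18}\d\b/g; // 13-19 digits, optional space/dash separators

// CPF check digits: weights 10..2 over the first 9 digits, then 11..2 over the first 10.
function isValidCpf(raw) {
  const d = raw.replace(/\D/g, '');
  if (d.length !== 11 || /^(\d)\1{10}$/.test(d)) return false; // 000.000.000-00 etc. are never valid
  const checkDigit = (len) => {
    let sum = 0;
    for (let i = 0; i < len; i++) sum += Number(d[i]) * (len + 1 - i);
    const r = (sum * 10) % 11;
    return r === 10 ? 0 : r;
  };
  return checkDigit(9) === Number(d[9]) && checkDigit(10) === Number(d[10]);
}

// Luhn checksum used by every major card brand. About 1 in 10 random digit
// strings passes, so it is a false-positive filter, not proof of a real card.
function luhnOk(raw) {
  const d = raw.replace(/\D/g, '');
  if (d.length < 13 || d.length > 19) return false;
  let sum = 0;
  let double = false;
  for (let i = d.length - 1; i >= 0; i--) {
    let n = Number(d[i]);
    if (double) { n *= 2; if (n > 9) n -= 9; }
    sum += n;
    double = !double;
  }
  return sum % 10 === 0;
}

// Walk the unified diff; only '+' lines (not the '+++ b/...' header) are inspected,
// because removed and context lines are already in history.
function scanStagedDiff(diff) {
  const findings = [];
  let file = '?';
  for (const line of diff.split('\n')) {
    if (line.startsWith('+++ ')) { file = line.slice(4).replace(/^b\//, ''); continue; }
    if (!line.startsWith('+')) continue;
    const text = line.slice(1);
    for (const m of text.match(EMAIL_RE) || []) findings.push({ file, kind: 'email', value: m });
    for (const m of text.match(CPF_RE) || []) if (isValidCpf(m)) findings.push({ file, kind: 'cpf', value: m });
    for (const m of text.match(CARD_RE) || []) if (luhnOk(m)) findings.push({ file, kind: 'card', value: m });
  }
  return findings;
}

// Constructed sample of `git diff --cached` output; every value is a made-up test value.
const SAMPLE_DIFF = [
  'diff --git a/src/config.js b/src/config.js',
  '--- a/src/config.js',
  '+++ b/src/config.js',
  '@@ -1,2 +1,7 @@',
  ' export const APP = "demo";',
  '+export const BUILD = 1700000000000;          // 13 digits: card regex matches, Luhn rejects',
  '+export const SUPPORT = "ana@example.com";    // email: reported',
  '+export const CPF_OK = "111.444.777-35";      // valid check digits: reported',
  '+export const CPF_BAD = "123.456.789-00";     // wrong check digits: ignored',
  '+export const CARD = "4111 1111 1111 1111";   // Luhn-valid test number: reported',
  '+export const ORDER = "4111 1111 1111 1112";  // fails Luhn: ignored',
  '-export const OLD = "bob@example.com";        // removed line: not scanned',
].join('\n');

// Exit-code contract a pre-commit hook would use: non-zero blocks the commit.
function hookExitCode(diff) {
  const findings = scanStagedDiff(diff);
  for (const f of findings) console.error(`BLOCKED ${f.kind} in ${f.file}: ${f.value}`);
  return findings.length === 0 ? 0 : 1;
}

hookExitCode(SAMPLE_DIFF);
```

Wired as a pre-commit hook this would read `git diff --cached` from stdin and `process.exit` with the returned code. The checksum filters are the cheap part; the remaining false positives come from test fixtures, which is what a `.gitleaksignore`-style allow-list is for.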
- 4 `.gitignore` flavors (universal, web, react, node), 120-160 lines each
- `.env.example` template with common services documented (no values)
- Pre-commit hook (gitleaks + PII scan)
- `.gitleaksignore` template (suppress known false positives)
Before deploying public landing pages or apps:

```bash
node scripts/protect-build.mjs ~/PROJETOS/your-project
# → Generates UUID, watermarks (HTML meta + JS + CSS), SHA-256 manifest
# → Stamps hash on Bitcoin blockchain via OpenTimestamps (free)
# → Saves .ots proof, legally admissible "this existed at this date"
```

If someone clones your LP later, you have cryptographic + blockchain proof of original authorship.
```mermaid
flowchart LR
    A[install.sh] --> B[~/.claude/skills/]
    A --> C[~/.claude/commands/]
    A --> D[~/.claude/scripts/]
    A --> E[~/.claude/settings.json<br/>backed up + hooks added]
    A --> F[~/.claude/CLAUDE.md<br/>section appended]
    G[Project lifecycle] --> H{Action}
    H -->|Edit/Write| I[security-marker-check<br/>auto-template if new]
    H -->|git commit| J[block-secrets + pii-scan<br/>blocks if risky]
    H -->|git push / vercel| K[pre-deploy-guard<br/>blocks if missing checks]
    H -->|Session start| L[security-session-start<br/>health check]
    style A fill:#4ecdc4,color:#fff
    style I fill:#95e1d3
    style J fill:#ff6b6b,color:#fff
    style K fill:#ff6b6b,color:#fff
    style L fill:#95e1d3
```
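As an added illustration of how a Layer A guardrail plugs into the hook system the diagram shows (example code, not the kit's `block-secrets-commit.sh`), here is a Node script usable as a Claude Code PreToolUse hook that refuses `git add`/`git commit` commands naming a `.env*` file. It assumes the Claude Code hook protocol as documented at the time of writing (the tool call arrives as JSON on stdin with `tool_name` and `tool_input.command`; exit code 2 blocks the call and stderr is relayed to the agent); verify against the hooks docs for your version. The allow-list of `.env.example`-style files, the `--hook` flag, the script path and the `settings.json` snippet in the comments are this example's own choices.

```javascript
// Added example, not the kit's block-secrets-commit.sh. Claude Code PreToolUse
// gate for Bash tool calls that would stage or commit a .env* file.
// Protocol assumptions (check the Claude Code hooks docs for your version):
//   - stdin carries JSON like {"tool_name":"Bash","tool_input":{"command":"git add .env"}}
//   - exit 2 blocks the tool call and stderr is relayed to the agent; exit 0 allows it.
// Assumed settings.json wiring (script path is a placeholder):
//   {"hooks":{"PreToolUse":[{"matcher":"Bash","hooks":[
//      {"type":"command","command":"node ~/.claude/scripts/env-guard.js --hook"}]}]}}

// Files that exist precisely to be committed (they carry no values) are allowed.
const ALLOWED_ENV_FILES = new Set(['.env.example', '.env.sample', '.env.template']);
const GIT_WRITE_RE = /\bgit\s+(?:add|commit)\b/;

// A token names a secret file if its basename starts with ".env" and is not allow-listed.
// A shell glob like ".env*" is caught too, since it expands to the real files.
function isSecretEnvFile(token) {
  const base = token.replace(/^["']+|["']+$/g, '').split('/').pop();
  return base.startsWith('.env') && !ALLOWED_ENV_FILES.has(base);
}

// Pure decision function so the policy can be tested without stdin or exit codes.
function decide(hookInput) {
  if (hookInput.tool_name !== 'Bash') return { block: false };
  const cmd = String(hookInput.tool_input?.command ?? '');
  if (!GIT_WRITE_RE.test(cmd)) return { block: false };
  const hits = cmd.split(/\s+/).filter(isSecretEnvFile);
  if (hits.length === 0) return { block: false };
  return { block: true, reason: `BLOCKED: git add/commit touches secret file(s): ${hits.join(', ')}` };
}

// Hook entry point. Fails closed: if the input cannot be parsed we cannot see the
// command, so the call is refused and the reason is surfaced to the agent.
function runAsHook() {
  let input;
  try {
    input = JSON.parse(require('node:fs').readFileSync(0, 'utf8'));
  } catch (err) {
    process.stderr.write(`BLOCKED: env-guard could not parse hook input (${err.message})\n`);
    process.exit(2);
  }
  const verdict = decide(input);
  if (verdict.block) {
    process.stderr.write(verdict.reason + '\n');
    process.exit(2);
  }
  process.exit(0);
}

// Constructed demo commands; only run when the file is executed without --hook.
const DEMO_COMMANDS = [
  'git add .env',
  'git add ./config/.env.production',
  'git add .env.example',
  'git add -A && git commit -m "wip"',
  'cat .env',
];
if (process.argv.includes('--hook')) {
  runAsHook();
} else {
  for (const command of DEMO_COMMANDS) {
    const v = decide({ tool_name: 'Bash', tool_input: { command } });
    console.log(`${v.block ? 'BLOCK' : 'allow'}  ${command}`);
  }
}
```

Note what this gate does not cover: `git add -A` with an unignored `.env` stages it without naming it, which is why Layer B's `.gitignore` template and the pre-commit scan exist alongside the hook. A commit message that merely mentions `.env` will also be refused; that is the conservative side to err on.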
```text
~/PROJETOS/claude-code-security-kit/        # cloned repo
├── install.sh, update.sh                   # lifecycle
├── scripts/
│   ├── apply-template.sh                   # apply protection to project
│   ├── audit-projects.sh                   # audit all projects in ecosystem
│   ├── secret-scan.sh, pii-scan.sh         # scanners
│   ├── health-check.sh                     # 24-check validation
│   ├── protect-build.mjs                   # Layer C pipeline
│   └── vite-plugin-tdb-protect.mjs         # Vite integration
├── templates/                              # 7 reusable templates
└── claude-code-bundle/                     # Claude Code files (skill, commands, hooks)

~/.claude/                                  # installed by install.sh
├── skills/seguranca-projeto/SKILL.md
├── commands/secure-{init,audit,protect}.md
├── scripts/{block-secrets-commit,pii-scan-hook,security-marker-check,pre-deploy-guard,security-session-start}.sh
├── settings.json                           # hooks added (backup created)
└── CLAUDE.md                               # section appended
```
| Feature | This kit | Husky | Lefthook | Trufflehog | GitGuardian |
|---|---|---|---|---|---|
| Open source | ✅ MIT | ✅ MIT | ✅ MIT | ✅ AGPL | ❌ Commercial |
| Cost | $0 | $0 | $0 | $0 | $$$ |
| Pre-commit hooks | ✅ | ✅ | ✅ | ✅ | ✅ |
| Secret scanning | ✅ (gitleaks) | ⚠️ (config yourself) | ⚠️ (config yourself) | ✅ | ✅ |
| PII scanning (email/CPF/card) | ✅ | ❌ | ❌ | ❌ | ❌ |
| Auto-applies to new projects | ✅ Unique | ❌ | ❌ | ❌ | ❌ |
| Pre-deploy guard | ✅ | ❌ | ❌ | ❌ | ❌ |
| IP authorship proof (blockchain) | ✅ Unique | ❌ | ❌ | ❌ | ❌ |
| Watermarking | ✅ | ❌ | ❌ | ❌ | ❌ |
| Built for AI coding workflows | ✅ Unique | ❌ | ❌ | ❌ | ❌ |
| Templates included | ✅ | ❌ | ❌ | ❌ | ❌ |
| Idempotent install | ✅ | Partial | Partial | N/A | N/A |
TL;DR: Husky/Lefthook are git hook frameworks (you write rules). Trufflehog/GitGuardian are scanners. This kit is a complete out-of-the-box system with hooks + scanners + templates + IP proof, designed specifically for AI-assisted development.
- → Hook `block-secrets-commit` stops it. You see: `BLOCKED: tentativa de git add em arquivo .env`
- → Hook `pii-scan-hook` blocks commits containing email/CPF/card patterns.
- → When you (or Claude Code) edit a file in a brand new project (≤5 files, <60min old), the kit auto-applies the template. The project is born protected.
- → `node scripts/protect-build.mjs ./your-project` adds invisible watermarks + a Bitcoin blockchain timestamp: cryptographic proof of authorship.
- → `bash scripts/audit-projects.sh` produces a JSON report with secrets in the last 50 commits, missing `.gitignore`, etc.
Does this work without Claude Code?
The Layer A hooks are designed for Claude Code's ~/.claude/settings.json hook system. But:
- Layer B (templates, scripts): work standalone in any environment
- Layer C (protect-build): plain Node.js, no Claude dependency
- Layer A: specific to Claude Code or compatible AI agents
PRs welcome to add adapters for Cursor, Copilot Workspace, etc.
Why blockchain timestamping? Sounds overkill.
OpenTimestamps is free, decentralized, and creates a permanent, tamper-proof record on Bitcoin. The hash of your build is anchored there; even years later, you can prove it existed at a specific date.
Combined with watermarks (UUIDs, meta tags), this gives you legally admissible authorship evidence at zero cost.
Will hooks slow down my workflow?
- block-secrets-commit: <50ms
- pii-scan-hook: <100ms (regex on staged diff)
- security-marker-check: <20ms
- pre-deploy-guard: 50ms-2s (depends on whether gitleaks runs)
- security-session-start: <2s (one-time per session)
You won't notice them. They run in the background.
What if a hook blocks something I legitimately need to commit?
Bypass keys (use sparingly):

```bash
SKIP_HOOKS=1 git commit -m "..."        # bypass pre-commit
SKIP_PREDEPLOY=1 git push origin main   # bypass pre-deploy
export SECURITY_MARKER_SKIP=1           # silence warnings for session
export SECURITY_NO_AUTOAPPLY=1          # disable auto-template
```

If you bypass often, the hook needs improvement; open an issue.
Do I need to install anything besides this kit?
Required: git, node 18+, python3 (usually already present on macOS/Linux)
Recommended: gitleaks (`brew install gitleaks` on macOS), gh CLI
install.sh checks all of this and tells you what's missing.
Why doesn't it include JavaScript obfuscation?
Conscious decision. Obfuscation:
- Risks breaking real-world integrations (Pixel Meta, payment SDKs, Supabase clients)
- Provides marginal protection (any motivated dev can de-obfuscate)
- Costs you debuggability in production
Watermarks + UUID + blockchain hash give 90% of the IP protection at 0% of the breakage risk. Obfuscation may come as an opt-in plugin in v2.
Can I use this on Linux / Windows (WSL)?
- macOS: ✅ fully tested
- Linux: ✅ should work (uses Bash, standard Unix tools)
- Windows: ⚠️ via WSL only (native Windows shell not supported)

Report issues with platform tags so we can fix them.
How do I update?
```bash
cd ~/PROJETOS/claude-code-security-kit
bash update.sh
```

Pulls the latest from GitHub and re-runs install.sh (idempotent).
Is this maintained?
Yes; the initial author actively uses it daily across 25+ projects. PRs and issues are reviewed.
If you find this useful, star the repo so others discover it. ⭐
| Doc | Topic |
|---|---|
| docs/ARCHITECTURE.md | The 4-layer architecture in depth |
| docs/INSTALLATION.md | Detailed install + manual fallback |
| docs/HOOKS.md | Each hook explained |
| docs/COMMANDS.md | /secure-* commands reference |
| docs/TEMPLATES.md | Templates included |
| docs/PROTECT-BUILD.md | Layer C: IP protection deep dive |
| docs/COMPARISON.md | vs alternatives (extended) |
| docs/FAQ.md | Extended FAQ |
| docs/playbooks/rotate-credentials.md | Incident response: rotating leaked credentials |
PRs welcome! See CONTRIBUTING.md.
Quick wins for first-time contributors:
- Add Linux-specific install instructions
- Add adapter for Cursor / Copilot Workspace
- Translate docs (currently English + Portuguese)
- Improve hooks (lower false positive rate in `pii-scan`)
- Build dashboard (HTML static page showing security status)
If you find a security vulnerability, please don't open a public issue. See SECURITY.md for responsible disclosure.
MIT © Contributors. See LICENSE.

- Claude Code by Anthropic: the AI coding agent this kit was built for
- gitleaks: secret scanning engine
- OpenTimestamps: free Bitcoin blockchain timestamping
- The "vibe coding" community pushing AI-assisted development forward
Report an issue · Request a feature · Discussions
Made with care for developers who care about security.