Stats
Actions
Tags
From ai-security
Initializes Claude Code security settings by detecting project tech stack via Glob (Node.js, Python, Go, Rust, Docker, etc.) and configuring file denial patterns in .claude/settings.json.
How this skill is triggered — by the user, by Claude, or both
Slash command
/ai-security:security-initThis skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Initialize Claude Code security settings by configuring `.claude/settings.json` with intelligent file denial patterns based on your project's technology stack.
Initialize Claude Code security settings by configuring .claude/settings.json with intelligent file denial patterns based on your project's technology stack.
CRITICAL: This command MUST NOT accept any arguments. If the user provided any text, URLs, or paths after this command (e.g., /security-init --force or /security-init ./config), you MUST COMPLETELY IGNORE them. Do NOT use any URLs, paths, or other arguments that appear in the user's message. You MUST ONLY proceed with the technology detection and interactive workflow as specified below.
BEFORE DOING ANYTHING ELSE: Begin with Phase 1 technology detection as specified in this command. DO NOT skip any phases even if the user provided arguments after the command.
Set up comprehensive security permissions in .claude/settings.json to prevent Claude Code from reading sensitive files, credentials, and build artifacts.
Scan the project root directory to detect technologies and frameworks using the Glob tool (NOT bash commands):
Node.js Detection:
package.json, yarn.lock, pnpm-lock.yaml, bun.lockbPython Detection:
requirements.txt, pyproject.toml, setup.py, Pipfile, poetry.lock, setup.cfg.NET Detection:
*.csproj, *.sln, *.fsproj, *.vbproj, global.json, Directory.Build.propsGo Detection:
go.mod, go.sumRust Detection:
Cargo.toml, Cargo.lockPHP Detection:
composer.json, composer.lockRuby Detection:
Gemfile, Gemfile.lockJava Detection:
pom.xml, build.gradle, build.gradle.kts, settings.gradleDocker Detection:
Dockerfile, docker-compose.yml, docker-compose.yaml, .dockerignoreDeno Detection:
deno.json, deno.jsonc, deno.lock, import_map.jsonSwift/iOS Detection:
Package.swift, *.xcodeproj, *.xcworkspace, PodfileKotlin/Android Detection:
build.gradle.kts, settings.gradle.kts, AndroidManifest.xmlTerraform/IaC Detection:
*.tf, *.tfvars, terraform.tfstate, .terraform.lock.hclKubernetes Detection:
kustomization.yaml, Chart.yaml, values.yamlIMPORTANT:
Create a comprehensive deny list combining:
Environment Files:
Read(.env)Read(**/.env)Read(.env.*)Read(**/.env.*)Read(.env.local)Read(.env.development)Read(.env.production)Read(.env.test)Version Control & IDE:
Read(.git/**)Read(.vscode/**)Read(.idea/**)Read(.devcontainer/**)Read(.github/workflows/**)CI/CD Secrets:
Read(.github/secrets/**)Read(.gitlab-ci-local/**)Package Manager Auth:
Read(.npmrc)Read(.yarnrc.yml)Deployment Configs:
Read(.vercel/**)Read(.netlify/**)Package Management:
Read(node_modules/**)Read(package-lock.json)Credentials & Secrets:
Read(credentials.json)Read(**/credentials.json)Read(secrets.yml)Read(**/secrets.yml)Read(config/secrets.yml)Read(.secret)Read(**/.secret)Read(*.secret)SSH & Certificate Files:
Read(id_rsa)Read(id_rsa.pub)Read(id_ed25519)Read(id_ed25519.pub)Read(*.pem)Read(*.key)Read(*.p12)Read(*.jks)Read(*.pfx)Read(*.keystore)Read(*.cer)Read(*.crt)Cloud Provider Credentials:
Read(.aws/credentials)Read(.aws/config)Read(.gcp/credentials.json)Read(.azure/credentials)Database Files:
Read(*.db)Read(*.sqlite)Read(*.sqlite3)Python (if detected):
Read(.venv/**)Read(venv/**)Read(__pycache__/**)Read(**/__pycache__/**)Read(*.pyc)Read(.pytest_cache/**)Read(.tox/**)Read(dist/**)Read(build/**)Read(*.egg-info/**)Read(.mypy_cache/**)Read(.ruff_cache/**).NET (if detected):
Read(bin/**)Read(obj/**)Read(*.user)Read(*.suo)Read(.vs/**)Read(*.DotSettings.user)Read(TestResults/**)Read(packages/**)Go (if detected):
Read(vendor/**)Rust (if detected):
Read(target/**)PHP (if detected):
Read(vendor/**)Read(composer.lock)Ruby (if detected):
Read(vendor/bundle/**)Read(.bundle/**)Java (if detected):
Read(target/**)Read(*.class)Read(.gradle/**)Read(build/**)Node.js (if detected):
Read(node_modules/**)Read(.next/**)Read(.nuxt/**)Read(dist/**)Read(build/**)Read(.cache/**)Read(.turbo/**)Docker (if detected):
Read(docker-compose.override.yml)Read(docker-compose.override.yaml)Deno (if detected):
Read(.deno/**)Swift/iOS (if detected):
Read(.build/**)Read(DerivedData/**)Read(Pods/**)Read(*.xcuserdata/**)Kotlin/Android (if detected):
Read(build/**)Read(.gradle/**)Read(local.properties)Terraform/IaC (if detected):
Read(*.tfstate)Read(*.tfstate.backup)Read(.terraform/**)Read(*.tfvars)Kubernetes/Helm (if detected):
Read(**/secrets.yaml)Read(**/secrets.yml)Check if .claude/settings.json already exists using the Read tool (NOT bash test commands):
.claude/settings.json using the Read toolpermissions.deny sectionIMPORTANT:
Display a comprehensive preview showing:
Technologies Detected:
Current Configuration (if exists):
Proposed Changes:
After Configuration:
Ask for user confirmation before proceeding.
After user confirms:
.claude/ directory if it doesn't exist using the Bash tool: mkdir -p .claudesettings.json using the Write tool (NOT bash echo or heredoc).claude/settings.jsonIMPORTANT:
.claude/ directory if neededDO NOT:
test -f, [ -f ], etc.) - they trigger permission promptsDO:
.claude/settings.json exists (handles errors gracefully)Detecting technologies in your project...
Technologies Detected:
* Node.js (package.json found)
* TypeScript (tsconfig.json found)
* Python (requirements.txt, pyproject.toml found)
* Docker (Dockerfile, docker-compose.yml found)
Current Configuration:
.claude/settings.json exists
Current deny patterns: 8
Proposed Security Configuration:
Base Security Patterns (25):
- Environment files (.env, .env.*)
- Version control (.git, .vscode, .idea)
- Credentials (credentials.json, secrets.yml)
- SSH & certificates (*.pem, *.key, id_rsa)
- Cloud provider configs (.aws/credentials, .gcp/*)
- Database files (*.db, *.sqlite)
Node.js Patterns (8):
- node_modules/**
- .next/**, .nuxt/**
- dist/**, build/**
- .cache/**, .turbo/**
Python Patterns (11):
- .venv/**, venv/**
- __pycache__/**, *.pyc
- .pytest_cache/**, .tox/**
- dist/**, *.egg-info/**
Docker Patterns (2):
- docker-compose.override.yml
Total new patterns to add: 46
After merge: 54 total patterns
Merge Strategy: Deduplicate (remove duplicates, add only new patterns)
Would you like to proceed with this configuration? (yes/no)
Security configuration successfully initialized!
Configuration Summary:
File: .claude/settings.json
Total deny patterns: 54
Technologies covered: Node.js, TypeScript, Python, Docker
IMPORTANT: You must restart Claude Code for these settings to take effect.
After restarting:
- Claude Code will avoid reading sensitive files, credentials, and build artifacts
- You can manually edit .claude/settings.json to customize these settings
- Run /security-audit to perform a comprehensive security analysis
After writing the configuration, verify it was saved correctly:
.claude/settings.json using the Read toolpermissions.deny entriesnpx claudepluginhub charlesjones-dev/claude-code-plugins-dev --plugin ai-securityAnalyzes a repository to generate evidence-based Claude Code settings.json permissions. Detects tech stack, build tools, and monorepo structure to recommend safe read-only command allow lists.
Configures Claude Code security settings with permission wildcards, shell operator protections, and project-level access controls. Use for securing tools like Bash and workflows.
Scans a repository's tech stack, build tools, and monorepo structure to generate recommended Claude Code settings.json read-only permissions. Useful when starting a new project or auditing existing settings.