Hook

Block edits to secret files

A PreToolUse hook that denies the Read, Edit and Write tools on .env, credentials, and key files: a guardrail against leaking secrets into the model's context or into commits. Note what it does not cover: the matcher only fires for those three tools, so a shell command such as `cat .env` goes through the Bash tool and never reaches this hook, and the glob list also catches harmless lookalikes such as `.env.example`.

Tags: security, secrets, guardrail, pretooluse
Install to
settings.json → hooks.PreToolUse
{
  "hooks": {
    "PreToolUse": [
      {
        "matcher": "Read|Edit|Write",
        "hooks": [
          {
            "type": "command",
            "command": "f=$(jq -r '.tool_input.file_path // empty'); case \"$f\" in *.env|*.env.*|*credentials*|*.pem|*.key|*id_rsa*|*.p12) printf '{\"hookSpecificOutput\":{\"hookEventName\":\"PreToolUse\",\"permissionDecision\":\"deny\",\"permissionDecisionReason\":\"Blocked: secret/credential file. Edit it yourself outside the session.\"}}' ;; esac"
          }
        ]
      }
    ]
  }
}

How to install

  1. Open your settings file: ~/.claude/settings.json (user), .claude/settings.json (project, shared), or .claude/settings.local.json (project, private).
  2. Merge the hooks block into it. If a hooks key already exists, add this event to it rather than replacing the whole object.
  3. Claude Code captures a snapshot of hook configuration when a session starts; after editing the file, open /hooks to review and apply the change, or start a new session.
  4. Verify: run /debug to confirm the hook is registered, then trigger the event (e.g. edit a file) and watch it fire.
  5. This hook relies on jq reading the event JSON from stdin — make sure jq is installed.
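You can check the deny list before wiring it into Claude Code. The script below is an added example, not part of the hook listing or of Claude Code: it reproduces the hook's matcher and case patterns as shell functions, constructs a minimal PreToolUse event (only `tool_name` and `tool_input.file_path`, the fields this hook reads; the field names are assumed from the hook's own jq path), and reports the decision for a set of sample paths, including a false positive (`.env.example`) and a gap (the Bash tool, which the matcher never sees). The `hook_body` function runs the hook's real command line against a constructed event when jq is installed.

```shell
#!/usr/bin/env sh
# Offline harness for the secret-file PreToolUse hook (added example, not
# project code). Mirrors the hook's matcher and glob list so the deny
# decision can be checked without a Claude Code session.

# Same glob list as the hook's case statement. Returns 0 for deny, 1 for allow.
is_secret_path() {
  case "$1" in
    *.env|*.env.*|*credentials*|*.pem|*.key|*id_rsa*|*.p12) return 0 ;;
    *) return 1 ;;
  esac
}

# Mirrors the matcher "Read|Edit|Write": only these tools invoke the hook.
is_matched_tool() {
  case "$1" in
    Read|Edit|Write) return 0 ;;
    *) return 1 ;;
  esac
}

# decide TOOL PATH -> prints deny, allow, or unmatched.
# "unmatched" means the hook never runs for that tool at all (e.g. Bash `cat .env`).
decide() {
  if ! is_matched_tool "$1"; then
    echo unmatched
    return 0
  fi
  if is_secret_path "$2"; then
    echo deny
  else
    echo allow
  fi
}

# Constructed PreToolUse event with only the fields this hook consults.
# The real event carries more (session_id, cwd, ...); those are irrelevant here.
make_event() {
  printf '{"hook_event_name":"PreToolUse","tool_name":"%s","tool_input":{"file_path":"%s"}}' "$1" "$2"
}

# The hook's command as it appears in settings.json: reads the event on stdin via jq
# and prints the deny JSON only when the path matches.
hook_body() {
  f=$(jq -r '.tool_input.file_path // empty')
  case "$f" in
    *.env|*.env.*|*credentials*|*.pem|*.key|*id_rsa*|*.p12)
      printf '{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"deny","permissionDecisionReason":"Blocked: secret/credential file. Edit it yourself outside the session."}}' ;;
  esac
}

# Sample tool/path pairs (constructed). Each line: TOOL PATH.
for pair in \
  "Read .env" \
  "Edit config/.env.production" \
  "Write deploy/credentials.json" \
  "Read certs/server.pem" \
  "Read .ssh/id_rsa.pub" \
  "Read .env.example" \
  "Read src/main.go" \
  "Bash .env"
do
  set -- $pair
  printf '%-5s %-28s -> %s\n' "$1" "$2" "$(decide "$1" "$2")"
done

# End-to-end check of the real command line, only when jq is available.
if command -v jq >/dev/null 2>&1; then
  echo "hook output for Read .env:"
  make_event Read .env | hook_body
  echo
  echo "hook output for Read src/main.go: [$(make_event Read src/main.go | hook_body)]"
fi
```

The `unmatched` row is the one to keep in mind: a deny decision from this hook only ever applies to Read, Edit and Write, so a separate matcher for Bash (or a permission rule) is needed if shell access to the same files must be blocked as well. The `.env.example` row shows the cost of the `*.env.*` glob; narrow it if that file is something the session legitimately needs to edit.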
