HOW TO SECURE CLAUDE CODE - SECURITY GUIDE | VIBEEVAL

Claude Code Security Context

Claude Code is Anthropic’s CLI agent — it runs in your terminal, reads files, edits files, runs commands. Two distinct risk surfaces: (1) what the agent does to your machine — file edits, shell commands, MCP tool calls — controlled by permission modes and settings.json; and (2) what code it produces — same default-insecure patterns we see across every AI code-gen tool. Lock down the first via permissions; review the second the same way you would any code review.

Security Checklist

1. Choose your permission mode deliberately

Claude Code has four modes: default (prompts before every edit and every shell command), acceptEdits (auto-approves file edits, still prompts for shell), plan (read-only analysis; no edits, no commands), and bypassPermissions (auto-approves everything). Use default or plan for new repos and unfamiliar code; use acceptEdits only when the working directory is committed and recoverable. Never use bypassPermissions outside a throwaway VM or container that holds no credentials worth stealing: the permission prompt is also your only control against prompt injection, since anything the agent reads (issue text, dependency READMEs, fetched web pages) can carry instructions it may follow. Set the mode with permissions.defaultMode in .claude/settings.json or the --permission-mode launch flag; --dangerously-skip-permissions is the flag that turns on bypassPermissions, and managed settings can lock it out with "disableBypassPermissionsMode": "disable".

2. Maintain an explicit allowlist

In .claude/settings.json, add permissions.allow rules for read-only commands you want to skip prompts for (ls, git status, npm test) and permissions.deny rules for anything destructive you never want auto-approved. Rules name the tool and an optional argument pattern, e.g. "Bash(git status:*)"; the ":*" suffix matches any command that starts with that prefix. With both lists empty, the default mode prompts for everything; the right shape is "common reads allowed, all writes prompted", and deny always wins over allow.

3. Use CLAUDE.md to encode security constraints

Put project-level guardrails in CLAUDE.md at the repo root: "always parameterize SQL queries," "never hardcode secrets, use .env," "always validate request bodies with Zod." These instructions are loaded into every conversation and meaningfully shift the default behaviour of generated code. They are guidance, not enforcement: the model can still ignore them under pressure from a long context, so back each rule with a lint rule or test that fails the build when it is broken. And because CLAUDE.md is read into every session, never put secrets or internal hostnames in it.

4. Audit secrets before the first session

Before starting Claude Code in a repo, run git secrets --scan (or trufflehog filesystem .) to catch any secrets already in the working tree, and trufflehog git file://. to cover history as well, since the agent runs git log and git show like any other command. The agent reads files; what it reads can be quoted back in its responses and sent to the model, which means anything in the repo is potentially in the model's context.

5. Configure file exclusions

Claude Code has no .claudeignore; the reliable control is a deny rule on the Read tool in settings.json, e.g. "Read(./.env)", "Read(./.env.*)", "Read(./secrets/**)". Treat .gitignore as a convenience that keeps ignored files out of searches, not as a hard block: a file the agent is pointed at by name, or one that a command prints to stdout (cat, env, docker inspect), still reaches the model. Confirm .env, *.pem, secrets/, and any cred files are covered by deny rules, and keep credentials out of the working tree in the first place.

6. Restrict shell access patterns

In settings.json use permissions.deny to block patterns like rm -rf, git push --force, chmod -R 777, curl ... | sh. A denied pattern is refused outright, not prompted, in default and acceptEdits mode alike. Two caveats: Bash rules match on the command prefix, so "Bash(rm -rf:*)" does not catch rm -fr, sudo rm -rf or a rm buried after && in a longer line; and a pipe like curl ... | sh cannot be expressed as a pattern, so the practical deny is on curl and wget entirely. The deny list is a tripwire for shapes you know you never want, not a sandbox; the sandbox is the VM or container you run in. Build the list reactively: when something prompts that you would never approve, add it.
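Items 1, 2 and 6 all edit the same file, so here is one complete .claude/settings.json that puts them together. This is an added example, not VibeEval's or Anthropic's published config; the rule syntax (permissions.defaultMode, "Bash(prefix:*)", "Read(path)") is as documented for Claude Code, while the specific command and path choices, and the assumption that Read patterns accept gitignore-style globs such as ./**/*.pem, are this example's own.

```json
{
  "permissions": {
    "defaultMode": "acceptEdits",
    "allow": [
      "Bash(ls:*)",
      "Bash(git status:*)",
      "Bash(git diff:*)",
      "Bash(git log:*)",
      "Bash(npm test:*)",
      "Bash(npm run lint:*)"
    ],
    "deny": [
      "Bash(rm -rf:*)",
      "Bash(rm -fr:*)",
      "Bash(sudo:*)",
      "Bash(git push --force:*)",
      "Bash(git push -f:*)",
      "Bash(git reset --hard:*)",
      "Bash(chmod -R 777:*)",
      "Bash(curl:*)",
      "Bash(wget:*)",
      "Read(./.env)",
      "Read(./.env.*)",
      "Read(./secrets/**)",
      "Read(./**/*.pem)"
    ]
  }
}
```

Deny is evaluated before allow, so "Bash(git push --force:*)" still blocks even though nothing else here allows git push; any push therefore prompts, and a forced push is refused. Commit this file to the repo so every contributor's session starts from the same floor, and keep personal overrides in .claude/settings.local.json.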

7. Audit MCP server connections

/mcp inside a session (or claude mcp list from the shell) lists connected MCP servers. Each server is a code-execution surface: review the source and docs of every server you connect, especially ones that touch the network or filesystem. Project-scope servers live in .mcp.json in the repo, so anyone with write access to the repo can add one; Claude Code asks before using a project-scope server for the first time, and that prompt deserves the same scrutiny as a new dependency. Treat MCP servers like browser extensions: minimum necessary, from authors you trust, pinned to a version you have read.

8. Review generated code with the same standards as human PRs

The agent produces code; a code review is still required. Specific things to look for in Claude Code-generated code: SQL queries built with template literals (use parameterized queries), child_process.exec with user input (use execFile with array args), fs.readFile paths derived from user input (sanitize / restrict to a base dir), missing auth gates on new API routes.

9. Validate dependency suggestions

When Claude Code suggests npm install <package>, confirm the package exists under exactly that name (hallucinated and typosquatted names differ from the real one by a character or a hyphen), that it is actively maintained, and that the suggested version isn't ancient: npm view <package> shows the publish history and maintainers. The Package Hallucination Scanner covers the AI-specific subset; npm audit covers known CVEs in what you actually installed.

10. Review session transcripts before sharing

Before sharing a transcript or screenshot of a session, search it for: paths that reveal internal structure, environment variable values printed to stdout, commit messages with private repo names, error messages with stack traces. Transcripts are debug-quality output — sanitize before posting.

11. Test generated authentication

When Claude Code wires in auth, test the flow end-to-end: sign up → verify → log in → log out → reset → log in. Look for tokens in localStorage, missing email verification, unbounded session lifetimes. See auth flows for recurring shapes.

12. Audit generated database queries

Over any session's diff, run grep -nE '\b(SELECT|INSERT|UPDATE|DELETE)\b' --include='*.ts' --include='*.js' --include='*.py' -r . (grep takes one --include glob per flag; a brace list like '*.{ts,js,py}' is not expanded inside --include), or, to see only what the session added, git diff <base> -U0 | grep -E '^\+.*\b(SELECT|INSERT|UPDATE|DELETE)\b'. Every match should use parameterized queries or an ORM with prepared statements. A SQL string built by concatenation or template-literal interpolation is injection, whatever escaping sits in front of it.

13. Review file operation paths

Every fs.readFile, fs.writeFile, os.path.join call where part of the path comes from user input is a potential path traversal. Constrain to a base directory and resolve before access: path.resolve(BASE, userInput), then verify the result equals BASE or starts with BASE plus a path separator. The separator matters; a bare startsWith(BASE) check accepts /srv/app/uploads-old/x when BASE is /srv/app/uploads. Note also that resolve does not follow symlinks, so a symlink inside BASE pointing outside it still needs fs.realpath before the check.

14. Test authorization on generated routes

For every new API route, test with an unauthenticated request, a wrong-user authenticated request, and a correct-user request. Claude Code-generated routes sometimes ship with auth in a comment but not in code; the test catches it.

15. Check generated logging

After any session that touched auth or payments, search for console.log, logger.info, etc. on lines near password / token / secret fields. The pattern is “log the request body for debugging” — which logs the credentials.

16. Run an automated security scan

After Claude Code ships changes to production, the Vibe Code Scanner covers the AI-specific deploy patterns; the full VibeEval scan adds BOLA, role escalation, and webhook trust.


Automate Your Security Checks

VibeEval scans applications shipped via Claude Code. Findings ship as paste-ready prompts — pipe them straight back into the next session for one-shot remediation.
