Performs a comprehensive security audit of all dependencies when the session ends
{
"hookConfig": {
"hooks": {
"stop": {
"script": "./.claude/hooks/dependency-security-audit-on-stop.sh"
}
}
},
"scriptContent": "#!/usr/bin/env bash\n\necho \"🔒 DEPENDENCY SECURITY AUDIT\" >&2\necho \"===========================\" >&2\n\n# Generate timestamp for report\nTIMESTAMP=$(date +%Y%m%d_%H%M%S)\nREPORT_FILE=\"security-audit-$TIMESTAMP.log\"\n\n# Initialize report\necho \"Dependency Security Audit Report - $TIMESTAMP\" > \"$REPORT_FILE\"\necho \"=============================================\" >> \"$REPORT_FILE\"\necho \"\" >> \"$REPORT_FILE\"\n\n# Node.js projects (NPM)\nif [ -f \"package-lock.json\" ]; then\n echo \"📦 NPM Project Detected - Running audit...\" >&2\n echo \"NPM AUDIT RESULTS\" >> \"$REPORT_FILE\"\n echo \"-----------------\" >> \"$REPORT_FILE\"\n \n if command -v npm &> /dev/null; then\n # Run npm audit with detailed output\n NPM_AUDIT_OUTPUT=$(npm audit --audit-level=moderate 2>&1)\n \n if echo \"$NPM_AUDIT_OUTPUT\" | grep -q \"found 0 vulnerabilities\"; then\n echo \"✅ No vulnerabilities found in NPM dependencies\" >&2\n echo \"✅ No vulnerabilities found\" >> \"$REPORT_FILE\"\n else\n VULN_COUNT=$(echo \"$NPM_AUDIT_OUTPUT\" | grep -o '[0-9]\\+ vulnerabilities' | head -1 || echo \"unknown vulnerabilities\")\n echo \"⚠️ NPM audit found: $VULN_COUNT\" >&2\n echo \"$NPM_AUDIT_OUTPUT\" >> \"$REPORT_FILE\"\n fi\n \n echo \"\" >> \"$REPORT_FILE\"\n echo \"OUTDATED PACKAGES\" >> \"$REPORT_FILE\"\n echo \"-----------------\" >> \"$REPORT_FILE\"\n \n # Check for outdated packages\n OUTDATED_OUTPUT=$(npm outdated 2>/dev/null || echo \"All packages up to date\")\n echo \"$OUTDATED_OUTPUT\" >> \"$REPORT_FILE\"\n \n if [ \"$OUTDATED_OUTPUT\" = \"All packages up to date\" ]; then\n echo \"✅ All NPM packages are up to date\" >&2\n else\n OUTDATED_COUNT=$(echo \"$OUTDATED_OUTPUT\" | wc -l)\n echo \"📊 Found $OUTDATED_COUNT outdated NPM packages\" >&2\n fi\n else\n echo \"⚠️ npm command not available\" >&2\n fi\n \n# Yarn projects\nelif [ -f \"yarn.lock\" ]; then\n echo \"🧶 Yarn Project Detected - Running audit...\" >&2\n echo \"YARN AUDIT RESULTS\" >> 
\"$REPORT_FILE\"\n echo \"------------------\" >> \"$REPORT_FILE\"\n \n if command -v yarn &> /dev/null; then\n YARN_AUDIT_OUTPUT=$(yarn audit --level moderate 2>&1 || echo \"Yarn audit completed\")\n echo \"$YARN_AUDIT_OUTPUT\" >> \"$REPORT_FILE\"\n \n if echo \"$YARN_AUDIT_OUTPUT\" | grep -q \"0 vulnerabilities\"; then\n echo \"✅ No vulnerabilities found in Yarn dependencies\" >&2\n else\n echo \"⚠️ Yarn audit found potential issues\" >&2\n fi\n else\n echo \"⚠️ yarn command not available\" >&2\n fi\n \n# Python projects\nelif [ -f \"requirements.txt\" ] || [ -f \"Pipfile\" ] || [ -f \"pyproject.toml\" ]; then\n echo \"🐍 Python Project Detected - Running security check...\" >&2\n echo \"PYTHON SECURITY CHECK\" >> \"$REPORT_FILE\"\n echo \"--------------------\" >> \"$REPORT_FILE\"\n \n # Try safety first (recommended for Python security scanning)\n if command -v safety &> /dev/null; then\n echo \"🔍 Running Safety security scanner...\" >&2\n SAFETY_OUTPUT=$(safety check --json 2>/dev/null || safety check 2>/dev/null || echo \"Safety check completed\")\n echo \"$SAFETY_OUTPUT\" >> \"$REPORT_FILE\"\n \n if echo \"$SAFETY_OUTPUT\" | grep -q \"No known security vulnerabilities\"; then\n echo \"✅ No known security vulnerabilities in Python dependencies\" >&2\n else\n echo \"⚠️ Safety scan found potential security issues\" >&2\n fi\n else\n echo \"💡 Install 'safety' for Python security scanning: pip install safety\" >&2\n echo \"safety not installed - using pip list --outdated\" >> \"$REPORT_FILE\"\n fi\n \n echo \"\" >> \"$REPORT_FILE\"\n echo \"OUTDATED PYTHON PACKAGES\" >> \"$REPORT_FILE\"\n echo \"------------------------\" >> \"$REPORT_FILE\"\n \n if command -v pip &> /dev/null; then\n PIP_OUTDATED=$(pip list --outdated 2>/dev/null || echo \"Unable to check outdated packages\")\n echo \"$PIP_OUTDATED\" >> \"$REPORT_FILE\"\n \n OUTDATED_COUNT=$(echo \"$PIP_OUTDATED\" | wc -l)\n echo \"📊 Found $OUTDATED_COUNT potentially outdated Python packages\" >&2\n fi\n \n# Ruby 
projects\nelif [ -f \"Gemfile.lock\" ]; then\n echo \"💎 Ruby Project Detected - Running bundle audit...\" >&2\n echo \"RUBY BUNDLE AUDIT\" >> \"$REPORT_FILE\"\n echo \"-----------------\" >> \"$REPORT_FILE\"\n \n if command -v bundle &> /dev/null; then\n # Check if bundler-audit is available\n if bundle exec bundler-audit --version &> /dev/null; then\n BUNDLE_AUDIT_OUTPUT=$(bundle exec bundler-audit check 2>&1 || echo \"Bundle audit completed\")\n echo \"$BUNDLE_AUDIT_OUTPUT\" >> \"$REPORT_FILE\"\n \n if echo \"$BUNDLE_AUDIT_OUTPUT\" | grep -q \"No vulnerabilities found\"; then\n echo \"✅ No vulnerabilities found in Ruby gems\" >&2\n else\n echo \"⚠️ Bundle audit found potential issues\" >&2\n fi\n else\n echo \"💡 Install bundler-audit: gem install bundler-audit\" >&2\n echo \"bundler-audit not installed\" >> \"$REPORT_FILE\"\n fi\n else\n echo \"⚠️ bundle command not available\" >&2\n fi\n \nelse\n echo \"📁 No recognized dependency files found\" >&2\n echo \"No package manager files detected (package.json, requirements.txt, Gemfile, etc.)\" >> \"$REPORT_FILE\"\nfi\n\necho \"\" >> \"$REPORT_FILE\"\necho \"Report generated at: $(date)\" >> \"$REPORT_FILE\"\necho \"===========================\" >&2\necho \"📄 Full security audit report saved to: $REPORT_FILE\" >&2\necho \"💡 Review the report for detailed vulnerability information\" >&2\n\nexit 0"
}.claude/hooks/~/.claude/hooks/{
"hooks": {
"stop": {
"script": "./.claude/hooks/dependency-security-audit-on-stop.sh"
}
}
}
#!/usr/bin/env bash
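# Dependency security audit, run as a Claude Code "stop" hook.
#
# Detects the project's package manager from the lock/manifest files in the
# current directory, runs the matching audit tool, and writes a timestamped
# report to REPORT_FILE; progress messages go to stderr. The hook is
# best-effort: a missing tool or a failing audit is reported, never fatal, and
# the script exits 0 so it cannot block session shutdown.
#
# Trust note: every tool below runs inside the project (`bundle exec` loads
# the Gemfile, npm/yarn/pip read project configuration), so the hook should
# only run in checkouts you trust.
#
# Optional environment:
#   SECURITY_AUDIT_REPORT_DIR  directory for the report (default: current dir,
#                              matching the previous behaviour)
#   SECURITY_AUDIT_TIMEOUT     seconds allowed per audit command when the
#                              `timeout` binary is present (default: 300)

echo "🔒 DEPENDENCY SECURITY AUDIT" >&2
echo "===========================" >&2

# Generate timestamp for report
TIMESTAMP=$(date +%Y%m%d_%H%M%S)
if [[ -n "${SECURITY_AUDIT_REPORT_DIR:-}" ]]; then
  mkdir -p -- "$SECURITY_AUDIT_REPORT_DIR"
  REPORT_FILE="${SECURITY_AUDIT_REPORT_DIR%/}/security-audit-$TIMESTAMP.log"
else
  REPORT_FILE="security-audit-$TIMESTAMP.log"
fi
AUDIT_TIMEOUT="${SECURITY_AUDIT_TIMEOUT:-300}"

#######################################
# Append one line to the report file.
# Globals:   REPORT_FILE (read)
# Arguments: the text to append
#######################################
report() {
  printf '%s\n' "$*" >> "$REPORT_FILE"
}

#######################################
# Print a progress message for the user on stderr.
# Arguments: the text to print
#######################################
say() {
  printf '%s\n' "$*" >&2
}

#######################################
# Run an audit command under a wall-clock limit when `timeout` exists, so a
# stalled registry lookup cannot block session shutdown indefinitely.
# Globals:   AUDIT_TIMEOUT (read)
# Arguments: the command and its arguments
# Returns:   the command's exit status (124 from `timeout` on expiry)
#######################################
run_audit() {
  if command -v timeout > /dev/null 2>&1; then
    timeout "$AUDIT_TIMEOUT" "$@"
  else
    "$@"
  fi
}

#######################################
# npm: vulnerability audit plus outdated-package listing.
# Globals:   REPORT_FILE (written via report)
# Returns:   0 always
#######################################
audit_npm() {
  say "📦 NPM Project Detected - Running audit..."
  report "NPM AUDIT RESULTS"
  report "-----------------"

  if ! command -v npm > /dev/null 2>&1; then
    say "⚠️ npm command not available"
    return 0
  fi

  local audit_output vuln_count
  # Run npm audit with detailed output; a non-zero exit (findings or a failed
  # lookup) still leaves its text in audit_output for the report.
  audit_output=$(run_audit npm audit --audit-level=moderate 2>&1)
  if grep -q "found 0 vulnerabilities" <<<"$audit_output"; then
    say "✅ No vulnerabilities found in NPM dependencies"
    report "✅ No vulnerabilities found"
  else
    # The old `grep | head || echo` fallback never fired because `head`
    # succeeds even when grep matched nothing; test the result instead.
    vuln_count=$(grep -oE '[0-9]+ vulnerabilit(y|ies)' <<<"$audit_output" | head -n 1)
    [[ -n "$vuln_count" ]] || vuln_count="unknown vulnerabilities"
    say "⚠️ NPM audit found: $vuln_count"
    report "$audit_output"
  fi

  report ""
  report "OUTDATED PACKAGES"
  report "-----------------"

  local outdated_output outdated_count
  # Check for outdated packages. `npm outdated` exits 1 whenever anything is
  # outdated, so its exit status cannot signal "up to date"; empty output can.
  outdated_output=$(run_audit npm outdated 2>/dev/null)
  if [[ -z "$outdated_output" ]]; then
    report "All packages up to date"
    say "✅ All NPM packages are up to date"
  else
    report "$outdated_output"
    # The first line of the table is the column header, not a package.
    outdated_count=$(( $(grep -c . <<<"$outdated_output") - 1 ))
    if (( outdated_count < 0 )); then
      outdated_count=0
    fi
    say "📊 Found $outdated_count outdated NPM packages"
  fi
  return 0
}

#######################################
# Yarn: vulnerability audit.
# Globals:   REPORT_FILE (written via report)
# Returns:   0 always
#######################################
audit_yarn() {
  say "🧶 Yarn Project Detected - Running audit..."
  report "YARN AUDIT RESULTS"
  report "------------------"

  if ! command -v yarn > /dev/null 2>&1; then
    say "⚠️ yarn command not available"
    return 0
  fi

  local audit_output
  audit_output=$(run_audit yarn audit --level moderate 2>&1 || echo "Yarn audit completed")
  report "$audit_output"
  # Anchor the zero: a bare "0 vulnerabilities" match also accepted
  # "10 vulnerabilities" or "20 vulnerabilities" as a clean result.
  if grep -qE '(^|[^0-9])0 vulnerabilities' <<<"$audit_output"; then
    say "✅ No vulnerabilities found in Yarn dependencies"
  else
    say "⚠️ Yarn audit found potential issues"
  fi
  return 0
}

#######################################
# Python: safety scan (if installed) plus outdated-package listing.
# Globals:   REPORT_FILE (written via report)
# Returns:   0 always
#######################################
audit_python() {
  say "🐍 Python Project Detected - Running security check..."
  report "PYTHON SECURITY CHECK"
  report "--------------------"

  # Try safety first (recommended for Python security scanning)
  if command -v safety > /dev/null 2>&1; then
    local safety_output safety_status
    say "🔍 Running Safety security scanner..."
    # Text output only: the previous `--json || text` chain produced JSON on
    # a clean run, which never contains the banner grepped for below, so a
    # clean scan was reported as a finding.
    safety_output=$(run_audit safety check 2>&1)
    safety_status=$?
    report "$safety_output"
    # Exit status 0 is treated as clean; the banner check is kept for older
    # versions whose status is not relied upon.
    if (( safety_status == 0 )) || grep -q "No known security vulnerabilities" <<<"$safety_output"; then
      say "✅ No known security vulnerabilities in Python dependencies"
    else
      say "⚠️ Safety scan found potential security issues"
    fi
  else
    say "💡 Install 'safety' for Python security scanning: pip install safety"
    report "safety not installed - using pip list --outdated"
  fi

  report ""
  report "OUTDATED PYTHON PACKAGES"
  report "------------------------"

  if command -v pip > /dev/null 2>&1; then
    local pip_outdated outdated_count
    pip_outdated=$(run_audit pip list --outdated 2>/dev/null || echo "Unable to check outdated packages")
    report "$pip_outdated"
    # Empty output means nothing is outdated (it used to count as one); the
    # columns table otherwise starts with a two-line header — TODO confirm
    # against the pip version in use.
    outdated_count=$(grep -c . <<<"$pip_outdated")
    if (( outdated_count >= 2 )); then
      outdated_count=$(( outdated_count - 2 ))
    fi
    say "📊 Found $outdated_count potentially outdated Python packages"
  fi
  return 0
}

#######################################
# Ruby: bundler-audit check.
# Globals:   REPORT_FILE (written via report)
# Returns:   0 always
#######################################
audit_ruby() {
  say "💎 Ruby Project Detected - Running bundle audit..."
  report "RUBY BUNDLE AUDIT"
  report "-----------------"

  if ! command -v bundle > /dev/null 2>&1; then
    say "⚠️ bundle command not available"
    return 0
  fi

  # Check if bundler-audit is available. `bundle exec` evaluates the
  # project's Gemfile, i.e. project-supplied Ruby.
  if ! bundle exec bundler-audit --version > /dev/null 2>&1; then
    say "💡 Install bundler-audit: gem install bundler-audit"
    report "bundler-audit not installed"
    return 0
  fi

  local audit_output
  audit_output=$(run_audit bundle exec bundler-audit check 2>&1 || echo "Bundle audit completed")
  report "$audit_output"
  if grep -q "No vulnerabilities found" <<<"$audit_output"; then
    say "✅ No vulnerabilities found in Ruby gems"
  else
    say "⚠️ Bundle audit found potential issues"
  fi
  return 0
}

#######################################
# Entry point: initialise the report, pick one ecosystem by its manifest
# (lockfiles take precedence, in the original order), audit it, finish the
# report.
# Globals:   TIMESTAMP, REPORT_FILE (read)
# Returns:   0 always
#######################################
main() {
  # Initialize report; bail out quietly if the location is not writable
  # rather than failing on every subsequent append.
  if ! printf '%s\n' "Dependency Security Audit Report - $TIMESTAMP" > "$REPORT_FILE"; then
    say "⚠️ Cannot write report file: $REPORT_FILE"
    return 0
  fi
  report "============================================="
  report ""

  if [[ -f package-lock.json ]]; then
    # Node.js projects (NPM)
    audit_npm
  elif [[ -f yarn.lock ]]; then
    # Yarn projects
    audit_yarn
  elif [[ -f requirements.txt || -f Pipfile || -f pyproject.toml ]]; then
    # Python projects
    audit_python
  elif [[ -f Gemfile.lock ]]; then
    # Ruby projects
    audit_ruby
  else
    say "📁 No recognized dependency files found"
    report "No package manager files detected (package.json, requirements.txt, Gemfile, etc.)"
  fi

  report ""
  report "Report generated at: $(date)"
  say "==========================="
  say "📄 Full security audit report saved to: $REPORT_FILE"
  say "💡 Review the report for detailed vulnerability information"
  return 0
}

main "$@"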
exit 0
Security audit report files accumulate in the project root directory
Configure REPORT_FILE path to use dedicated logs directory, or add security-audit-*.log pattern to .gitignore to prevent repository clutter from timestamp-based audit files.
Stop hook executes before dependencies finish installing or updating
Ensure package manager operations complete before the session ends. The hook runs after Claude stops, so install commands in the active session won't conflict with the audit's timing.
npm audit hangs indefinitely when network connectivity issues occur
Set npm config registry timeout with 'npm config set timeout 30000' or add timeout wrapper around audit commands to prevent hook from blocking session termination.
Safety scanner for Python fails with 'database not found' error message
Update safety vulnerability database using 'safety check --update-db' command. Install latest version with 'pip install --upgrade safety' to ensure compatibility with current database schema.
Audit severity level flags not recognized by older package manager versions
Update npm to version 6.1.0+ for --audit-level flag support. For older versions, remove --audit-level parameter and parse full audit output using grep for severity filtering.