Skip to main content
Securitymarkus41

security-compliance

Claude Code security and compliance — permissions model, settings.json allowlists/denylists, enterprise managed settings, audit logging, secrets handling, SOC2/HIPAA/GDPR patterns. Use this skill whenever configuring permissions, auditing a setup for security, handling secrets, preparing for compliance, or tightening access. Triggers on: "permissions", "allowlist", "security audit", "compliance", "SOC2", "HIPAA", "GDPR", "secrets", "enterprise settings", "managed settings", "deny list".

Stars
12
Source
markus41/claude
Updated
2026-05-11
Slug
markus41--claude--security-compliance
View on GitHubRaw SKILL.md

// install — copy + paste into any project

mkdir -p .claude/skills && curl -fsSL https://raw.githubusercontent.com/markus41/claude/HEAD/plugins/claude-code-expert/skills/security-compliance/SKILL.md -o .claude/skills/security-compliance.md

Drops the SKILL.md into .claude/skills/security-compliance.md. Works with Claude Code, Cursor, and any agent that loads SKILL.md files from .claude/skills/.

Security & Compliance

Baseline security + enterprise compliance patterns for Claude Code.

Permission model

Permissions live in .claude/settings.json:

{
  "permissions": {
    "allow": ["Read", "Write", "Edit", "Glob", "Grep", "Bash(npm *)"],
    "deny":  ["Bash(rm -rf /)", "Bash(sudo *)", "Bash(curl * | sh)"],
    "ask":   ["WebFetch", "Bash(git push *)", "Bash(npm publish *)"]
  }
}
  • allow → tool executes without asking
  • deny → tool never executes
  • ask → user is prompted each time
  • Missing from all lists → falls back to permission mode default

Permission modes

Mode Behavior
ask Prompt for every tool use
acceptEdits Auto-accept Read/Write/Edit; prompt for others
auto Minimal prompting
bypassPermissions Skip prompts (dangerous; CI only)
plan Plan mode — no file writes

Set via claude --permission-mode <mode> or in settings.jsonpermissionMode.

Secrets handling

Never in repo:

  • .env files (except .env.example)
  • API keys, tokens, credentials in settings/MCP config
  • Passwords, private keys

Where secrets go:

  • OS keychain (via secretstorage, keyring, keychain)
  • Cloud secret manager (AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, Vault)
  • CI-injected env vars

Install the protect-sensitive-files hook (via cc_kb_hook_recipe("protect-sensitive-files")) to prevent accidental writes to .env / credentials.

Audit logging

Enterprise deployments log all tool calls for compliance:

{
  "hooks": {
    "PostToolUse": [
      { "matcher": "*", "hooks": [{ "type": "command", "command": "bash .claude/hooks/audit-log.sh" }] }
    ]
  }
}

audit-log.sh appends JSON lines to a log shipping to SIEM (Splunk, Elastic, Datadog). Key fields: timestamp, session_id, tool_name, tool_input_hash (not raw input if sensitive), decision, duration_ms.

Enterprise managed settings

For org-wide enforcement, use managed settings at the OS level:

  • macOS: /Library/Application Support/Claude/managed-settings.json
  • Windows: C:\ProgramData\Claude\managed-settings.json
  • Linux: /etc/claude/managed-settings.json

Managed settings override user settings. Use for: denylist of dangerous commands, required hooks (audit), forbidden MCP servers.

Compliance frameworks

SOC2 Type II

  • Audit logging of all file modifications and tool calls.
  • Access control: user-level allow/deny tied to AD/SSO identity.
  • Change management: all .claude/ edits go through PR review.
  • Retention: audit logs kept ≥1 year.

HIPAA (healthcare)

  • PHI never in prompts — scan with detect-secrets + custom PHI regex in hook.
  • BAA required for any cloud-hosted MCP server handling PHI.
  • Encryption at rest for any memory/cache files containing PHI.

GDPR

  • Right-to-erasure: memory stores (engram, Obsidian) must support selective deletion by user identity.
  • Data minimization: don't save user PII to memory without a legitimate purpose.
  • Portability: export format for user's saved memory (mem_timeline, /cc-memory export).

Security audit checklist

Run security-compliance-advisor agent for a full audit. Minimum checks:

  • No secrets in settings.json, .mcp.json, or any committed file
  • deny list includes destructive commands (rm -rf, sudo, curl|sh)
  • protect-sensitive-files hook installed
  • Permission mode not bypassPermissions outside CI
  • MCP servers from trusted sources only
  • Hook scripts pass shellcheck
  • No --dangerously-skip-permissions in any committed script

MCP delegation

Need Tool
Settings schema cc_docs_settings_schema
Audit checklist cc_docs_checklist("security")
Model for review cc_docs_model_recommend("security review") → Opus
Hook recipe for protection cc_kb_hook_recipe("protect-sensitive-files")

Anti-patterns

  • permissions.allow: ["*"] → defeats the point.
  • Secrets in settings.json under env → committed to git.
  • bypassPermissions in developer default → one typo destroys something.
  • Audit log writes to same disk as repo → logs vanish with the incident.
  • Skipping managed settings for enterprise → one dev disables them all.

Reference