# Security Scan Hook

A PostToolUse hook that fires after every file edit. Deterministic pattern detection — no AI judgment.

## Configuration

Add to your `.claude/settings.json`:

```json
{
  "hooks": {
    "PostToolUse": [
      {
        "matcher": "Edit|Write",
        "command": "sh .claude/hooks/security-scan.sh $FILE_PATH"
      }
    ]
  }
}
```

## Hook Script (`.claude/hooks/security-scan.sh`)

```bash
#!/bin/bash
# Security scan — runs after every file edit
# Deterministic pattern detection, no AI judgment

FILE="$1"

if [ ! -f "$FILE" ]; then
  exit 0
fi

ISSUES=""

# Hardcoded secrets
if grep -qiE "(api[_-]?key|secret|password|token)\s*[=:]\s*['\"][^'\"]{8,}" "$FILE"; then
  ISSUES="$ISSUES\n[CRITICAL] Possible hardcoded secret detected"
fi

# AWS keys
if grep -qE "AKIA[0-9A-Z]{16}" "$FILE"; then
  ISSUES="$ISSUES\n[CRITICAL] AWS access key detected"
fi

# Private keys
if grep -q "BEGIN.*PRIVATE KEY" "$FILE"; then
  ISSUES="$ISSUES\n[CRITICAL] Private key detected"
fi

# HTTP endpoints (should be HTTPS)
if grep -qE "http://[^l][^o][^c]" "$FILE"; then
  ISSUES="$ISSUES\n[WARNING] Non-HTTPS endpoint detected"
fi

# Connection strings
if grep -qiE "(mongodb|postgres|mysql|redis)://[^$]" "$FILE"; then
  ISSUES="$ISSUES\n[CRITICAL] Hardcoded connection string detected"
fi

if [ -n "$ISSUES" ]; then
  echo "=== SECURITY SCAN FAILED ==="
  echo -e "$ISSUES"
  echo "File: $FILE"
  echo "==========================="
  exit 1
fi

exit 0
```

## Why Deterministic?
- No AI judgment means no hallucinated passes
- Runs 100% of the time — no skipping
- Catches structured patterns (keys, tokens, connection strings)
- Contextual analysis (names in prose, embedded terms) should be handled separately by a human or a dedicated review
