# Security Components

> Comprehensive security tools including agents, commands, and hooks for auditing, scanning, and hardening

The Security category includes agents, commands, and hooks focused on application security, vulnerability detection, secrets management, and security best practices.

<Card title="Browse Security Components" icon="globe" href="https://aitmpl.com/?category=security">
  Explore all security components at **aitmpl.com**
</Card>

## Quick Install

```bash theme={null}
# Install security essentials
npx claude-code-templates@latest \
  --command security-audit \
  --hook security/secret-scanner \
  --hook security/dangerous-command-blocker \
  --setting permissions/read-only-mode

# Or install the security template
npx claude-code-templates@latest --template security-hardened
```

## Security Commands

<CardGroup cols={2}>
  <Card title="Security Audit" icon="shield-halved">
    Comprehensive security assessment and vulnerability analysis

    **What it checks:**

    * Dependency vulnerabilities
    * Authentication & authorization
    * Input validation & sanitization
    * Data protection & encryption
    * Secrets management
    * Error handling & logging
    * Infrastructure security
    * Security headers & CORS

    ```bash theme={null}
    npx claude-code-templates@latest --command security-audit
    ```

    **Usage:**

    ```bash theme={null}
    # Full audit
    /security-audit --full

    # Focus on specific area
    /security-audit authentication
    /security-audit dependencies
    ```

    **Output includes:**

    * Severity levels (Critical, High, Medium, Low)
    * Specific file references
    * Remediation steps
    * Code examples
  </Card>

  <Card title="Secrets Scanner" icon="key">
    Scan codebase for hardcoded secrets, API keys, and credentials

    **Detects:**

    * API keys and tokens
    * Database passwords
    * Private keys and certificates
    * OAuth secrets
    * Cloud provider credentials
    * Slack/Discord webhooks

    ```bash theme={null}
    npx claude-code-templates@latest --command secrets-scanner
    ```

    **Usage:**

    ```bash theme={null}
    /secrets-scanner
    ```
  </Card>

  <Card title="Dependency Audit" icon="box">
    Check dependencies for known vulnerabilities using npm audit, pip check, etc.

    ```bash theme={null}
    npx claude-code-templates@latest --command dependency-audit
    ```
  </Card>

  <Card title="Security Hardening" icon="lock">
    Apply security best practices to your application

    **Applies:**

    * Security headers
    * CORS configuration
    * Input validation
    * Rate limiting
    * CSP policies
    * Cookie security

    ```bash theme={null}
    npx claude-code-templates@latest --command security-hardening
    ```
  </Card>

  <Card title="Penetration Test" icon="bug">
    Automated penetration testing workflows

    ```bash theme={null}
    npx claude-code-templates@latest --command penetration-test
    ```
  </Card>

  <Card title="Add Authentication System" icon="user-lock">
    Add secure authentication to your application

    **Options:**

    * JWT authentication
    * OAuth2 integration
    * Session management
    * Password hashing (bcrypt, argon2)
    * MFA/2FA support

    ```bash theme={null}
    npx claude-code-templates@latest --command add-authentication-system
    ```
  </Card>
</CardGroup>

## Security Hooks

<Tabs>
  <Tab title="Secret Protection">
    ### Prevent Secret Leaks

    <CardGroup cols={2}>
      <Card title="Secret Scanner Hook" icon="key">
        Automatically scan staged files for secrets before each commit

        **How it works:**

        1. Runs before each commit (pre-commit hook)
        2. Scans all staged files for secret patterns
        3. Blocks commit if secrets are detected
        4. Shows which files and lines contain secrets

        ```bash theme={null}
        npx claude-code-templates@latest --hook security/secret-scanner
        ```

        **Detects:**

        ```regex theme={null}
        # API Keys
        (api[_-]?key|apikey)\s*=\s*["'][^"']

        # AWS Credentials
        (aws[_-]?access[_-]?key[_-]?id)

        # Database URLs
        (postgres|mysql|mongodb)://[^\s]+:[^\s]+@

        # Private Keys
        -----BEGIN (RSA |EC )?PRIVATE KEY-----

        # OAuth Tokens
        (client[_-]?secret|oauth[_-]?token)
        ```

        **Example Output:**

        ```
        ❌ SECRET DETECTED in config/database.js:12
           const password = "my_secret_password"

        ❌ SECRET DETECTED in .env.production:5
           API_KEY=sk_live_abc123xyz

        Commit blocked. Remove secrets before committing.
        ```
      </Card>
    </CardGroup>
  </Tab>

  <Tab title="Command Safety">
    ### Block Dangerous Operations

    <CardGroup cols={2}>
      <Card title="Dangerous Command Blocker" icon="ban">
        Prevent dangerous or destructive commands

        **Blocks:**

        * Force push to main/master
        * Rebase on shared branches
        * Hard reset
        * Direct push to protected branches
        * Destructive rm commands

        ```bash theme={null}
        npx claude-code-templates@latest --hook security/dangerous-command-blocker
        ```

        **Example:**

        ```bash theme={null}
        # Blocked
        git push --force origin main
        # ✗ Error: Force push to main branch is not allowed

        # Allowed
        git push origin feature/my-feature
        # ✓ Success
        ```
      </Card>
    </CardGroup>
  </Tab>

  <Tab title="File Protection">
    ### Protect Sensitive Files

    <CardGroup cols={2}>
      <Card title="File Protection Hook" icon="file-shield">
        Prevent committing sensitive files

        **Protected files:**

        * `.env`, `.env.local`, `.env.production`
        * `credentials.json`, `secrets.yaml`
        * `id_rsa`, `*.pem`, `*.key`
        * `*.p12`, `*.pfx`

        ```bash theme={null}
        npx claude-code-templates@latest --hook security/file-protection
        ```
      </Card>
    </CardGroup>
  </Tab>

  <Tab title="Security Scanning">
    ### Automated Security Scans

    <CardGroup cols={2}>
      <Card title="Security Scanner Hook" icon="radar">
        Run security checks before commits

        **Runs:**

        * Dependency vulnerability scan
        * Secret detection
        * Code quality checks
        * SAST (Static Application Security Testing)

        ```bash theme={null}
        npx claude-code-templates@latest --hook security/security-scanner
        ```
      </Card>
    </CardGroup>
  </Tab>
</Tabs>

## Security Settings

<CardGroup cols={2}>
  <Card title="Read-Only Mode" icon="lock">
    Restrict Claude Code to read-only operations

    **Blocks:**

    * File writes and edits
    * Git commits and pushes
    * Bash commands that modify files
    * Destructive operations

    **Use cases:**

    * Code review mode
    * Production environment analysis
    * Learning from existing codebases
    * Untrusted environments

    ```bash theme={null}
    npx claude-code-templates@latest --setting permissions/read-only-mode
    ```
  </Card>

  <Card title="Restricted Bash" icon="terminal">
    Limit bash command execution to safe operations

    ```bash theme={null}
    npx claude-code-templates@latest --setting permissions/restricted-bash
    ```
  </Card>

  <Card title="Disable Risky MCP Servers" icon="plug-circle-xmark">
    Disable MCP servers with dangerous capabilities

    ```bash theme={null}
    npx claude-code-templates@latest --setting mcp/disable-risky-servers
    ```
  </Card>
</CardGroup>

## Security Agents

<CardGroup cols={2}>
  <Card title="Security Engineer" icon="user-shield">
    Security engineering specialist (part of DevOps Infrastructure category)

    **Expertise:**

    * Security architecture
    * Threat modeling
    * Secure coding practices
    * Security testing
    * Incident response

    ```bash theme={null}
    npx claude-code-templates@latest --agent security-engineer
    ```
  </Card>
</CardGroup>

## Security Workflows

### Pre-Commit Security

Automatic security checks before every commit:

```bash theme={null}
# Install security hooks
npx claude-code-templates@latest \
  --hook security/secret-scanner \
  --hook security/dangerous-command-blocker \
  --hook security/file-protection

# Now every commit is automatically scanned
git commit -m "Add user service"
# ✓ No secrets detected
# ✓ No dangerous commands
# ✓ No sensitive files
# Commit successful
```
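The push, hard-reset and `rm` rules listed for the Dangerous Command Blocker, written as a command-line check. This is an added example, not the hook's own code: `check_command`, its helper functions and the reason strings are hypothetical, "destructive rm" is taken to mean any recursive `rm`, and rebase is left out because the command line alone does not reveal the current branch.

```python
import shlex

PROTECTED = {"main", "master"}  # branch names taken from this page


def _push_reason(args):
    flags = [a for a in args if a.startswith("-")]
    words = [a for a in args if not a.startswith("-")]
    refspecs = words[1:]  # words[0] is the remote name
    # A refspec is "branch", "src:dst" or "+branch"; a leading "+" forces.
    targets = {r.lstrip("+").split(":")[-1] for r in refspecs}
    if not targets & PROTECTED:
        return None  # includes a bare `git push`, whose target is not visible here
    forced = any(f == "-f" or f.startswith("--force") for f in flags)
    forced = forced or any(r.startswith("+") for r in refspecs)
    return ("force" if forced else "direct") + " push to protected branch"


def _rm_reason(args):
    for a in args:
        if a == "--":  # everything after "--" is a file name, not a flag
            break
        short = a.startswith("-") and not a.startswith("--")
        if a == "--recursive" or (short and set(a) & {"r", "R"}):
            return "recursive rm"
    return None


def check_command(command):
    """Return the reason a command line is blocked, or None if it is allowed."""
    try:
        argv = shlex.split(command)
    except ValueError:
        return "unparseable command"  # fail closed on unbalanced quotes
    if len(argv) >= 2 and argv[0] == "git":
        sub, args = argv[1], argv[2:]
        if sub == "push":
            return _push_reason(args)
        if sub == "reset" and "--hard" in args:
            return "hard reset"
    elif argv and argv[0] == "rm":
        return _rm_reason(argv[1:])
    return None


if __name__ == "__main__":
    for cmd in ("git push --force origin main", "git push origin feature/my-feature",
                "git push origin +main", "git reset --hard HEAD~1", "rm -rf build/"):
        print(f"{cmd!r}: {check_command(cmd) or 'allowed'}")
```

Refspec forms such as `HEAD:master` and `+main` are resolved to their destination branch, so a forced update is recognised even without a `--force` flag.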

### Regular Security Audits

Schedule comprehensive security audits:

```bash theme={null}
# Install security audit command
npx claude-code-templates@latest --command security-audit

# Run full audit weekly
/security-audit --full

# Or focus on specific areas
/security-audit dependencies     # Check dependency vulnerabilities
/security-audit authentication  # Review auth implementation
/security-audit data-protection # Check encryption and data handling
```

### Security Hardening

Apply security best practices to new projects:

```bash theme={null}
# Install hardening command
npx claude-code-templates@latest --command security-hardening

# Apply hardening
/security-hardening

# Applies:
# - Security headers (CSP, HSTS, X-Frame-Options)
# - CORS configuration
# - Rate limiting
# - Input validation
# - Cookie security
```

### Secrets Management

Never commit secrets:

```bash theme={null}
# Install secret scanner
npx claude-code-templates@latest --hook security/secret-scanner

# Use environment variables
echo "API_KEY=your_key_here" >> .env
echo ".env" >> .gitignore

# Commits with secrets are blocked
git commit -m "Add config"
# ❌ SECRET DETECTED: Remove secrets before committing
```
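The scanner behaviour described under Secret Scanner Hook (scan staged content, report file and line, block on any hit), implemented with only the five patterns listed there. This is an added example, not the hook's own code: `scan_staged`, `should_block`, the case-insensitive matching and the sample files are assumptions, and the sample values are constructed placeholders.

```python
import re

# The five patterns listed on this page, compiled case-insensitively
# (an assumption: the page does not say which flags the hook uses).
PATTERNS = {
    "API key": r"(api[_-]?key|apikey)\s*=\s*[\"'][^\"']",
    "AWS credential": r"(aws[_-]?access[_-]?key[_-]?id)",
    "Database URL": r"(postgres|mysql|mongodb)://[^\s]+:[^\s]+@",
    "Private key": r"-----BEGIN (RSA |EC )?PRIVATE KEY-----",
    "OAuth token": r"(client[_-]?secret|oauth[_-]?token)",
}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in PATTERNS.items()}


def scan_staged(files):
    """Return (path, line_no, rule, line) for every line matching a pattern.

    `files` maps path -> staged text; a real hook would read each path with
    `git show :<path>` so that the index, not the working tree, is scanned.
    """
    findings = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for rule, rx in COMPILED.items():
                if rx.search(line):
                    findings.append((path, line_no, rule, line.strip()))
    return findings


def should_block(files):
    """Mirror step 3 of the hook: block the commit when anything is found."""
    return bool(scan_staged(files))


# Constructed sample input (placeholders, not real credentials).
SAMPLE = {
    "src/client.js": 'const port = 8080;\nconst apiKey = "EXAMPLE-NOT-A-REAL-KEY";\n',
    "config/db.yaml": "url: postgres://app:EXAMPLE_PW@db.internal:5432/app\n",
    "README.md": "Set DATABASE_URL in your environment.\n",
    ".env.example": "API_KEY=EXAMPLE_UNQUOTED_VALUE\n",
}

if __name__ == "__main__":
    for path, line_no, rule, line in scan_staged(SAMPLE):
        print(f"SECRET DETECTED in {path}:{line_no} [{rule}]\n   {line}")
    print("Commit blocked." if should_block(SAMPLE) else "Commit allowed.")
```

The unquoted `.env.example` line is not flagged, because the listed API-key pattern requires a quote after `=`; extend the pattern set if you rely on `KEY=value` files being caught.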

## Security Best Practices

### 1. Defense in Depth

Layer multiple security controls:

```bash theme={null}
# Install multiple security components
npx claude-code-templates@latest \
  --hook security/secret-scanner \
  --hook security/dangerous-command-blocker \
  --command security-audit \
  --setting permissions/restricted-bash
```

### 2. Automated Security

Automate security checks in CI/CD:

```yaml theme={null}
# .github/workflows/security.yml
name: Security Scan
on: [push, pull_request]
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
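      - uses: actions/checkout@v3
      # Installs the security-audit command (same install line as under Security Commands);
      # the audit itself is invoked with /security-audit
      - run: npx claude-code-templates@latest --command security-audit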
```

### 3. Regular Audits

Schedule regular security reviews:

```bash theme={null}
# Weekly dependency audit
/dependency-audit

# Monthly full security audit
/security-audit --full

# After each major feature
/security-audit authentication
```

### 4. Least Privilege

Restrict permissions when possible:

```bash theme={null}
# Enable read-only mode for code review
npx claude-code-templates@latest --setting permissions/read-only-mode

# Disable risky MCP servers
npx claude-code-templates@latest --setting mcp/disable-risky-servers
```

## Security Template

Use the pre-configured security template:

```bash theme={null}
npx claude-code-templates@latest --template security-hardened
```

**Includes:**

* Security audit command
* Secret scanner hook
* Dangerous command blocker
* File protection hook
* Read-only mode setting
* Branch protection
* Security engineer agent

## Real-World Examples

### Example 1: Prevent Secret Leak

```bash theme={null}
# Developer accidentally tries to commit a secret
echo 'const API_KEY = "sk_live_abc123";' >> config.js
git add config.js
git commit -m "Add config"

# ❌ SECRET DETECTED in config.js:1
#    const API_KEY = "sk_live_abc123";
#
# Commit blocked. Remove secrets before committing.

# Developer fixes: read the key from the environment instead
echo 'const API_KEY = process.env.API_KEY;' > config.js
echo "API_KEY=sk_live_abc123" >> .env
echo ".env" >> .gitignore
git add config.js .gitignore
git commit -m "Add config with env vars"
# ✓ Success
```

### Example 2: Comprehensive Audit

```bash theme={null}
/security-audit --full

# ⚠️ MEDIUM: Dependency vulnerability found
#   Package: express@4.17.1
#   Vulnerability: CVE-2024-xxxxx
#   Fix: npm install express@4.18.2
#
# ❌ CRITICAL: Hardcoded database password
#   File: src/db/connection.js:5
#   Line: const password = "my_password"
#   Fix: Use environment variables
#
# ⚠️ HIGH: Missing security headers
#   File: src/server.js
#   Issue: No CSP, HSTS, or X-Frame-Options headers
#   Fix: Add helmet.js middleware
```

## Next Steps

* [Browse all security components](https://aitmpl.com/?category=security)
* [View development team](/categories/development-team)
* [Explore DevOps components](/categories/devops-infrastructure)
* [Check out testing components](/categories/testing)
