Security Guidance Plugin Before Merge
Install and use the official Claude Code security-guidance plugin before merge: PreToolUse pattern warnings, git-diff review on stop, and team rollout for command injection, XSS, eval, and dangerous file edits.
Open the source and read safety notes before installing.
Safety notes
- Hook pattern matching can miss novel attack classes; combine with code review and CI scanners.
- Stop-time git-diff LLM review adds latency and may produce false positives on refactors.
- Plugins run with session permissions; compromised plugin sources are a supply-chain risk—pin trusted marketplaces.
- Security guidance warns about risky patterns but does not block merges automatically unless paired with deny hooks.
Privacy notes
- Hook scripts inspect edited file paths, diffs, and prompt text that may contain proprietary code.
- Git-diff review at session stop transmits change summaries to the configured model provider per normal Claude Code data handling.
- Shared plugin settings in git expose which security patterns your team monitors.
Prerequisites
- Claude Code with plugin and hooks support for your account and project.
- A repository using normal git PR review before merging agent-generated changes.
- Python available for plugin hook scripts when using the official security-guidance bundle.
- Team agreement that hook warnings require human acknowledgment before merge.
Schema details
- Install type: copy
- Reading time: 8 min
- Difficulty score: 50
- Troubleshooting: Yes
- Breaking changes: No
Full copyable content
Add the security-guidance plugin from the official Claude Code plugins catalog, keep PreToolUse hooks enabled for Edit and Write tools, review warnings during the PR, and treat stop-time git-diff review as a merge gate—not a substitute for human security review.
TL;DR
The official security-guidance plugin adds PreToolUse and stop-time hooks that warn when Claude edits files matching risky patterns—command injection, XSS, eval, dangerous HTML, pickle usage, and similar signals. Enable it before merge review, treat warnings as blockers until a human resolves them, and pair hooks with normal PR checks—not as the only security control.
Prerequisites & Requirements
- Plugin installed: security-guidance is available in project or user plugin settings
- Hooks enabled: PreToolUse matchers cover Edit, Write, MultiEdit, and NotebookEdit tools
- Review owner: A maintainer triages hook warnings before merging PRs
- Python runtime: Hook scripts can invoke Python via the plugin bootstrap shell helpers
- CI complement: SAST, dependency, and secret scanning still run in CI
Core Concepts Explained
Pattern warnings on edit tools
The security-guidance plugin ships PreToolUse and PostToolUse hooks tied to file edit tools. When Claude proposes changes, hook scripts scan content for known dangerous patterns and surface reminders before the edit lands in the working tree.
Git-diff review on session stop
Official plugin metadata describes git-diff-based LLM review when a session stops. This gives maintainers a second pass over accumulated agent changes before opening or merging a pull request.
Guidance is not automatic enforcement
Unless your team adds hard-deny hook policies, security-guidance primarily warns. Maintainers should treat unresolved warnings like failing checks during merge review.
Complements other security guides
Pair this plugin with MCP threat modeling and client configuration audits when agents use external tools. Hooks focus on local edit patterns, not remote MCP trust.
Step-by-Step Implementation Guide
Install the plugin. Add security-guidance from the official Claude Code plugins directory or your approved marketplace using the plugin manager.
Verify hook registration. Confirm hooks.json registers SessionStart bootstrap, UserPromptSubmit reminders, PostToolUse scans on edit tools, and stop-time review.
Run a risky edit drill. Intentionally propose a blocked-pattern snippet in a scratch branch and confirm the hook surfaces a warning your team recognizes.
Document merge policy. State in CONTRIBUTING that unresolved security-guidance warnings block merge until a maintainer documents acceptance or fixes the code.
Use during PR prep. Run Claude Code sessions with the plugin enabled while addressing review comments so new edits inherit the same guardrails.
Review stop output. Before git push, read stop-time git-diff review summaries and reconcile them with your diff against main.
Tune with hookify if needed. For repo-specific banned APIs, add complementary hookify rules rather than disabling security-guidance defaults.
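To make the "verify hook registration" step concrete, here is an added example (not the plugin's own code and not from this guide) that audits a hooks.json: it checks that the four events named in that step are registered and that the PostToolUse matchers cover every edit-family tool listed in the prerequisites. The sample hooks.json is constructed, and treating `matcher` as a regex over tool names (with an empty or `*` matcher matching every tool) is an assumption about Claude Code's hook format.

```python
import json
import re

# Constructed sample hooks.json (not the real plugin file). The event names and
# the {"matcher": ..., "hooks": [...]} shape follow the Claude Code hooks layout.
SAMPLE_HOOKS_JSON = """
{
  "hooks": {
    "SessionStart": [{"hooks": [{"type": "command", "command": "bootstrap.sh"}]}],
    "UserPromptSubmit": [{"hooks": [{"type": "command", "command": "remind.sh"}]}],
    "PostToolUse": [{"matcher": "Edit|Write", "hooks": [{"type": "command", "command": "scan.sh"}]}],
    "Stop": [{"hooks": [{"type": "command", "command": "diff_review.sh"}]}]
  }
}
"""

# Events the guide expects the plugin to register, and the edit-family tools
# the PostToolUse scan must cover.
REQUIRED_EVENTS = ("SessionStart", "UserPromptSubmit", "PostToolUse", "Stop")
EDIT_TOOLS = ("Edit", "Write", "MultiEdit", "NotebookEdit")


def matcher_covers(matcher, tool):
    # Assumption: matcher is a regex over tool names; empty or "*" matches all.
    if matcher in (None, "", "*"):
        return True
    return re.fullmatch(matcher, tool) is not None


def audit_hooks(hooks_json_text):
    """Return a list of findings; an empty list means registration looks complete."""
    hooks = json.loads(hooks_json_text).get("hooks", {})
    findings = []
    for event in REQUIRED_EVENTS:
        entries = hooks.get(event) or []
        # An event with no command hooks behind it is as good as unregistered.
        if not any(entry.get("hooks") for entry in entries):
            findings.append(f"missing {event} hook")
    post = [e for e in (hooks.get("PostToolUse") or []) if e.get("hooks")]
    for tool in EDIT_TOOLS:
        if not any(matcher_covers(e.get("matcher"), tool) for e in post):
            findings.append(f"PostToolUse does not cover {tool}")
    return findings


if __name__ == "__main__":
    for finding in audit_hooks(SAMPLE_HOOKS_JSON):
        print("WARN:", finding)
```

Run against the constructed sample it reports that MultiEdit and NotebookEdit are uncovered, which is exactly the gap the "hooks never fire" troubleshooting entry points at.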
Pre-Merge Security Checklist
- Warnings cleared: No open security-guidance alerts on the final diff
- Secrets absent: No credentials introduced in edited files
- Injection paths: Shell, SQL, and template injection vectors reviewed
- XSS surfaces: User-controlled HTML or markdown rendering checked
- CI green: Project scanners and tests pass alongside hook review
Troubleshooting
Hooks never fire
Confirm the plugin is enabled for the project, Python is on PATH for hook scripts, and edit tools match PostToolUse matchers in hooks.json.
Too many false positives
Document accepted patterns in team rules, narrow custom hookify additions, and keep security-guidance defaults rather than disabling hooks globally.
Stop review missing
Ensure sessions end cleanly so stop hooks run; long-running background tasks may delay diff review until the session actually stops.
Plugin install fails
Update Claude Code to a hooks-capable release and verify marketplace trust settings allow the official security-guidance source.
Source Verification Notes
Verified against official Claude Code security guidance documentation and the public anthropics/claude-code plugins directory on 2026-06-16:
- code.claude.com documents the security-guidance plugin as a PreToolUse-oriented security reminder system for Claude Code projects.
- plugins/README.md lists security-guidance with hooks monitoring command injection, XSS, eval usage, dangerous HTML, pickle deserialization, and os.system calls.
- Plugin hooks.json registers SessionStart bootstrap, UserPromptSubmit scans, PostToolUse matchers on Edit and Write family tools, and stop-time git-diff review.
- Official plugin structure places metadata under .claude-plugin/plugin.json with optional commands, agents, skills, hooks, and MCP configuration.
Duplicate Check
Checked content/guides, generated catalog text, and open pull requests for security-guidance plugin, PreToolUse merge review, and Claude Code security hooks. remote-mcp-server-security-review-checklist.mdx mentions the plugin in passing but does not teach pre-merge rollout. claude-code-security-guidance-remediator-agent covers agent prompts, not plugin installation before merge. No existing guide focuses on enabling security-guidance as a merge gate workflow.
References
- Security guidance docs - https://code.claude.com/docs/en/security-guidance
- Plugins docs - https://code.claude.com/docs/en/plugins
- security-guidance plugin - https://github.com/anthropics/claude-code/tree/main/plugins/security-guidance
How it compares
Security Guidance Plugin Before Merge side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.
| Field | Security Guidance Plugin Before Merge | Auditing MCP Client Configuration Before Team Rollout | Review AI-Generated Code Before Merge | Adding Plugin Install Hints to Developer CLIs |
|---|---|---|---|---|
| Summary | Install and use the official Claude Code security-guidance plugin before merge: PreToolUse pattern warnings, git-diff review on stop, and team rollout for command injection, XSS, eval, and dangerous file edits. | Source-backed checklist for reviewing Claude Code MCP client configuration before a team rollout, covering scopes, transports, commands, secrets, allowlists, denylists, approvals, and rollback. | A source-backed review workflow for pull requests that include AI-generated code. Treat generated diffs as untrusted implementation work, verify behavior in CI, inspect security-sensitive paths first, and merge only after a reviewer-owned checklist passes. | A practical walkthrough of the claude-code-hint protocol. When CLAUDECODE is set, have your CLI write a self-closing tag to stderr; Claude Code strips the line before it reaches the model and shows a one-time prompt to install your plugin — but only for plugins in the official Anthropic marketplace. |
| Trust | | | | |
| Install risk | Review first | Review first | Review first | Review first |
| Notes | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ |
| Category | guides | guides | guides | guides |
| Source | source-backed | source-backed | source-backed | source-backed |
| Author | kiannidev | YB0y | MkDev11 | JPette1783 |
| Added | 2026-06-16 | 2026-06-10 | 2026-06-04 | 2026-06-05 |
| Platforms | Claude Code | Claude Code | Claude Code | Claude Code |
| Source repo | — | — | — | — |
| Safety notes | ✓ Hook pattern matching can miss novel attack classes; combine with code review and CI scanners. Stop-time git-diff LLM review adds latency and may produce false positives on refactors. Plugins run with session permissions; compromised plugin sources are a supply-chain risk—pin trusted marketplaces. Security guidance warns about risky patterns but does not block merges automatically unless paired with deny hooks. | ✓ Local stdio MCP servers execute commands with the user's privileges, so review the exact command, arguments, package runner, file paths, and network behavior before sharing a config. Remote MCP servers can expose model-controlled tools for production systems; require least-privilege scopes, explicit approval for write tools, and a rollback path before team rollout. Do not rely on server names alone for enforcement because names are user-assigned labels; use command or URL allowlist entries when policy must control what actually runs. | ✓ Treat AI-generated changes as untrusted code until a human reviewer verifies behavior, security impact, and rollback risk. Block merge when the PR changes authentication, authorization, data deletion, payment, networking, serialization, or release automation without focused tests. Do not accept generated explanations as proof; require CI output, reproducible commands, or links to authoritative project docs. Inspect package manifests, lockfiles, package-manager configuration, and dependency choices before installing from an untrusted branch. Run install, build, and test commands for untrusted PRs in a disposable sandbox or container, with package-manager lifecycle scripts disabled unless the changed scripts and packages have been reviewed and approved. | ✓ The hint never auto-installs anything; Claude Code only shows a one-time prompt and the user always confirms. Gate emission on the CLAUDECODE environment variable so the marker never appears in a human user's terminal or in normal pipelines. Hints are only acted on for plugins in an official Anthropic marketplace; pointers to other marketplaces are silently dropped. |
| Privacy notes | ✓ Hook scripts inspect edited file paths, diffs, and prompt text that may contain proprietary code. Git-diff review at session stop transmits change summaries to the configured model provider per normal Claude Code data handling. Shared plugin settings in git expose which security patterns your team monitors. | ✓ MCP client configuration can reveal server URLs, internal hostnames, command paths, environment-variable names, header names, OAuth client IDs, and tool availability. Do not store API keys, bearer tokens, client secrets, tenant IDs, or personal credentials in shared `.mcp.json`, managed-mcp.json, PR bodies, issue comments, logs, or screenshots. Tool arguments, tool results, resources, prompts, logs, traces, and OAuth metadata can expose private repositories, tickets, databases, user identities, and workspace data. | ✓ Do not paste private code, secrets, customer data, logs, or incident details into external AI review tools unless your organization has approved that workflow. Keep review notes in the pull request or internal tracker so security decisions remain auditable. | ✓ Claude Code strips the hint line before output reaches the model, so it is not counted toward token usage and does not enter the conversation. Write the tag to stderr to keep it out of shell pipelines like `your-cli deploy \| jq`; do not embed it mid-line in logs. The hint carries only your plugin identifier; do not append user data or secrets to the marker line. |
| Prerequisites | | | | |
| Install | — | — | | — |
| Config | — | — | — | — |
| Citations | | | | |
| Claim | Unclaimed | Unclaimed | Unclaimed | Unclaimed |