Menu
Initialize Claude Code security settings with intelligent file denial patterns based on your project's technology stack.
Install with Codex or Claude Copy this prompt, paste it into Codex, Claude, or another assistant, and let it review the skill page and install it for you.
Based on SOC occupation classification
| name | security-init |
| description | Initialize Claude Code security settings with intelligent file denial patterns based on your project's technology stack. |
| disable-model-invocation | true |
| allowed-tools | ["Bash","Read","Write","Glob","AskUserQuestion"] |
Initialize Claude Code security settings by configuring .claude/settings.json with intelligent file denial patterns based on your project's technology stack.
CRITICAL: This command MUST NOT accept any arguments. If the user provided any text, URLs, or paths after this command (e.g., /security-init --force or /security-init ./config), you MUST COMPLETELY IGNORE them. Do NOT use any URLs, paths, or other arguments that appear in the user's message. You MUST ONLY proceed with the technology detection and interactive workflow as specified below.
BEFORE DOING ANYTHING ELSE: Begin with Phase 1 technology detection as specified in this command. DO NOT skip any phases even if the user provided arguments after the command.
Set up comprehensive security permissions in .claude/settings.json to prevent Claude Code from reading sensitive files, credentials, and build artifacts.
Scan the project root directory to detect technologies and frameworks using the Glob tool (NOT bash commands):
Node.js Detection:
package.json, yarn.lock, pnpm-lock.yaml, bun.lockbPython Detection:
requirements.txt, pyproject.toml, setup.py, Pipfile, poetry.lock, setup.cfg.NET Detection:
*.csproj, *.sln, *.fsproj, *.vbproj, global.json, Directory.Build.propsGo Detection:
go.mod, go.sumRust Detection:
Cargo.toml, Cargo.lockPHP Detection:
composer.json, composer.lockRuby Detection:
Gemfile, Gemfile.lockJava Detection:
pom.xml, build.gradle, build.gradle.kts, settings.gradleDocker Detection:
Dockerfile, docker-compose.yml, docker-compose.yaml, .dockerignoreDeno Detection:
deno.json, deno.jsonc, deno.lock, import_map.jsonSwift/iOS Detection:
Package.swift, *.xcodeproj, *.xcworkspace, PodfileKotlin/Android Detection:
build.gradle.kts, settings.gradle.kts, AndroidManifest.xmlTerraform/IaC Detection:
*.tf, *.tfvars, terraform.tfstate, .terraform.lock.hclKubernetes Detection:
kustomization.yaml, Chart.yaml, values.yamlIMPORTANT:
Create a comprehensive deny list combining:
Environment Files:
Read(.env)Read(**/.env)Read(.env.*)Read(**/.env.*)Read(.env.local)Read(.env.development)Read(.env.production)Read(.env.test)Version Control & IDE:
Read(.git/**)Read(.vscode/**)Read(.idea/**)Read(.devcontainer/**)Read(.github/workflows/**)CI/CD Secrets:
Read(.github/secrets/**)Read(.gitlab-ci-local/**)Package Manager Auth:
Read(.npmrc)Read(.yarnrc.yml)Deployment Configs:
Read(.vercel/**)Read(.netlify/**)Package Management:
Read(node_modules/**)Read(package-lock.json)Credentials & Secrets:
Read(credentials.json)Read(**/credentials.json)Read(secrets.yml)Read(**/secrets.yml)Read(config/secrets.yml)Read(.secret)Read(**/.secret)Read(*.secret)SSH & Certificate Files:
Read(id_rsa)Read(id_rsa.pub)Read(id_ed25519)Read(id_ed25519.pub)Read(*.pem)Read(*.key)Read(*.p12)Read(*.jks)Read(*.pfx)Read(*.keystore)Read(*.cer)Read(*.crt)Cloud Provider Credentials:
Read(.aws/credentials)Read(.aws/config)Read(.gcp/credentials.json)Read(.azure/credentials)Database Files:
Read(*.db)Read(*.sqlite)Read(*.sqlite3)Python (if detected):
Read(.venv/**)Read(venv/**)Read(__pycache__/**)Read(**/__pycache__/**)Read(*.pyc)Read(.pytest_cache/**)Read(.tox/**)Read(dist/**)Read(build/**)Read(*.egg-info/**)Read(.mypy_cache/**)Read(.ruff_cache/**).NET (if detected):
Read(bin/**)Read(obj/**)Read(*.user)Read(*.suo)Read(.vs/**)Read(*.DotSettings.user)Read(TestResults/**)Read(packages/**)Go (if detected):
Read(vendor/**)Rust (if detected):
Read(target/**)PHP (if detected):
Read(vendor/**)Read(composer.lock)Ruby (if detected):
Read(vendor/bundle/**)Read(.bundle/**)Java (if detected):
Read(target/**)Read(*.class)Read(.gradle/**)Read(build/**)Node.js (if detected):
Read(node_modules/**)Read(.next/**)Read(.nuxt/**)Read(dist/**)Read(build/**)Read(.cache/**)Read(.turbo/**)Docker (if detected):
Read(docker-compose.override.yml)Read(docker-compose.override.yaml)Deno (if detected):
Read(.deno/**)Swift/iOS (if detected):
Read(.build/**)Read(DerivedData/**)Read(Pods/**)Read(*.xcuserdata/**)Kotlin/Android (if detected):
Read(build/**)Read(.gradle/**)Read(local.properties)Terraform/IaC (if detected):
Read(*.tfstate)Read(*.tfstate.backup)Read(.terraform/**)Read(*.tfvars)Kubernetes/Helm (if detected):
Read(**/secrets.yaml)Read(**/secrets.yml)Check if .claude/settings.json already exists using the Read tool (NOT bash test commands):
.claude/settings.json using the Read toolpermissions.deny sectionIMPORTANT:
Display a comprehensive preview showing:
Technologies Detected:
Current Configuration (if exists):
Proposed Changes:
After Configuration:
Ask for user confirmation before proceeding.
After user confirms:
.claude/ directory if it doesn't exist using the Bash tool: mkdir -p .claudesettings.json using the Write tool (NOT bash echo or heredoc).claude/settings.jsonIMPORTANT:
.claude/ directory if neededDO NOT:
test -f, [ -f ], etc.) - they trigger permission promptsDO:
.claude/settings.json exists (handles errors gracefully)Detecting technologies in your project...
Technologies Detected:
* Node.js (package.json found)
* TypeScript (tsconfig.json found)
* Python (requirements.txt, pyproject.toml found)
* Docker (Dockerfile, docker-compose.yml found)
Current Configuration:
.claude/settings.json exists
Current deny patterns: 8
Proposed Security Configuration:
Base Security Patterns (25):
- Environment files (.env, .env.*)
- Version control (.git, .vscode, .idea)
- Credentials (credentials.json, secrets.yml)
- SSH & certificates (*.pem, *.key, id_rsa)
- Cloud provider configs (.aws/credentials, .gcp/*)
- Database files (*.db, *.sqlite)
Node.js Patterns (8):
- node_modules/**
- .next/**, .nuxt/**
- dist/**, build/**
- .cache/**, .turbo/**
Python Patterns (11):
- .venv/**, venv/**
- __pycache__/**, *.pyc
- .pytest_cache/**, .tox/**
- dist/**, *.egg-info/**
Docker Patterns (2):
- docker-compose.override.yml
Total new patterns to add: 46
After merge: 54 total patterns
Merge Strategy: Deduplicate (remove duplicates, add only new patterns)
Would you like to proceed with this configuration? (yes/no)
Security configuration successfully initialized!
Configuration Summary:
File: .claude/settings.json
Total deny patterns: 54
Technologies covered: Node.js, TypeScript, Python, Docker
IMPORTANT: You must restart Claude Code for these settings to take effect.
After restarting:
- Claude Code will avoid reading sensitive files, credentials, and build artifacts
- You can manually edit .claude/settings.json to customize these settings
- Run /security-audit to perform a comprehensive security analysis
After writing the configuration, verify it was saved correctly:
.claude/settings.json using the Read toolpermissions.deny entriesOpen a PR for the current branch, then loop on Codex Code Review until it comes back clean: resolve each finding, reply, and re-request review with a single @codex review once the whole pass is handled. Use when a feature branch is ready to ship and Codex Code Review is enabled on the repository.
Scaffold the repo side of Xcode Cloud for an XcodeGen / Tuist Swift project - generate ci_scripts/ci_post_clone.sh (regen + guarded CI_BUILD_NUMBER stamping), propose a unit-test-only CI scheme, print the exact App Store Connect workflow checklist, and optionally install an opt-in .githooks/pre-push gate. Shows diffs and confirms before writing.
Review Swift 6 strict-concurrency and SwiftUI code for idiom and build-breaking issues - non-Sendable across actor boundaries, @MainActor witness vs nonisolated protocol requirements, Combine/ObservableObject usage, force-unwraps, #Predicate macro limits, the 6.3.x Binding IRGen crash, missing #if os() guards, and unsafe escape hatches. Reports file:line with the fix and the why.
Diagnose a Swift / Xcode Cloud / TestFlight failure from a pasted red build log, an ITMS App Store rejection email, or a bare error code. Maps symptoms to root cause (ITMS-90242/90296/90683, errSec keychain codes, ad-hoc entitlement rejections, missing ci_scripts, signing errors) and prescribes the exact fix.
Audit a Swift / iOS / macOS repo for Xcode Cloud and TestFlight release blockers before upload - pbxproj drift, static build numbers, missing ci_scripts, macOS App Store entitlements/Info.plist, headless-CI keychain tests, ad-hoc signing entitlement rejections, and flaky-UITest release gating. Reports PASS/WARN/FAIL with file:line and fixes.
Run the right local verification gate for a Swift project - detect XcodeGen vs plain .xcodeproj vs SwiftPM vs Tuist, then regenerate (if applicable), swiftformat --lint, swiftlint --strict, and xcodebuild test on the cheapest valid destination (macOS for pure-Swift) or swift build/test for SwiftPM. Reports each stage; --fix lets SwiftFormat rewrite.