name: cc-security-compliance
description: Claude Code security and compliance — permissions model, settings.json allowlists/denylists, enterprise managed settings, audit logging, secrets handling, SOC2/HIPAA/GDPR patterns. Use this skill whenever configuring permissions, auditing a setup for security, handling secrets, preparing for compliance, or tightening access. Triggers on: "permissions", "allowlist", "security audit", "compliance", "SOC2", "HIPAA", "GDPR", "secrets", "enterprise settings", "managed settings", "deny list".
Security & Compliance
Baseline security + enterprise compliance patterns for Claude Code.
Permission model
Permissions live in .claude/settings.json:
{
"permissions": {
"allow": ["Read", "Write", "Edit", "Glob", "Grep", "Bash(npm *)"],
"deny": ["Bash(rm -rf /)", "Bash(sudo *)", "Bash(curl * | sh)"],
"ask": ["WebFetch", "Bash(git push *)", "Bash(npm publish *)"]
}
}
allow → tool executes without asking
deny → tool never executes
ask → user is prompted each time
- Missing from all lists → falls back to permission mode default
Permission modes
| Mode | Behavior |
|---|
ask | Prompt for every tool use |
acceptEdits | Auto-accept Read/Write/Edit; prompt for others |
auto | Minimal prompting |
bypassPermissions | Skip prompts (dangerous; CI only) |
plan | Plan mode — no file writes |
Set via claude --permission-mode <mode> or in settings.json → permissionMode.
Secrets handling
Never in repo:
.env files (except .env.example)
- API keys, tokens, credentials in settings/MCP config
- Passwords, private keys
Where secrets go:
- OS keychain (via
secretstorage, keyring, keychain)
- Cloud secret manager (AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, Vault)
- CI-injected env vars
Install the protect-sensitive-files hook (via cc_kb_hook_recipe("protect-sensitive-files")) to prevent accidental writes to .env / credentials.
Audit logging
Enterprise deployments log all tool calls for compliance:
{
"hooks": {
"PostToolUse": [
{ "matcher": "*", "hooks": [{ "type": "command", "command": "bash .claude/hooks/audit-log.sh" }] }
]
}
}
audit-log.sh appends JSON lines to a log shipping to SIEM (Splunk, Elastic, Datadog). Key fields: timestamp, session_id, tool_name, tool_input_hash (not raw input if sensitive), decision, duration_ms.
Enterprise managed settings
For org-wide enforcement, use managed settings at the OS level:
- macOS:
/Library/Application Support/Claude/managed-settings.json
- Windows:
C:\ProgramData\Claude\managed-settings.json
- Linux:
/etc/claude/managed-settings.json
Managed settings override user settings. Use for: denylist of dangerous commands, required hooks (audit), forbidden MCP servers.
Compliance frameworks
SOC2 Type II
- Audit logging of all file modifications and tool calls.
- Access control: user-level
allow/deny tied to AD/SSO identity.
- Change management: all
.claude/ edits go through PR review.
- Retention: audit logs kept ≥1 year.
HIPAA (healthcare)
- PHI never in prompts — scan with
detect-secrets + custom PHI regex in hook.
- BAA required for any cloud-hosted MCP server handling PHI.
- Encryption at rest for any memory/cache files containing PHI.
GDPR
- Right-to-erasure: memory stores (engram, Obsidian) must support selective deletion by user identity.
- Data minimization: don't save user PII to memory without a legitimate purpose.
- Portability: export format for user's saved memory (
mem_timeline, /cc-memory export).
Security audit checklist
Run security-compliance-advisor agent for a full audit. Minimum checks:
MCP delegation
| Need | Tool |
|---|
| Settings schema | cc_docs_settings_schema |
| Audit checklist | cc_docs_checklist("security") |
| Model for review | cc_docs_model_recommend("security review") → Opus |
| Hook recipe for protection | cc_kb_hook_recipe("protect-sensitive-files") |
Anti-patterns
permissions.allow: ["*"] → defeats the point.
- Secrets in settings.json under
env → committed to git.
bypassPermissions in developer default → one typo destroys something.
- Audit log writes to same disk as repo → logs vanish with the incident.
- Skipping managed settings for enterprise → one dev disables them all.
Reference