Back to Hooks

Dependency Vulnerability Check

PostToolUse

Runs npm audit / pip-audit / cargo audit when dependency manifests change, blocking edits that introduce known vulnerabilities

securitydependenciesvulnerabilityauditsupply-chain
By Claude Code Community

Hook Script

#!/bin/bash
# Dependency Vulnerability Check
# Runs the relevant audit tool when a dependency manifest is edited
# and blocks the change if high/critical vulnerabilities are introduced.

FILE_PATH="$CLAUDE_FILE_PATH"

case "$(basename "$FILE_PATH")" in
  package.json|package-lock.json|pnpm-lock.yaml|yarn.lock)
    TOOL="npm"
    ;;
  requirements.txt|pyproject.toml|poetry.lock|uv.lock)
    TOOL="pip"
    ;;
  Cargo.toml|Cargo.lock)
    TOOL="cargo"
    ;;
  go.mod|go.sum)
    TOOL="go"
    ;;
  *)
    # Not a dependency manifest — skip silently
    exit 0
    ;;
esac

PROJECT_DIR="$(dirname "$FILE_PATH")"
# Walk up to the nearest directory with a lockfile-ish marker
while [[ "$PROJECT_DIR" != "/" && ! -f "$PROJECT_DIR/package.json" && ! -f "$PROJECT_DIR/Cargo.toml" && ! -f "$PROJECT_DIR/go.mod" && ! -f "$PROJECT_DIR/pyproject.toml" ]]; do
  PROJECT_DIR="$(dirname "$PROJECT_DIR")"
done

cd "$PROJECT_DIR" || exit 0

REPORT=""
EXIT_CODE=0

case "$TOOL" in
  npm)
    if command -v npm >/dev/null 2>&1; then
      REPORT=$(npm audit --audit-level=high --json 2>/dev/null)
      COUNT=$(echo "$REPORT" | grep -oE '"high":[0-9]+|"critical":[0-9]+' | grep -oE '[0-9]+' | awk '{s+=$1} END {print s+0}')
      if [[ "$COUNT" -gt 0 ]]; then
        EXIT_CODE=1
      fi
    fi
    ;;
  pip)
    if command -v pip-audit >/dev/null 2>&1; then
      REPORT=$(pip-audit 2>&1)
      if echo "$REPORT" | grep -qi "vulnerab"; then
        EXIT_CODE=1
      fi
    fi
    ;;
  cargo)
    if command -v cargo-audit >/dev/null 2>&1; then
      REPORT=$(cargo audit 2>&1)
      if echo "$REPORT" | grep -qiE "error:|warning:.*vulnerability"; then
        EXIT_CODE=1
      fi
    fi
    ;;
  go)
    if command -v govulncheck >/dev/null 2>&1; then
      REPORT=$(govulncheck ./... 2>&1)
      if echo "$REPORT" | grep -qi "vulnerability"; then
        EXIT_CODE=1
      fi
    fi
    ;;
esac

if [[ "$EXIT_CODE" -ne 0 ]]; then
  echo "⚠️  Dependency vulnerability detected after editing $FILE_PATH"
  echo ""
  echo "$REPORT" | head -40
  echo ""
  echo "Resolve the issue before committing:"
  echo "  - Upgrade the vulnerable dependency to a patched version"
  echo "  - Or document a justified ignore in your security policy"
  exit 1
fi

exit 0

Settings Configuration

{
  "hooks": {
    "PostToolUse": [
      {
        "matcher": "Edit|Write",
        "command": "./hooks/dependency-vuln-check.sh"
      }
    ]
  }
}

How to use

  1. Create a hooks directory in your project: mkdir hooks
  2. Save the hook script as hooks/dependency-vuln-check.sh
  3. Make it executable: chmod +x hooks/dependency-vuln-check.sh
  4. Add the configuration to your Claude Code settings
  5. Restart Claude Code to apply changes

Related

Secret Scanner
Hooks
Environment Variable Leak Detector
Hooks
Security Auditor
Agents

You might also like

Secret Scanner
Hooks
Prompt Injection Defense
Hooks
Environment Variable Leak Detector
Hooks