Configure Safety Guardrails for Claude Code
Build a three-layer security system to protect your code from unsafe AI actions
Difficulty: Intermediate
Time to complete: 45 minutes
Availability: Free
BUILD
What you'll build
Configure permission deny rules, deterministic hooks, and a CLAUDE.md policy to create a defense-in-depth security setup that prevents Claude Code from accessing secrets or running dangerous commands.
1. Get Your Tools Ready
Install Claude Code and jq, then create a sample project with sensitive test files.
2. Lock Down Permissions
Create permission deny rules to block Claude from accessing secrets and dangerous commands.
3. Build Your Safety Hooks
Write two PreToolUse hook scripts that validate file edits and Bash commands before execution.
4. Red-Team Your Guardrails
Write a CLAUDE.md security policy and test each defense layer to find gaps.
PROJECT
Real world application
Skills you'll learn
- Permission Configuration: Control AI tool access with glob pattern deny rules
- Hook Script Development: Write Bash validation scripts that intercept and block dangerous operations
- Red Team Testing: Systematically attack security layers to discover bypass vulnerabilities
- Policy Writing: Create advisory CLAUDE.md guidelines that shape AI coding behavior
- Defense-in-Depth Architecture: Layer multiple security mechanisms to cover complementary attack surfaces
- Security Gap Analysis: Identify and document vulnerabilities in permission-based security systems
Tech stack
- Claude Code: Anthropic AI coding agent with built-in permission system and extensible hook architecture
I never realized how easy it was to bypass permission rules until I built these hooks. This project completely changed how I think about AI security.
Marcus Thompson
DevOps Engineer
OUTCOME
Where this leads.
Relevant Jobs
Roles where these skills matter:
- AI Security Engineer
- DevOps Engineer
- Platform Engineer
- Security Architect
Claude Code Roadmap
Master Claude Code with hands-on projects covering AI-assisted development, custom skills, hooks, and automated workflows
FAQs
Everything you need to know
Yes. This project requires Claude Code access, which is available with Claude Pro ($20/month) or Max ($100/month) subscriptions. All other tools (jq, Bash) are free and open source.
Absolutely. The hooks and settings are portable. Copy the .claude/ directory to any project to apply the same security configuration. Consider customizing the protected file patterns for your specific use case.
Permissions control Claude's built-in tools and prompt for approval. Hooks run custom scripts that can deterministically block actions, including Bash commands, by exiting with code 2. Hooks provide stronger enforcement.
CLAUDE.md is advisory context that Claude reads at session start, similar to a system prompt. There is no mechanism to enforce it with exit codes. Claude may override it based on user requests, which is why defense-in-depth matters.
Hooks provide deterministic enforcement for patterns you define, but they cannot catch novel attack vectors you have not anticipated. Combine hooks with OS-level sandboxing for production deployments.
You have three options: remove the deny rule from settings.json, use a more specific glob pattern that excludes certain .env files, or temporarily disable the hook script. Always verify changes in a test environment first.
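As an added illustration of the hook layer described in these answers (not the project's own scripts, which are written in Bash with jq), here is a PreToolUse hook in Python that reads the tool-call JSON from stdin and exits with code 2 to block. The protected file patterns, directory name and command patterns are assumptions chosen for the example.

```python
#!/usr/bin/env python3
"""PreToolUse hook sketch: exit 2 blocks the tool call, exit 0 lets it proceed."""
import fnmatch
import json
import os
import re
import shlex
import sys

# Constructed policy for illustration; adapt the patterns to your project.
PROTECTED = [".env", ".env.*", "*.pem", "id_rsa"]
PROTECTED_DIRS = {"secrets"}
DANGEROUS = [r"\brm\s+-[a-zA-Z]*r[a-zA-Z]*f", r"\bcurl\b.*\|\s*(ba)?sh\b"]


def is_protected(path: str) -> bool:
    # Normalize first so "./config/../.env" is judged as ".env".
    parts = os.path.normpath(path).split(os.sep)
    if PROTECTED_DIRS.intersection(parts[:-1]):
        return True
    return any(fnmatch.fnmatch(parts[-1], pat) for pat in PROTECTED)


def decide(event: dict) -> tuple[int, str]:
    """Return (exit_code, reason) for one hook event."""
    tool = event.get("tool_name", "")
    args = event.get("tool_input", {}) or {}
    if tool in {"Read", "Edit", "Write"}:
        if is_protected(args.get("file_path", "")):
            return 2, f"blocked: {tool} on protected path"
    elif tool == "Bash":
        cmd = args.get("command", "")
        if any(re.search(p, cmd) for p in DANGEROUS):
            return 2, "blocked: dangerous command pattern"
        try:
            words = shlex.split(cmd)
        except ValueError:
            return 2, "blocked: unparseable command"  # fail closed
        # Best effort: only catches protected names written literally.
        if any(is_protected(w) for w in words):
            return 2, "blocked: command references protected path"
    return 0, ""


if __name__ == "__main__":
    code, reason = decide(json.load(sys.stdin))
    if reason:
        print(reason, file=sys.stderr)  # stderr is returned to Claude on exit 2
    sys.exit(code)
```

Matching on command text only covers the patterns you list, which is why the answers above pair hooks with permission deny rules and OS-level sandboxing.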