Security & secret guard

A built-in guard that stops secrets, keys, env files, and your own private data from ever being committed or published — across all content, every time.

cckit’s guard checks code, docs, the cookbook, examples, and templates. It runs in the local gate and as a pre-commit hook, so a leak is caught before it leaves your machine.

  • Forbidden files: .env* (including .env.example), *.pem / *.key / keystores, id_rsa, .netrc, *.tfvars, project id dumps.
  • Secret content — provider key prefixes, private-key blocks, JWTs, and secret-looking assignments. Placeholders like <...>, ${...}, and YOUR_… are allowed.
  • Your private terms — a denylist you control (below).

Nothing project-specific is hardcoded in cckit. You declare what is private to you.

  1. Copy the example: cp privacy-denylist.example .cckit/privacy-denylist (the target is gitignored).

  2. List your terms — org names, hosts, emails, anything private to you, one per line.

  3. Commit something — the guard fails if any term appears in a tracked file.

cckit ships the list empty — it never guesses what is yours.
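
The three check classes listed above (forbidden file names, secret content with the placeholder exemption, and the private denylist) can be sketched as one scanner. This is an added example, not cckit's own code: the regexes, the function names `scan` and `load_denylist`, the comment-skipping rule, and the case-insensitive term match are all assumptions, and the sample strings are constructed.

```python
import fnmatch
import re

# Filename patterns from the list above. "keystores" and "project id dumps"
# have no pattern on the page, so they are not modelled here.
FORBIDDEN = [".env*", "*.pem", "*.key", "id_rsa", ".netrc", "*.tfvars"]

# Assumed detection regexes, for illustration only (not cckit's rules).
PRIVATE_KEY = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
JWT = re.compile(r"\beyJ[\w-]{8,}\.[\w-]{8,}\.[\w-]{8,}")
ASSIGNMENT = re.compile(
    r"\b[\w.-]*(?:secret|token|password|api[_-]?key)[\w.-]*\s*[:=]\s*"
    r"[\"']?([^\s\"']{8,})", re.IGNORECASE)
# Placeholder shapes the page says are allowed: <...>, ${...}, YOUR_...
PLACEHOLDER = re.compile(r"^(?:<.*>|\$\{.*\}|YOUR_\w*)$")


def load_denylist(text):
    """One term per line; skipping blanks and '#' comments is an assumption."""
    lines = (line.strip() for line in text.splitlines())
    return [t for t in lines if t and not t.startswith("#")]


def scan(path, text, denylist=()):
    """Return (rule, detail) findings for one tracked file."""
    findings = []
    name = path.rsplit("/", 1)[-1]
    findings += [("forbidden-file", p) for p in FORBIDDEN
                 if fnmatch.fnmatchcase(name, p)]
    for lineno, line in enumerate(text.splitlines(), 1):
        if PRIVATE_KEY.search(line):
            findings.append(("private-key", lineno))
        if JWT.search(line):
            findings.append(("jwt", lineno))
        m = ASSIGNMENT.search(line)
        if m and not PLACEHOLDER.match(m.group(1)):
            findings.append(("secret-assignment", lineno))
        # Case-insensitive substring match is an assumption.
        findings += [("private-term", lineno) for t in denylist
                     if t.lower() in line.lower()]
    return findings


if __name__ == "__main__":
    # Constructed sample: a hard-coded credential in a source file.
    print(scan("src/app.py", 'db_password = "hunter2-prod-9931"\n'))
```

Note that `.env.example` is flagged by file name even when its content holds only placeholders, which matches the forbidden-files rule above.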

The guard runs in two places:

| Where | What it is | How to enable |
| --- | --- | --- |
| Local gate | scripts/check.sh | Runs as part of the check suite |
| Pre-commit hook | githooks/pre-commit | git config core.hooksPath githooks |

A finding blocks the commit. The guard is not optional and is not bypassed by the permission consent described in Config & permissions.

Open a private security advisory on the repository (Security → Advisories), or a regular issue if it is low-risk. Do not include secrets or exploit details in a public issue.

Independent, educational project — not affiliated with or endorsed by Anthropic. Claude and Claude Code are trademarks of Anthropic PBC.

From Mexico with love by josegtz