Safeey.io
Developer Tools

Claude Code + safeey-cli: Catch Vulnerabilities Before You Ship

Claude Code can write, refactor, and ship code astonishingly fast. But speed cuts both ways: the faster code gets generated, the faster insecure code can slip into your project. The fix isn't to slow down — it's to put a security check inside the loop, so every change Claude makes gets scanned, and anything risky gets fixed, automatically.

That's exactly what safeey-cli and Claude Code do well together. safeey-cli reads your source code and flags security issues — SQL injection, hardcoded secrets, dangerous defaults, vulnerable dependencies — with the exact line and the fix. Claude Code is brilliant at applying fixes. Wire them together and you get a self-checking, self-correcting workflow.

Here are three ways to do it, from simplest to fully automatic.

First, install the tool

safeey-cli is a normal global CLI, so Claude Code can run it like any other command:

npm install -g safeey-cli

That's it — safeey scan . now works from any terminal, including the one Claude Code drives.

Approach 1: Tell Claude in CLAUDE.md

The quickest integration is to add an instruction to your project's CLAUDE.md — the file Claude Code reads for project context and conventions. Add a short security section:

## Security
- After implementing or changing a feature, run `safeey scan .`
- Fix every CRITICAL and HIGH finding before considering the task done.
- Re-run the scan to confirm the grade improved.

Now, as Claude works on your project, it will generally run safeey-cli and address what it finds — because you told it to, in the place it looks for guidance.

The honest caveat: CLAUDE.md instructions are usually followed but not guaranteed. They're high-quality suggestions, and a capable model follows them most of the time — but under a long context or an unusual task, the step can get skipped. If "most of the time" is good enough for you, this is the lowest-effort setup. If you want "every time," read on.

Approach 2: A custom slash command

If you'd rather trigger the scan-and-fix on demand, make it a slash command. Create a file at .claude/commands/safeey.md:

Run `safeey scan .` and fix every finding it reports. For each issue,
apply the recommended fix, then re-run the scan and confirm the grade
improved. Report the before-and-after grade.

Now typing /safeey in Claude Code kicks off a complete audit-and-fix pass whenever you want one — a nice checkpoint before committing or opening a pull request.

Approach 3: Hooks — automatic and guaranteed

For a check that runs every time Claude finishes, without you or the model having to remember, Claude Code has hooks: shell commands that execute deterministically at points in its lifecycle. Unlike CLAUDE.md, hooks always run.

The perfect fit here is a Stop hook — it fires when Claude tries to finish responding. We'll have it run safeey-cli, and if the scan finds issues, send them back to Claude and keep it working until they're fixed.

Create a small script at .claude/hooks/safeey-check.sh:

#!/usr/bin/env bash
input=$(cat)

# Prevent infinite loops: if we already blocked once this turn, let it stop.
if [ "$(echo "$input" | jq -r '.stop_hook_active')" = "true" ]; then
  exit 0
fi

output=$(safeey scan . --fail-on high 2>&1)
if [ $? -eq 0 ]; then
  exit 0   # clean scan — allow Claude to finish
fi

# Issues found — hand them back and keep Claude working.
jq -n --arg r "safeey-cli found security issues:

$output

Fix each finding above, then finish." '{decision:"block", reason:$r}'

Make it executable (chmod +x .claude/hooks/safeey-check.sh), then register it in .claude/settings.json:

{
  "hooks": {
    "Stop": [
      {
        "hooks": [
          { "type": "command", "command": "$CLAUDE_PROJECT_DIR/.claude/hooks/safeey-check.sh" }
        ]
      }
    ]
  }
}

Now the loop runs itself: Claude finishes a task → the hook scans the code → if there's a high-severity issue, Claude is handed the findings and told to fix them → it fixes and tries to finish again → the hook re-scans → once it's clean, Claude is allowed to stop. You get AI that verifies and corrects its own security posture before declaring done.

The stop_hook_active check is important — it's the guard that prevents an infinite scan-fix-scan loop. And because safeey-cli only reads your code (it never modifies anything), it's completely safe to run automatically as a hook.

If you'd rather scan after each edit instead of at the end, use a PostToolUse hook matching Write|Edit|MultiEdit — though scanning once at the Stop event is usually cleaner, since it checks the finished state rather than every intermediate keystroke.

Who fixes what

It's worth being precise about the division of labour, because it's what makes this reliable:

  • safeey-cli finds. It's deterministic and rule-based — it points at an exact line, names the issue, and explains the fix. It doesn't guess, and it doesn't change your code.
  • Claude Code fixes. It reads safeey-cli's plain-English findings and applies the corrections — which is exactly the kind of well-scoped task LLMs are excellent at.

That separation is the whole point. You're not asking an AI to judge whether code is secure (where models are unreliable). You're using a precise scanner to find the problems, and the AI to fix them once they're clearly identified. Detection stays deterministic; correction stays fast.

A note on trust

Automating security checks into your AI workflow is one of the highest-leverage things you can do when building with a coding agent. AI generates code quickly, and a meaningful share of it ships with vulnerabilities — so the more you can automate verification of that output, the safer and better it gets. A Stop hook that scans every finished task turns "I hope Claude wrote that securely" into "Claude can't finish until it's secure."

Get started

npm install -g safeey-cli

Then pick your level: a line in CLAUDE.md, a /safeey command, or the Stop hook for hands-off enforcement. For the full list of hook events and options, see Claude Code's hooks documentation. And pair it with a Safeey site scan to check your live deployment from the outside, too — your code and your running app, both covered.

Found this useful? Share it.

See what your site exposes

Safeey runs 1,700+ checks and shows you exactly what an attacker would find — with the fixes.

Scan your site