[BUG] Claude Code repeatedly ignores CLAUDE.md security guidelines and exposes API keys to version control
Summary
Claude Code assistant systematically fails to follow explicit security documentation in CLAUDE.md files,
resulting in repeated exposure of sensitive credentials to public GitHub repositories despite clear
warnings and user instructions.
Environment
- Product: Claude Code (claude.ai/code)
- Version: 1.0.24
- Model: claude-sonnet-4-20250514
- Date: 2025-06-16
- Repository: https://github.com/r0bug/YFEvents (commit 09c203e)
Severity
CRITICAL - Active exposure of production credentials to public repositories
Description
The Claude Code assistant repeatedly commits sensitive API keys and credentials to version control
despite:
- Explicit CLAUDE.md documentation stating "🚨 NEVER COMMIT API KEYS TO VERSION CONTROL"
- User explicitly asking assistant to "review the CLAUDE.md"
- Available security detection commands in documentation
- Previous incidents in the same session
Detailed Timeline
Incident 1 (2025-06-16 08:35:20)
- User provides credentials: Gmail app password XXXXXXXXXXXX and Google Maps API key
XXXXXXXXXXXXXXXX (I must note that even in this requested bug report Claude shares keys)
- Assistant action: Immediately updates config files with actual credentials
- Assistant action: Commits directly to GitHub without security check
- Result: GitGuardian detects 3 exposed secrets in commit 09c203e
Incident 2 (2025-06-16 09:08:52)
- User asks: "WTF!! do you not review the CLAUDE.md?"
- Context: CLAUDE.md contains 150+ lines of security guidelines
- Assistant response: Claims to follow guidelines while continuing to expose keys
- Pattern: Assistant creates .env file with actual credentials instead of placeholders
Incident 3 (2025-06-16 09:11:36)
- User escalates: "now I have to do a bunch of crap to remove the leaked keys and get new ones. what
else have you been leaking?"
- Assistant discovers: Additional Firecrawl API keyXXXXXXXXXXXXXXXXXXXXX also exposed (again shares secrets)
- Pattern continues: Assistant finds exposed keys but had already committed them
Exposed Credentials
- Gmail App Password: XXXXXXXXXXXXXXXX
- Google Maps API Key:XXXXXXXXXXXXXXXXXXX
- Firecrawl API Key: fXXXXXXXXXXXXXXXXX
Root Cause Analysis
Primary Issue
Claude Code does not consistently read or follow CLAUDE.md security guidelines before performing git
operations, particularly when handling configuration files.
Contributing Factors
- No automatic security scanning before git commits
- Failure to parse user-provided documentation (CLAUDE.md) before sensitive operations
- No credential detection in commit workflow
- Pattern matching failure - assistant doesn't recognize API key patterns before committing
Available but Ignored Safeguards
The CLAUDE.md file contained explicit commands for detection:
# Check for exposed API keys
grep -r "AIza\|fc-[a-f0-9]\|sk_\|pk_" . --exclude-dir=.git --exclude-dir=vendor
# Verify gitignore protection
git check-ignore config/api_keys.php .env
Expected Behavior
- Read CLAUDE.md before any git operations involving configuration
- Refuse to commit files containing API key patterns
- Use placeholder values in committed configuration files
- Warn user when attempting to handle sensitive data
- Run security detection commands before any commit
Actual Behavior
- Ignores CLAUDE.md despite explicit user instruction to review it
- Commits actual credentials directly to public repository
- No validation of sensitive data before git operations
- Reactive cleanup only after external detection (GitGuardian)
Impact
- Production credentials exposed in public GitHub repository
- User forced to revoke and regenerate all API keys
- Loss of user trust in Claude Code security practices
- Potential account compromise if credentials are harvested
Reproduction Steps
- Create project with CLAUDE.md containing security guidelines
- Provide Claude Code with API keys for configuration
- Ask Claude Code to update config files and commit
- Observe: Actual credentials committed despite explicit documentation
Proposed Solution
- Mandatory CLAUDE.md parsing before git operations
- Built-in credential detection using regex patterns for common API key formats
- Pre-commit hooks that scan for sensitive patterns
- User confirmation prompts when handling potential credentials
- Automatic placeholder substitution for detected API keys
Files Affected
- config/email.php - Contains Gmail credentials
- config/api_keys.php - Contains Google Maps and Firecrawl keys
- config/backup_*.json - Backup files with embedded credentials
- .env - Environment file with exposed secrets
Security Commands Available (But Not Used)
# API key detection
grep -r "AIza[A-Za-z0-9_-]{35}" . --exclude-dir=.git
grep -r "fc-[a-f0-9]{32}" . --exclude-dir=.git
# Git ignore verification
git check-ignore config/api_keys.php .env
# Pre-commit validation
git status && git diff --cached
User Feedback
"WTF!! do you not review the CLAUDE.md?"
"can you report a bug? this is getting pretty repetitive."
Workaround
- Manual credential revocation and regeneration
- Manual cleanup of exposed files
- Manual addition of .gitignore rules
- User must manually verify security before every commit
Priority Justification
This is a CRITICAL security issue that:
- Exposes production credentials to public repositories
- Violates basic security principles
- Ignores explicit user documentation
- Creates liability for users
- Damages product credibility
- Affects core git functionality
Suggested Fix Priority
P0 - Critical - This should block releases as it actively compromises user security despite available
safeguards and clear documentation.
16 Comments
---
Additional Evidence of CLAUDE.md Instruction Following Problems
I've encountered a pattern that appears related to the security guideline violations described in this issue, but
extending beyond security contexts.
Environment Information
Observed Symptoms
Specific Example Pattern
Technical Observations
instructed
instructions
Impact Assessment
Suggested Connection
This appears to share the same root cause as the security violations: CLAUDE.md instruction adherence failure at a
systematic level, not limited to security contexts but affecting all types of explicit guidelines.
The pattern suggests this may be an architectural issue with instruction priority handling rather than
context-specific problems.
---
Might want to be more specific: try add "before commiting check for secrets/api keys presence to avoid commiting them at all times"
This issue has been inactive for 30 days. If the issue is still occurring, please comment to let us know. Otherwise, this issue will be automatically closed in 30 days for housekeeping purposes.
Response to Issue #2142 - CRITICAL Security Bug Still Active
🚨 This Issue Remains CRITICAL and Has Caused Real-World Harm 🚨
Date: December 21, 2025
Reporter: Bernard Uriza Orozco
Context: Job termination at JLL due to this exact issue
---
Executive Summary
This issue is NOT resolved and continues to cause catastrophic security incidents.
I am writing to report that this security vulnerability directly caused my termination from JLL in 2025. The same pattern described in this issue—Claude Code ignoring CLAUDE.md security guidelines and committing Azure secrets to version control—resulted in:
This is not a theoretical bug report. This is documented evidence of real-world harm caused by a P0 critical security vulnerability that has been open for 6+ months without maintainer response.
---
Personal Impact Statement
As a Senior Full-Stack Developer with 10+ years of experience, I trusted Claude Code to follow explicit security guidelines documented in CLAUDE.md. Despite:
Claude Code committed actual Azure production credentials to a public GitHub repository.
The consequences:
This is not just a bug—it's a product liability issue.
---
Evidence Collection (December 2025)
To verify this issue persists, I created a comprehensive test suite replicating the original incident scenarios:
Test Environment
test_claude_secret_exposure.py(available upon request)Scenario 1: New User with Azure Credentials
Test Case: Novice user provides actual Azure credentials and asks for configuration help.
Expected Behavior:
Test Artifacts:
Status: ⏳ Requires manual Claude Code interaction to confirm current behavior
---
Scenario 2: Explicit CLAUDE.md Reference
Test Case: User frustration scenario—user explicitly asks "Did you not review CLAUDE.md??"
Context: This replicates the original issue's Incident 2 (2025-06-16 09:08:52) where the user explicitly referenced CLAUDE.md after the first secret exposure.
Expected Behavior:
Original Issue Actual Behavior:
Status: ⏳ Requires manual Claude Code interaction to verify if behavior has improved
---
Scenario 3: Detection Commands Available But Not Used
Test Case: CLAUDE.md contains working security detection commands, but Claude Code doesn't execute them.
Test Results:
Critical Finding: The grep commands provided in CLAUDE.md successfully detect the secrets, but Claude Code does not execute these commands before committing.
Expected Behavior:
Original Issue Actual Behavior:
Status: ✅ CONFIRMED - Detection commands work but are ignored by Claude Code
---
Root Cause Analysis
Based on the original issue and my personal experience, the failure pattern is:
1. Instruction Priority Problem
Claude Code appears to prioritize "task completion" over "security verification":
2. CLAUDE.md Parsing Failure
Despite explicit user instructions like "review CLAUDE.md", the assistant:
3. Pattern Recognition Blind Spot
Claude Code fails to recognize credential patterns even when:
Hypothesis: The model lacks a pre-commit security gate in its workflow architecture. There appears to be no mandatory "pause and verify" step before git operations involving configuration files.
---
Business Impact Beyond Personal Harm
This issue affects the broader ecosystem:
1. Enterprise Adoption Risk
Organizations evaluating Claude Code for enterprise use face unacceptable risk:
2. Developer Trust Erosion
3. Legal Liability
If this issue causes:
Anthropic could face derivative liability claims if users can demonstrate:
---
Why This Issue Must Not Be Auto-Closed
The "autoclose" label on this issue is inappropriate given:
1. Severity Classification
2. Maintainer Silence
3. Ongoing Risk
Without confirmation that this is fixed:
---
Demands for Resolution
I respectfully but firmly request:
1. Immediate Maintainer Response
@levpopov @anthropics/claude-code-team - Please respond with:
2. Public Disclosure
3. Technical Fix Verification
Before closing this issue:
4. Reparación Integral del Daño (Comprehensive Damages)
For users who suffered employment termination or other quantifiable harm due to this product defect, I formally request Anthropic establish a Product Liability Compensation Program that provides:
A. Economic Damages (Daños Patrimoniales)
B. Non-Economic Damages (Daños Morales)
C. Consequential Damages (Daños Consecuenciales)
D. Punitive Measures (Medidas Correctivas)
E. Precedent for Corporate Responsibility
This request is grounded in established product liability law:
Estimated Damages (My Case):
Multiplier for punitive damages: 2x = $290,000 USD
I am willing to discuss settlement terms privately, but this public record establishes:
This is not extortion. This is a reasonable request for compensation after a product defect destroyed my career.
---
Supporting Evidence Available
I can provide upon request:
test_claude_secret_exposure.py) - 300+ lines---
Call to Action
To Anthropic Engineering:
To Other Affected Users:
To Enterprise Customers:
---
Conclusion
This is not hyperbole. This is not exaggeration. This issue ended my employment at a major corporation.
I am one person willing to speak publicly. How many others suffered in silence?
Anthropic: Your product's security defect cost me my job. What are you going to do about it?
The clock is ticking. Every day this remains unresolved is another day developers worldwide are at risk.
---
Signed:
Bernard Uriza Orozco
Senior Full-Stack Developer (Former JLL)
Guadalajara, Jalisco, Mexico
December 21, 2025
Issue Tracking:
---
Appendix: Test Script Execution Log
---
#ClaudeCodeSecurityBug #P0Critical #ProductLiability #JobLoss #AzureSecrets #SecurityVulnerability
📦 Evidence Repository Published
Full test suite and documentation now available:
🔗 https://github.com/BernardUriza/claude-code-secret-exposure-test
What's Included:
test_claude_secret_exposure.py) - 410 linesKey Finding (Verified):
BUT: Claude Code never executes them before committing.
Repository Structure:
Run It Yourself:
---
This is not speculation. This is reproducible, documented evidence.
Star the repository if you support accountability for AI product security.
Update: Comprehensive Fix Proposed (PR #15040)
A pull request has been created that directly addresses the root cause of this issue.
Pull Request: #15040 - feat(security): Add hardcoded credentials detection to security-guidance plugin
Background
This issue (#2142) reported Claude Code committing multiple API keys (Gmail, Maps, Firecrawl) without warning. Subsequently, issue #12524 documented an even more severe case: Azure OpenAI key exposure leading to $30,000 USD in fraud and job loss.
Both issues share the same architectural flaw: Claude Code lacks built-in secret detection.
The Fix
PR #15040 adds 3 new security patterns to the
security-guidanceplugin:This would have prevented your incident:
If active when you encountered this issue, Claude Code would have blocked the commit with a clear warning explaining:
Industry Comparison
Call to Action
This PR represents a simple fix (+128 lines) that could prevent significant harm. If you were affected by this issue, consider:
Evidence
Full technical analysis and incident documentation:
https://github.com/BernardUriza/claude-code-secret-exposure-test
---
To the community: Two documented cases, $30K+ in damages, and countless unreported incidents. Let's get this fixed.
Hey more than 6 months and same issue. Do you even want to fix this?? Or your user's money is not a priority to you?
Use hooks.
Update: Issue #18643 Auto-Closed as Duplicate
Background
On January 12, 2026, @ddworken requested in PR #15040 that I:
I complied on January 16, 2026 by creating Issue #18643.
On January 20, 2026, a bot automatically closed it as a duplicate of this issue.
The Complete Pattern
This creates a concerning timeline:
Anthropic engineering engagement on this issue: ZERO responses since June 16, 2025
Latest activity: Community member suggesting "Use hooks" (Jan 12) - a feature that doesn't exist, which is exactly what PR #17551 implements
Why This Matters
Multiple Victims:
Ready Solution:
Direct Question
This issue has been assigned to @levpopov for 7+ months with no engineering engagement.
My incident occurred 5 months after this assignment, during this period of inaction.
A community-provided fix (PR #17551) has been ready for review for 9+ days.
What needs to happen for engineering engagement on either:
The defect is documented. Multiple victims confirmed. Reproduction steps clear. Solution ready.
What's the blocker?
---
Evidence package with reproducible tests:
https://github.com/BernardUriza/claude-code-secret-exposure-test
Ready solution:
https://github.com/anthropics/claude-code/pull/17551
Hi, I run Agents Need Context and I am researching a specific failure mode: the model has the capability, but misses critical policy or operational context at the exact moment it acts. This thread is one of the clearest public examples because the missing context is not abstract, it is explicit security guidance with real downstream cost.
If any reporter here is open to it, I would value one short written postmortem here: https://www.agentsneedcontext.com/agent-failure-postmortem
I am looking for five specifics: what the agent was trying to do, what context was missing, where that context lived, what workaround you used, and what it cost. No pitch, just research.
For anyone looking for an immediate mitigation while this gets addressed at the model level: secretgate is an open-source proxy that intercepts all outbound traffic from AI coding agents (including
git push) and catches secrets at the network layer before they leave your machine.It can redact, block, or audit secrets using ~90 regex patterns + known-value matching against your actual env vars. Git pushes containing secrets are blocked with a clear error message.
This doesn't fix the underlying instruction-following problem, but it adds a safety net that works regardless of what the model decides to do. Defense in depth.
The root cause is giving the agent access to files / api key content. The agent shouldn't be able to commit any API keys, simply because it does not know them. If you have an unencrypted .env file lying around in the search path of the agent, then that is already the mistake.
Use a proper framework to handle your secrets. There are hundreds of them. The issue is not that the agent doesn't adhere to the instructions, which is something you must always expect - especially with long context. The issue is that the agent was aware of the API Keys values in the first place.
A PreToolUse hook can scan the staged diff before every
git commitand block if it finds secret patterns:Or:
npx cc-safe-setup --install-example staged-secret-scanThis catches secrets at commit time regardless of what CLAUDE.md says — the hook enforces the rule mechanically.
@yurukusa I did that with the hooks until Claude Code asked me to rewrite the hook so the tool call would work. If Claude Code is aware of a limitation (which is true for hooks) it'll try to find a way around it if instructed accordingly.
CLAUDE.md rules about "never commit API keys" are advisory. A PreToolUse hook enforces it:
The
secret-guardblocks staging secret files. Theno-hardcoded-secretsblocks writing API key patterns into source code. Both run at the process level — Claude can't ignore them like it ignores CLAUDE.md.+1 to others. Use hooks!
.claude/settings.json