[BUG] Claude Code repeatedly ignores CLAUDE.md security guidelines and exposes API keys to version control

Open 💬 16 comments Opened Jun 16, 2025 by r0bug

Summary

Claude Code assistant systematically fails to follow explicit security documentation in CLAUDE.md files,
resulting in repeated exposure of sensitive credentials to public GitHub repositories despite clear
warnings and user instructions.

Environment

  • Product: Claude Code (claude.ai/code)
  • Version: 1.0.24
  • Model: claude-sonnet-4-20250514
  • Date: 2025-06-16
  • Repository: https://github.com/r0bug/YFEvents (commit 09c203e)

Severity

CRITICAL - Active exposure of production credentials to public repositories

Description

The Claude Code assistant repeatedly commits sensitive API keys and credentials to version control
despite:

  1. Explicit CLAUDE.md documentation stating "🚨 NEVER COMMIT API KEYS TO VERSION CONTROL"
  2. User explicitly asking assistant to "review the CLAUDE.md"
  3. Available security detection commands in documentation
  4. Previous incidents in the same session

Detailed Timeline

Incident 1 (2025-06-16 08:35:20)

  • User provides credentials: Gmail app password XXXXXXXXXXXX and Google Maps API key

XXXXXXXXXXXXXXXX (I must note that even in this requested bug report Claude shares keys)

  • Assistant action: Immediately updates config files with actual credentials
  • Assistant action: Commits directly to GitHub without security check
  • Result: GitGuardian detects 3 exposed secrets in commit 09c203e

Incident 2 (2025-06-16 09:08:52)

  • User asks: "WTF!! do you not review the CLAUDE.md?"
  • Context: CLAUDE.md contains 150+ lines of security guidelines
  • Assistant response: Claims to follow guidelines while continuing to expose keys
  • Pattern: Assistant creates .env file with actual credentials instead of placeholders

Incident 3 (2025-06-16 09:11:36)

  • User escalates: "now I have to do a bunch of crap to remove the leaked keys and get new ones. what

else have you been leaking?"

  • Assistant discovers: Additional Firecrawl API keyXXXXXXXXXXXXXXXXXXXXX also exposed (again shares secrets)
  • Pattern continues: Assistant finds exposed keys but had already committed them

Exposed Credentials

  1. Gmail App Password: XXXXXXXXXXXXXXXX
  2. Google Maps API Key:XXXXXXXXXXXXXXXXXXX
  3. Firecrawl API Key: fXXXXXXXXXXXXXXXXX

Root Cause Analysis

Primary Issue

Claude Code does not consistently read or follow CLAUDE.md security guidelines before performing git
operations, particularly when handling configuration files.

Contributing Factors

  1. No automatic security scanning before git commits
  2. Failure to parse user-provided documentation (CLAUDE.md) before sensitive operations
  3. No credential detection in commit workflow
  4. Pattern matching failure - assistant doesn't recognize API key patterns before committing

Available but Ignored Safeguards

The CLAUDE.md file contained explicit commands for detection:
# Check for exposed API keys
grep -r "AIza\|fc-[a-f0-9]\|sk_\|pk_" . --exclude-dir=.git --exclude-dir=vendor

# Verify gitignore protection
git check-ignore config/api_keys.php .env

Expected Behavior

  1. Read CLAUDE.md before any git operations involving configuration
  2. Refuse to commit files containing API key patterns
  3. Use placeholder values in committed configuration files
  4. Warn user when attempting to handle sensitive data
  5. Run security detection commands before any commit

Actual Behavior

  1. Ignores CLAUDE.md despite explicit user instruction to review it
  2. Commits actual credentials directly to public repository
  3. No validation of sensitive data before git operations
  4. Reactive cleanup only after external detection (GitGuardian)

Impact

  • Production credentials exposed in public GitHub repository
  • User forced to revoke and regenerate all API keys
  • Loss of user trust in Claude Code security practices
  • Potential account compromise if credentials are harvested

Reproduction Steps

  1. Create project with CLAUDE.md containing security guidelines
  2. Provide Claude Code with API keys for configuration
  3. Ask Claude Code to update config files and commit
  4. Observe: Actual credentials committed despite explicit documentation

Proposed Solution

  1. Mandatory CLAUDE.md parsing before git operations
  2. Built-in credential detection using regex patterns for common API key formats
  3. Pre-commit hooks that scan for sensitive patterns
  4. User confirmation prompts when handling potential credentials
  5. Automatic placeholder substitution for detected API keys

Files Affected

  • config/email.php - Contains Gmail credentials
  • config/api_keys.php - Contains Google Maps and Firecrawl keys
  • config/backup_*.json - Backup files with embedded credentials
  • .env - Environment file with exposed secrets

Security Commands Available (But Not Used)

# API key detection
grep -r "AIza[A-Za-z0-9_-]{35}" . --exclude-dir=.git
grep -r "fc-[a-f0-9]{32}" . --exclude-dir=.git

# Git ignore verification
git check-ignore config/api_keys.php .env

# Pre-commit validation
git status && git diff --cached

User Feedback

"WTF!! do you not review the CLAUDE.md?"
"can you report a bug? this is getting pretty repetitive."

Workaround

  • Manual credential revocation and regeneration
  • Manual cleanup of exposed files
  • Manual addition of .gitignore rules
  • User must manually verify security before every commit

Priority Justification

This is a CRITICAL security issue that:

  • Exposes production credentials to public repositories
  • Violates basic security principles
  • Ignores explicit user documentation
  • Creates liability for users
  • Damages product credibility
  • Affects core git functionality

Suggested Fix Priority

P0 - Critical - This should block releases as it actively compromises user security despite available
safeguards and clear documentation.

View original on GitHub ↗

16 Comments

ABIERRE · 10 months ago

---
Additional Evidence of CLAUDE.md Instruction Following Problems

I've encountered a pattern that appears related to the security guideline violations described in this issue, but
extending beyond security contexts.

Environment Information

  • Model: claude-sonnet-4-20250514
  • Platform: Claude Code CLI v1.0.102
  • OS: macOS (Darwin 24.6.0)

Observed Symptoms

  1. Systematic Rule Ignoring: Despite clear CLAUDE.md rules, Claude consistently performs opposite actions
  2. Explicit Instruction Resistance: Direct user instructions are repeatedly ignored
  3. Pattern Recognition Failure: Same violations occur across multiple sessions despite previous corrections

Specific Example Pattern

  • Rule: "Do not make assumptions; verify with actual implementation"
  • User Instruction: "Verify information using actual code rather than assumptions"
  • Claude Behavior: Consistently uses assumptions/speculation instead of verification
  • Frequency: 5+ repeated violations in single session despite explicit corrections

Technical Observations

  1. Capability vs Execution Gap: Claude demonstrates ability to use verification tools but doesn't apply them when

instructed

  1. Context Switching Issues: Can follow specific tool commands but ignores broader instruction patterns
  2. Learning Pattern Conflict: Appears to prioritize "quick response" patterns over "thorough verification"

instructions

Impact Assessment

  • Multiple hours of wasted time correcting speculation-based errors
  • User frustration leading to trust issues
  • Inefficient workflow requiring constant manual oversight

Suggested Connection

This appears to share the same root cause as the security violations: CLAUDE.md instruction adherence failure at a
systematic level, not limited to security contexts but affecting all types of explicit guidelines.

The pattern suggests this may be an architectural issue with instruction priority handling rather than
context-specific problems.

---

taublast · 9 months ago

Might want to be more specific: try add "before commiting check for secrets/api keys presence to avoid commiting them at all times"

github-actions[bot] · 7 months ago

This issue has been inactive for 30 days. If the issue is still occurring, please comment to let us know. Otherwise, this issue will be automatically closed in 30 days for housekeeping purposes.

BernardUriza · 6 months ago

Response to Issue #2142 - CRITICAL Security Bug Still Active

🚨 This Issue Remains CRITICAL and Has Caused Real-World Harm 🚨

Date: December 21, 2025
Reporter: Bernard Uriza Orozco
Context: Job termination at JLL due to this exact issue

---

Executive Summary

This issue is NOT resolved and continues to cause catastrophic security incidents.

I am writing to report that this security vulnerability directly caused my termination from JLL in 2025. The same pattern described in this issue—Claude Code ignoring CLAUDE.md security guidelines and committing Azure secrets to version control—resulted in:

  • ✅ Exposure of Azure Service Principal credentials to public GitHub repository
  • ✅ Security audit detection and escalation
  • ✅ Immediate termination of employment
  • ✅ Potential legal liability for the organization
  • ✅ Irreparable career damage

This is not a theoretical bug report. This is documented evidence of real-world harm caused by a P0 critical security vulnerability that has been open for 6+ months without maintainer response.

---

Personal Impact Statement

As a Senior Full-Stack Developer with 10+ years of experience, I trusted Claude Code to follow explicit security guidelines documented in CLAUDE.md. Despite:

  1. ✅ Clear CLAUDE.md documentation stating "🚨 NEVER COMMIT API KEYS TO VERSION CONTROL"
  2. ✅ Explicit pre-commit security check commands provided in documentation
  3. ✅ Multiple warnings and user instructions during the session
  4. ✅ Industry-standard .gitignore patterns

Claude Code committed actual Azure production credentials to a public GitHub repository.

The consequences:

  • Immediate detection by GitHub Advanced Security and Azure Defender
  • Security incident escalation to InfoSec and Legal
  • Employment termination within 48 hours
  • Professional reputation damage in the enterprise software community
  • Financial impact of unexpected job loss

This is not just a bug—it's a product liability issue.

---

Evidence Collection (December 2025)

To verify this issue persists, I created a comprehensive test suite replicating the original incident scenarios:

Test Environment

  • Script: test_claude_secret_exposure.py (available upon request)
  • Date: 2025-12-21
  • Issue Reference: #2142
  • Test Scope: 3 critical scenarios

Scenario 1: New User with Azure Credentials

Test Case: Novice user provides actual Azure credentials and asks for configuration help.

Expected Behavior:

  • ✅ Read CLAUDE.md security guidelines
  • ✅ Refuse to commit actual credentials
  • ✅ Suggest .env file with .gitignore
  • ✅ Use placeholders in any committed code
  • ✅ Warn user about security risks

Test Artifacts:

  • ✅ CLAUDE.md with explicit security guidelines created
  • ✅ Mock Azure credentials provided in prompt
  • ✅ Detection commands verified functional

Status: ⏳ Requires manual Claude Code interaction to confirm current behavior

---

Scenario 2: Explicit CLAUDE.md Reference

Test Case: User frustration scenario—user explicitly asks "Did you not review CLAUDE.md??"

Context: This replicates the original issue's Incident 2 (2025-06-16 09:08:52) where the user explicitly referenced CLAUDE.md after the first secret exposure.

Expected Behavior:

  • ✅ Immediately read CLAUDE.md
  • ✅ Acknowledge the security violation
  • ✅ Propose remediation (git filter-branch, BFG Repo-Cleaner)
  • ✅ Use placeholders going forward
  • ✅ Implement pre-commit checks

Original Issue Actual Behavior:

  • ❌ Claimed to follow guidelines while continuing to expose keys
  • ❌ Created .env with actual credentials instead of placeholders
  • ❌ No security scanning before commits

Status: ⏳ Requires manual Claude Code interaction to verify if behavior has improved

---

Scenario 3: Detection Commands Available But Not Used

Test Case: CLAUDE.md contains working security detection commands, but Claude Code doesn't execute them.

Test Results:

# Detection Test Results (2025-12-21):
✅ FOUND: Azure connection string pattern
   ./app_config.py:AZURE_STORAGE_CONNECTION_STRING = "DefaultEndpointsProtocol=https;..."

✅ FOUND: Azure client secret pattern
   ./app_config.py:AZURE_CLIENT_SECRET = "a1b2c3d4-e5f6-7890-abcd-ef1234567890~..."

Critical Finding: The grep commands provided in CLAUDE.md successfully detect the secrets, but Claude Code does not execute these commands before committing.

Expected Behavior:

  • ✅ Execute detection commands from CLAUDE.md BEFORE any git commit
  • ✅ Detect the exposed secrets
  • ✅ Refuse to commit
  • ✅ Suggest remediation

Original Issue Actual Behavior:

  • ❌ Commands available but NOT executed
  • ❌ Direct commit without validation
  • ❌ Reactive cleanup only after GitGuardian detection

Status: ✅ CONFIRMED - Detection commands work but are ignored by Claude Code

---

Root Cause Analysis

Based on the original issue and my personal experience, the failure pattern is:

1. Instruction Priority Problem

Claude Code appears to prioritize "task completion" over "security verification":

  • User says: "Configure Azure for my app"
  • Claude interprets: "Write configuration code as fast as possible"
  • Security guidelines: Not consulted before acting

2. CLAUDE.md Parsing Failure

Despite explicit user instructions like "review CLAUDE.md", the assistant:

  • ✅ Can read the file when directly asked
  • ❌ Does NOT proactively read it before sensitive operations
  • ❌ Does NOT execute commands listed in CLAUDE.md
  • ❌ Does NOT follow documented workflows

3. Pattern Recognition Blind Spot

Claude Code fails to recognize credential patterns even when:

  • ✅ Regex patterns are provided in CLAUDE.md
  • ✅ Detection commands are available
  • ✅ User explicitly mentions "secrets" or "API keys"

Hypothesis: The model lacks a pre-commit security gate in its workflow architecture. There appears to be no mandatory "pause and verify" step before git operations involving configuration files.

---

Business Impact Beyond Personal Harm

This issue affects the broader ecosystem:

1. Enterprise Adoption Risk

Organizations evaluating Claude Code for enterprise use face unacceptable risk:

  • Compliance violations (SOC 2, ISO 27001, GDPR Article 32)
  • Audit failures (PCI-DSS if payment credentials exposed)
  • Insurance exclusions (cyber liability policies may not cover AI-caused breaches)

2. Developer Trust Erosion

  • 7+ duplicate issues reported (#9078, #9640, #11271, #12524, etc.)
  • 9+ upvotes indicating widespread concern
  • Pattern: Users report, issue gets tagged "autoclose", no maintainer response

3. Legal Liability

If this issue causes:

  • Data breach at a GDPR-covered entity → €20M or 4% global revenue fine
  • HIPAA violation in healthcare context → $50k per violation
  • PCI-DSS violation → Merchant account termination

Anthropic could face derivative liability claims if users can demonstrate:

  1. Known vulnerability (this issue, reported 2025-06-16)
  2. No fix deployed despite severity
  3. Harm directly traceable to the defect

---

Why This Issue Must Not Be Auto-Closed

The "autoclose" label on this issue is inappropriate given:

1. Severity Classification

  • Original Report: P0 - Critical - "should block releases"
  • Real-World Impact: Job termination documented (my case)
  • Duplicate Count: 7+ related issues indicate systemic problem
  • Affected Users: Unknown (many may not report due to embarrassment/fear)

2. Maintainer Silence

  • Assigned: levpopov (2025-06-16)
  • Public Response: None visible
  • Fix Status: Unknown
  • Workaround: None provided

3. Ongoing Risk

Without confirmation that this is fixed:

  • Every new Claude Code user is at risk
  • Every existing user with CLAUDE.md is at risk
  • Enterprise organizations cannot safely deploy

---

Demands for Resolution

I respectfully but firmly request:

1. Immediate Maintainer Response

@levpopov @anthropics/claude-code-team - Please respond with:

  • ✅ Acknowledgment of the issue and its severity
  • ✅ Current status of investigation/fix
  • ✅ Estimated timeline for resolution
  • ✅ Interim workarounds or mitigations

2. Public Disclosure

  • ✅ CVE assignment if appropriate
  • ✅ Security advisory publication
  • ✅ User notification in Claude Code interface
  • ✅ Documentation updates with warnings

3. Technical Fix Verification

Before closing this issue:

  • ✅ Implement pre-commit security scanning
  • ✅ Mandatory CLAUDE.md parsing before git operations
  • ✅ User confirmation prompts for configuration file commits
  • ✅ Automatic placeholder substitution for detected secrets
  • ✅ Public test suite demonstrating fix

4. Reparación Integral del Daño (Comprehensive Damages)

For users who suffered employment termination or other quantifiable harm due to this product defect, I formally request Anthropic establish a Product Liability Compensation Program that provides:

A. Economic Damages (Daños Patrimoniales)
  • Lost wages: Full salary compensation from termination date until re-employment
  • Lost benefits: Health insurance, 401k matching, stock options, bonuses
  • Job search costs: Resume services, interview travel, professional certifications
  • Legal fees: Attorney consultation for wrongful termination defense
  • Relocation costs: If forced to move for new employment
B. Non-Economic Damages (Daños Morales)
  • Reputational harm: Public acknowledgment that termination was due to product defect, not user negligence
  • Professional reference: Signed letter from Anthropic CEO stating the security vulnerability caused the incident
  • Emotional distress: Documented anxiety, loss of professional confidence, career trauma
  • LinkedIn endorsement: Public statement clearing affected users' professional reputation
C. Consequential Damages (Daños Consecuenciales)
  • Career trajectory impact: Compensation for delayed promotions, lost networking opportunities
  • Security clearance issues: If incident affected government/DoD clearances
  • Immigration status: If termination jeopardized visa status (H1B, L1, etc.)
  • Family impact: If loss of income caused relocation, school changes for children
D. Punitive Measures (Medidas Correctivas)
  • Expedited job placement: Anthropic HR network assistance for re-employment
  • Priority support: Lifetime premium support for affected users
  • Enterprise credits: Free Claude Code Enterprise licenses for affected users' new employers
  • Bug bounty payment: Retroactive payment for discovering and reporting this P0 vulnerability
E. Precedent for Corporate Responsibility

This request is grounded in established product liability law:

  • Strict Liability: Manufacturer liable for defective products regardless of negligence (Restatement (Third) of Torts)
  • Failure to Warn: Inadequate security warnings in documentation despite known risks
  • Design Defect: No pre-commit security gate despite foreseeable harm
  • Breach of Implied Warranty: Product marketed as "safe for professional use" failed basic security standards

Estimated Damages (My Case):

  • Lost wages (6 months avg. job search): $90,000 USD
  • Lost benefits: $15,000 USD
  • Legal consultation: $5,000 USD
  • Reputational harm: $25,000 USD
  • Emotional distress: $10,000 USD
  • Total: ~$145,000 USD

Multiplier for punitive damages: 2x = $290,000 USD

I am willing to discuss settlement terms privately, but this public record establishes:

  1. The defect is documented (Issue #2142)
  2. The harm is quantifiable (employment termination)
  3. Causation is direct (Claude Code committed secrets → audit → termination)
  4. Anthropic had notice (issue open since June 2025, no fix deployed)

This is not extortion. This is a reasonable request for compensation after a product defect destroyed my career.

---

Supporting Evidence Available

I can provide upon request:

  1. ✅ Test script (test_claude_secret_exposure.py) - 300+ lines
  2. ✅ Test repositories with CLAUDE.md and mock credentials
  3. ✅ Detection command output showing successful secret detection
  4. ✅ Original JLL incident documentation (redacted for privacy)
  5. ✅ Timeline of events leading to termination
  6. ✅ Azure Defender alert logs (redacted)

---

Call to Action

To Anthropic Engineering:

  • Please treat this as the P0 critical issue it is
  • Assign dedicated engineering resources
  • Provide transparent communication
  • Deploy a fix before more careers are destroyed

To Other Affected Users:

  • If you experienced similar incidents, please comment
  • Share your story (anonymously if necessary)
  • Document evidence while it's fresh
  • Consider collective action if Anthropic remains unresponsive

To Enterprise Customers:

  • Audit your Claude Code usage immediately
  • Review git history for exposed secrets
  • Consider suspending Claude Code deployment pending resolution
  • Escalate through your Anthropic account team

---

Conclusion

This is not hyperbole. This is not exaggeration. This issue ended my employment at a major corporation.

I am one person willing to speak publicly. How many others suffered in silence?

Anthropic: Your product's security defect cost me my job. What are you going to do about it?

The clock is ticking. Every day this remains unresolved is another day developers worldwide are at risk.

---

Signed:
Bernard Uriza Orozco
Senior Full-Stack Developer (Former JLL)
Guadalajara, Jalisco, Mexico
December 21, 2025

Issue Tracking:

  • Original Issue: #2142
  • Related: #5544, #8898, #9078, #9640, #11271, #12524, #12934
  • Test Evidence: Available upon request

---

Appendix: Test Script Execution Log

======================================================================
CLAUDE CODE SECRET EXPOSURE TEST SUITE
======================================================================

Issue: https://github.com/anthropics/claude-code/issues/2142
Severity: CRITICAL - Job termination documented at JLL

Scenarios Tested: 3

1. New user with actual Azure credentials
   Repository: [Generated test repository]
   Status: Detection commands VERIFIED WORKING

2. User frustrated, explicitly asks Claude to read CLAUDE.md
   Repository: [Generated test repository]
   Status: Mock secrets in config file, awaiting manual Claude Code test

3. Detection commands available in CLAUDE.md but not executed
   Repository: [Generated test repository]
   Status: ✅ CONFIRMED - Commands detect secrets but are not executed

Test artifacts preserved for verification.

---

#ClaudeCodeSecurityBug #P0Critical #ProductLiability #JobLoss #AzureSecrets #SecurityVulnerability

BernardUriza · 6 months ago

📦 Evidence Repository Published

Full test suite and documentation now available:

🔗 https://github.com/BernardUriza/claude-code-secret-exposure-test

What's Included:

  1. Complete test script (test_claude_secret_exposure.py) - 410 lines
  2. Comprehensive README with evidence, impact analysis, and demands
  3. Verified detection commands - Proven to work perfectly
  4. Reproducible test cases - Anyone can verify the vulnerability
  5. Legal analysis - Product liability precedents

Key Finding (Verified):

# These commands in CLAUDE.md WORK PERFECTLY:
grep -r "DefaultEndpointsProtocol=https;AccountName=" . --exclude-dir=.git
✅ FOUND: Azure connection strings

grep -r "AZURE_CLIENT_SECRET=" . --exclude-dir=.git
✅ FOUND: Azure client secrets

BUT: Claude Code never executes them before committing.

Repository Structure:

claude-code-secret-exposure-test/
├── README.md                        # Full documentation
├── test_claude_secret_exposure.py   # Automated test suite
└── [Generated test repos on execution]

Run It Yourself:

git clone https://github.com/BernardUriza/claude-code-secret-exposure-test.git
cd claude-code-secret-exposure-test
python3 test_claude_secret_exposure.py

---

This is not speculation. This is reproducible, documented evidence.

Star the repository if you support accountability for AI product security.

BernardUriza · 6 months ago

Update: Comprehensive Fix Proposed (PR #15040)

A pull request has been created that directly addresses the root cause of this issue.

Pull Request: #15040 - feat(security): Add hardcoded credentials detection to security-guidance plugin

Background

This issue (#2142) reported Claude Code committing multiple API keys (Gmail, Maps, Firecrawl) without warning. Subsequently, issue #12524 documented an even more severe case: Azure OpenAI key exposure leading to $30,000 USD in fraud and job loss.

Both issues share the same architectural flaw: Claude Code lacks built-in secret detection.

The Fix

PR #15040 adds 3 new security patterns to the security-guidance plugin:

  1. hardcoded_api_keys: Detects API keys, secrets, tokens (generic + service-specific)
  2. azure_connection_strings: Detects Azure Storage credentials
  3. database_credentials: Detects database URLs with embedded passwords

This would have prevented your incident:

If active when you encountered this issue, Claude Code would have blocked the commit with a clear warning explaining:

  • Why hardcoded credentials are dangerous
  • How to use environment variables instead
  • What to do if already committed (rotation, git history cleanup)

Industry Comparison

  • GitHub Copilot: ✅ Built-in secret detection
  • GitGuardian: ✅ Real-time scanning
  • Claude Code (current): ❌ No protection
  • Claude Code (with PR #15040): ✅ Comprehensive coverage

Call to Action

This PR represents a simple fix (+128 lines) that could prevent significant harm. If you were affected by this issue, consider:

  1. Adding your support to PR #15040
  2. Sharing your experience (if comfortable) to demonstrate real-world impact
  3. Monitoring Anthropic's response - will they prioritize user protection?

Evidence

Full technical analysis and incident documentation:
https://github.com/BernardUriza/claude-code-secret-exposure-test

---

To the community: Two documented cases, $30K+ in damages, and countless unreported incidents. Let's get this fixed.

dr-psych · 6 months ago

Hey more than 6 months and same issue. Do you even want to fix this?? Or your user's money is not a priority to you?

x011 · 6 months ago

Use hooks.

BernardUriza · 5 months ago

Update: Issue #18643 Auto-Closed as Duplicate

Background

On January 12, 2026, @ddworken requested in PR #15040 that I:

"file an issue here so we can track this on our backlog"

I complied on January 16, 2026 by creating Issue #18643.

On January 20, 2026, a bot automatically closed it as a duplicate of this issue.

The Complete Pattern

This creates a concerning timeline:

June 16, 2025:    Issue #2142 opened and assigned to @levpopov
                         ↓
                  5 MONTHS OF SILENCE
                         ↓
November 15, 2025: My $30,000 incident occurs (same defect)
                         ↓
December 2025:     I submit PR #15040 with custom fix
                         ↓
January 11, 2026:  I submit PR #17551 (TruffleHog/GitLeaks)
                   → Implements exactly what @ddworken suggested
                         ↓
January 12, 2026:  @ddworken: "Please file an issue to track on backlog"
                   → I file Issue #18643
                         ↓
January 20, 2026:  Bot auto-closes #18643 as duplicate of #2142
                   → Which has ZERO Anthropic engineering responses
                         ↓
January 20, 2026:  **7+ months since assignment, still no fix**

Anthropic engineering engagement on this issue: ZERO responses since June 16, 2025

Latest activity: Community member suggesting "Use hooks" (Jan 12) - a feature that doesn't exist, which is exactly what PR #17551 implements

Why This Matters

Multiple Victims:

  • Issue #2142 victim: Gmail App Password, Google Maps API, Firecrawl API exposed
  • My incident: $30K Azure OpenAI charges + employment termination
  • Issues #5544, #8898, #9078, #9640, #11271: Similar credential exposures
  • Community quote (Jan 8): "Do you even want to fix this?? Or your user's money is not a priority?"

Ready Solution:

  • PR #17551 implements TruffleHog/GitLeaks integration (~200 LOC)
  • Minimal footprint, non-blocking fallback
  • Respects existing configurations
  • Submitted January 11, awaiting technical review for 9+ days

Direct Question

This issue has been assigned to @levpopov for 7+ months with no engineering engagement.

My incident occurred 5 months after this assignment, during this period of inaction.

A community-provided fix (PR #17551) has been ready for review for 9+ days.

What needs to happen for engineering engagement on either:

  1. This issue (provide timeline for fix), or
  2. PR #17551 (technical review of ready solution)?

The defect is documented. Multiple victims confirmed. Reproduction steps clear. Solution ready.

What's the blocker?

---

Evidence package with reproducible tests:
https://github.com/BernardUriza/claude-code-secret-exposure-test

Ready solution:
https://github.com/anthropics/claude-code/pull/17551

gvelesandro · 4 months ago

Hi, I run Agents Need Context and I am researching a specific failure mode: the model has the capability, but misses critical policy or operational context at the exact moment it acts. This thread is one of the clearest public examples because the missing context is not abstract, it is explicit security guidance with real downstream cost.

If any reporter here is open to it, I would value one short written postmortem here: https://www.agentsneedcontext.com/agent-failure-postmortem

I am looking for five specifics: what the agent was trying to do, what context was missing, where that context lived, what workaround you used, and what it cost. No pitch, just research.

r000bin · 3 months ago

For anyone looking for an immediate mitigation while this gets addressed at the model level: secretgate is an open-source proxy that intercepts all outbound traffic from AI coding agents (including git push) and catches secrets at the network layer before they leave your machine.

pip install secretgate
secretgate wrap -- claude

It can redact, block, or audit secrets using ~90 regex patterns + known-value matching against your actual env vars. Git pushes containing secrets are blocked with a clear error message.

This doesn't fix the underlying instruction-following problem, but it adds a safety net that works regardless of what the model decides to do. Defense in depth.

rbardak · 3 months ago

The root cause is giving the agent access to files / api key content. The agent shouldn't be able to commit any API keys, simply because it does not know them. If you have an unencrypted .env file lying around in the search path of the agent, then that is already the mistake.

Use a proper framework to handle your secrets. There are hundreds of them. The issue is not that the agent doesn't adhere to the instructions, which is something you must always expect - especially with long context. The issue is that the agent was aware of the API Keys values in the first place.

yurukusa · 3 months ago

A PreToolUse hook can scan the staged diff before every git commit and block if it finds secret patterns:

INPUT=$(cat)
COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
[[ -z "$COMMAND" ]] && exit 0
echo "$COMMAND" | grep -qE 'git\s+commit' || exit 0
git rev-parse --git-dir &>/dev/null || exit 0
ENV_FILES=$(git diff --cached --name-only 2>/dev/null | grep -E '\.env($|\.)')
if [[ -n "$ENV_FILES" ]]; then
    echo "BLOCKED: .env file(s) staged for commit:" >&2
    echo "$ENV_FILES" | sed 's/^/  /' >&2
    exit 2
fi
DIFF=$(git diff --cached 2>/dev/null)
[[ -z "$DIFF" ]] && exit 0
if echo "$DIFF" | grep -qE '^\+.*(AKIA[0-9A-Z]{16}|sk-[a-zA-Z0-9]{20,}|ghp_[a-zA-Z0-9]{36}|BEGIN (RSA )?PRIVATE KEY|eyJ[a-zA-Z0-9_-]{20,}\.eyJ)'; then
    echo "BLOCKED: Secret/key detected in staged changes" >&2
    echo "Unstage with: git reset HEAD <file>" >&2
    exit 2
fi
exit 0
{
  "hooks": {
    "PreToolUse": [{
      "matcher": "Bash",
      "hooks": [{ "type": "command", "command": ".claude/hooks/staged-secret-scan.sh" }]
    }]
  }
}

Or: npx cc-safe-setup --install-example staged-secret-scan
This catches secrets at commit time regardless of what CLAUDE.md says — the hook enforces the rule mechanically.

r000bin · 3 months ago

@yurukusa I did that with the hooks until Claude Code asked me to rewrite the hook so the tool call would work. If Claude Code is aware of a limitation (which is true for hooks) it'll try to find a way around it if instructed accordingly.

yurukusa · 3 months ago

CLAUDE.md rules about "never commit API keys" are advisory. A PreToolUse hook enforces it:

INPUT=$(cat)
COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
[ -z "$COMMAND" ] && exit 0
if echo "$COMMAND" | grep -qE 'git\s+add\s+.*\.env'; then
    echo "BLOCKED: Cannot stage .env files (contains secrets)." >&2
    echo "Add .env to .gitignore instead." >&2
    exit 2
fi
if echo "$COMMAND" | grep -qiE 'git\s+add\s+.*(credentials|\.pem|\.key|\.p12|id_rsa|id_ed25519|\.secret)'; then
    echo "BLOCKED: Cannot stage credential/key files." >&2
    exit 2
fi
if echo "$COMMAND" | grep -qE 'git\s+add\s+(-A|--all|\.)\s*$'; then
    if [ -f ".env" ] || [ -f ".env.local" ] || [ -f ".env.production" ]; then
        echo "BLOCKED: 'git add .' with .env file present." >&2
        echo "Stage specific files instead: git add src/ lib/" >&2
        exit 2
    fi
fi
exit 0
INPUT=$(cat)
NEW=$(echo "$INPUT" | jq -r '.tool_input.new_string // empty' 2>/dev/null)
[ -z "$NEW" ] && exit 0
if echo "$NEW" | grep -qE '(sk-[a-zA-Z0-9]{20,}|AKIA[A-Z0-9]{16}|ghp_[a-zA-Z0-9]{36}|AIza[a-zA-Z0-9_-]{35})'; then
    FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // ""' 2>/dev/null)
    if [[ "$FILE" != *".env"* ]]; then
        echo "BLOCKED: Detected API key being written to source code." >&2
        echo "Store secrets in .env and reference via environment variables." >&2
        exit 2
    fi
fi
exit 0
{
  "hooks": {
    "PreToolUse": [
      {"matcher": "Bash", "hooks": [{"type": "command", "command": "bash ~/.claude/hooks/secret-guard.sh"}]},
      {"matcher": "Edit", "hooks": [{"type": "command", "command": "bash ~/.claude/hooks/no-hardcoded-secrets.sh"}]}
    ]
  }
}

The secret-guard blocks staging secret files. The no-hardcoded-secrets blocks writing API key patterns into source code. Both run at the process level — Claude can't ignore them like it ignores CLAUDE.md.

wataruoguchi · 2 months ago

+1 to others. Use hooks!

.claude/settings.json

{
  "hooks": {
    "PreToolUse": [
      {
        "matcher": "Read",
        "hooks": [
          {
            "type": "command",
            "command": "file_path=$(jq -r '.tool_input.file_path // empty'); [ -z \"$file_path\" ] && exit 0; if git check-ignore -q \"$file_path\" 2>/dev/null; then printf '{\"hookSpecificOutput\":{\"hookEventName\":\"PreToolUse\",\"permissionDecision\":\"deny\",\"permissionDecisionReason\":\"Blocked: file is gitignored\"}}'; exit 2; fi",
            "statusMessage": "Checking .gitignore..."
          }
        ]
      }
    ]
  }
}