Skip to content

aanjaneyasinghdhoni/ClaudeSec

ClaudeSec

CI CodeQL License: AGPL v3 Node.js

A zero-config, fully-local security observatory for AI coding agents.

Claude Code, GitHub Copilot CLI, and Codex all write full session transcripts to disk as they work. ClaudeSec tails those transcripts in real time — across every repo on your machine — and surfaces what your agents are actually doing: every tool call, every command, every file touched, scored live against ~639 built-in threat-detection rules. Nothing ever leaves your computer.


Run it

From a fresh clone, one command does everything — checks Node, enables pnpm, installs deps on first run, builds and serves the production app (zero-config), prints which agents it can see, and opens the dashboard:

git clone https://github.com/aanjaneyasinghdhoni/ClaudeSec.git
cd ClaudeSec
./start.sh

Then open http://localhost:3000. No environment variables, no shell edits, no agent restart — the watcher picks up sessions that were already running. The dashboard starts empty — it only shows your own agent activity as it happens.

Two alternatives, same script:

  • ./start.sh --docker — run headless via docker compose up. Docker ingests via OTLP only; it cannot read your machine's transcripts, so point agents at it over OTLP.
  • ./start.sh --demo — bring up the dashboard plus a separate demo container on :3001, pre-seeded with synthetic data on its own isolated volume — safe to show to others. The default ./start.sh and --docker paths never seed this synthetic data; only --demo does, on its own container. Any synthetic rows can be removed anytime from Settings → Data → Clear demo data.

better-sqlite3 builds a native module on install. On macOS, run xcode-select --install if the build fails; on Linux, install build-essential.

Windows

The one-command ./start.sh is a Bash script and the local path compiles native modules, so the recommended way to run ClaudeSec on Windows is Docker Desktop:

git clone https://github.com/aanjaneyasinghdhoni/ClaudeSec.git
cd ClaudeSec
docker compose up

Then open http://localhost:3000. Docker ingests via OTLP only, so point your agents at it over OTLP — the on-disk transcript watcher and the Processes tab are not available on the Windows native path. To run natively instead (PowerShell, no Docker) you need Git Bash or WSL to invoke start.sh, plus the Visual Studio Build Tools "Desktop development with C++" workload and Python so better-sqlite3 and re2 can compile.


What you get

  • Live timeline & orchestration — tool calls streaming in with nanosecond durations, per-agent tool inventory, a command-audit trail, and a sensitive-file-access panel.
  • ~639 built-in threat rules (~183 core + ~456 extra) — CRITICAL / HIGH / MEDIUM / LOW regex rules for prompt injection, credential theft, reverse shells, supply-chain attacks, exfiltration, SSRF, container escape, and more. The CRITICAL tier is reserved for active secret exfiltration — a credential or .env being transmitted off the machine. RE2-compiled (linear-time), with a ReDoS self-test gate.
  • Enforcement — an opt-in Claude Code PreToolUse hook and a cross-agent MCP proxy can block a tool call before it runs. Register the hook with one command (node cli/init.mjs install-hook); the dashboard then confirms it's wired up. monitor by default (with an always-on catastrophic floor); enforce actively denies. Fail-open by design.
  • MCP / skill scanner — statically scans installed MCP server configs and Claude skills for tool-poisoning, prompt injection, hardcoded secrets, and suspicious launch commands.
  • Honeytokens — plant canary strings; any span containing one fires a HIGH exfiltration alert.
  • Optional LLM-as-judge — off by default, on-demand, local-first semantic classification.
  • Three agent harnesses — Claude Code, GitHub Copilot CLI, and Codex, auto-detected from on-disk transcripts. Remote and CI agents stream in over OTLP into the same pipeline.
  • Cost view — token usage and API-equivalent cost per session and model, with subscription-plan awareness (API / Pro / Max 5× / Max 20×).
  • Integrations — Prometheus metrics (/metrics), webhooks (Slack / Discord / JSON), graph export, and an 11-tool MCP server at POST /mcp.
  • Triage tooling — bookmarks, tags, annotations, session labels, custom rules with a live tester, and a process scanner that can kill / pause / resume agent CLIs.

Privacy & security

ClaudeSec reads sensitive material — your agents' commands, prompts, and file contents — so it is local-first by construction. The server binds 127.0.0.1 only by default. Secret scrubbing redacts known secret shapes, home paths, usernames, and emails before anything is stored, broadcast, or exported. No egress: the only optional outbound paths (OTEL_FORWARD_URL, CLAUDESEC_WEBHOOK_URL, CLAUDESEC_JUDGE_URL) are off unless you set them, and all are SSRF-guarded. The SQLite database is created 0600.

For how these controls map to SOC 2, ISO 27001, GDPR, NIST AI RMF, and others, see COMPLIANCE.md.


Documentation

Full docs build into the dashboard's Docs tab (including the changelog). The MDX source lives under docs/:


Contributing

Contributions are welcome — see .github/CONTRIBUTING.md. Run pnpm lint (TypeScript type-check) and pnpm test (rule self-test gate) before opening a PR.

To report a vulnerability, see .github/SECURITY.md.


License

AGPL-3.0-only — copyright 2026 The ClaudeSec Authors. Commercial and dual-licensing options are documented in .github/LICENSING.md.

Authored by withkarann and aanjaneyasinghdhoni.

About

Real-time AI agent observability dashboard — visualises OpenTelemetry traces as a communication graph with built-in security threat detection

Resources

License

Code of conduct

Contributing

Security policy

Stars

19 stars

Watchers

1 watching

Forks

Packages

 
 
 

Contributors