I write a ton of Go and Java code using Claude Code and most often it recommends packages etc that are out of date, and vulnerable. One approach I have is to use pre-commit , and then create a .pre-commit-config.yaml in the root of the project looking something like this: — repos: - repo: https://github.com/pre-commit/pre-commit-hooks rev: v5.0.0 hooks: - id: trailing-whitespace - id: end-of-file-fixer - id: check-yaml - id: check-merge-conflict - repo: https://github.com/golangci/golangci-lint rev: v1.64.0 hooks: - id: golangci-lint args: [–timeout=5m] - repo: https://github.com/igorshubovych/markdownlint-cli rev: v0.43.0 hooks: - id: markdownlint - repo: https://github.com/adrienverge/yamllint rev: v1.35.1 hooks: - id: yamllint - repo: local hooks: - id: vale-sync name: vale sync (download styles) language: system entry: vale sync pass_filenames: false always_run: true - repo: https://github.com/errata-ai/vale rev: v3.10.0 hooks: - id: vale args: [–config=.vale.ini] - repo: local hooks: - id: govulncheck name: govulncheck language: system entry: govulncheck ./… pass_filenames: false types: [go] - id: go-test name: go test -short language: system entry: go test -short ./… pass_filenames: false types: [go] For Java, Python, .NET etc you’ll need to update it with the respective tools. The short story is to always upgrade your packages (on your default branch; perhaps not on a release branch), perform vulnerability scans, and basic quality checks before commit. Claude Code suggests code from its training which lacks security rigor or has vulnerabilities. The commit fails, which allows Claude Code to detect the issues and fix it. Unlike Claude Hooks, we’re not getting in the way of it editing files etc. and thus saving tokens. I found that skills etc makes no material impact on quality; its it or miss. You can install pre-commit on your machine on macOS brew install pre-commit or via pip (or pip3 depending on your host) pip install pre-commit Then setup a global directory for git-hooks pre-commit init-templatedir ~/.git-template git config --global init.templateDir ~/.git-template So whenever you clone a repository or create a new one, pre-commit will be invoked and if there’s a configuration file, it will run. In the case of Go, I use golangci-lint , which ensures the Go code meets a certain quality, which is almost always better than what Claude Code produces. You can also use act to test GitHub Actions, and actlint to make sure Claude produces reasonable GitHub Actions etc. Vale is used to fix my Suf Efrikan English from time to time, trying to keep it simple, free of jargon etc. It also helps Claude with its writing, especially when the audience speaks different flavors of English, or English is a distant 3rd language. Another tool to incorporate in your pre-commit configuration is checkov , which will not only catch IaC issues, but also catch stuff related to GitHub Actions and whatnot. This helps Claude Code to produce more secure code and configurations, rather than the slop one would find on the internet. For Go, I also use a make file to control what actions Claude can take, and then deny all go commands, redirecting Claude Code to use the makefile. This prevents the case where Claude Code creates binaries all over the place, and whatnot. It also forces Claude when it wants to build the code to go through security scanning and vulnerability management (which also happens during commit) to address any issues. If you use Java with Maven for example, you can integrate these checks into Maven such that mvn clean verify behaves the same way as the Makefile, ensuring we do vulnerability checks, security scans and whatnot. Better yet, ask Claude Code to generate the necessary configurations etc, test it out, and tell it your preferences. I found that this is far more effective that adding Claude hooks to format, scan code and whatnot. My token usage is also much lower it seems. And it also helps when I work on the codebase. This old fart can’t always keep up with all the latest packages and whatnot. And naturally, you’ll do your own review, as well as ask an AI assistant to perform more reviews. This works regardless of the AI assistant you’re using or the model you’re using. Even Opus 4.6 generates insecure and vulnerable code based on its training. Its not a silver bullet (anyone old enough to remember that paper?), but it will nudge Claude Code in the right direction. submitted by /u/bloudraak
Originally posted by u/bloudraak on r/ClaudeCode
You must log in or # to comment.