Security hooks for the Tatu DevSecOps platform

Project description

tatu-hook

A security hook that evaluates security rules locally and reports events to the Tatu DevSecOps dashboard.

What it does

tatu-hook runs as a Claude Code hook on developer machines. It intercepts tool calls (file writes, shell commands, etc.) and evaluates them against security rules — blocking secrets, destructive commands, PII exposure, and code vulnerabilities in real time.

  • Secrets detection — AWS keys, GitHub tokens, Stripe keys, private keys, passwords
  • PII/LGPD compliance — Brazilian CPF/CNPJ, email addresses, credit cards
  • Destructive command blocking — rm -rf, DROP TABLE, git push --force
  • SAST scanning — SQL injection, XSS, command injection patterns
  • YARA rules — Advanced multi-condition pattern matching

Install

pip install tatu-hook

# With YARA rule support:
pip install "tatu-hook[yara]"

Quick start

Create an API key in the Tatu dashboard (Settings > API Keys), then:

tatu-hook init --api-url https://tatu.your-domain.com --api-key tatu_xxxxx

This creates ~/.tatu/manifest.json, syncs the latest rules, and registers hooks in ~/.claude/settings.json automatically.

Options:

  • --scope project — register hooks in .claude/settings.json (current directory) instead of globally
  • --no-register — skip hook registration (for users who manage settings externally)

How it works

  1. SessionStart — Syncs rules from the Tatu API (version check, downloads only if outdated)
  2. PreToolUse / PostToolUse — Evaluates content against cached rules (regex + optional YARA)
  3. Policy modes:
    • audit (default) — Logs what would be blocked, never denies. Safe for onboarding.
    • strict — Actively blocks Claude Code operations that match rules.
  4. Events are reported asynchronously to the dashboard (fire-and-forget, non-blocking)
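
A sketch of the PreToolUse evaluation and the audit/strict split described above, as an added example that is not tatu-hook's own code. The rule ids, the regexes, the `evaluate` function and the payload shape (`tool_name` / `tool_input`) are assumptions for illustration; the schema of the project's YAML rule templates is not shown on this page.

```python
import re

# Hypothetical rules for illustration only; the schema of tatu-hook's synced
# YAML rule templates is not shown on this page.
RULES = [
    ("secret-aws-access-key", r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    ("secret-private-key", r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    ("destructive-rm-rf", r"\brm\s+-[a-zA-Z]*(?:[rR][a-zA-Z]*f|f[a-zA-Z]*[rR])"),
    ("destructive-drop-table", r"(?i)\bdrop\s+table\b"),
    ("destructive-force-push", r"\bgit\s+push\b.*--force\b"),
]
COMPILED = [(rule_id, re.compile(pattern)) for rule_id, pattern in RULES]


def extract_text(value):
    """Flatten every string nested in the tool input into one scan buffer."""
    if isinstance(value, str):
        return value
    if isinstance(value, dict):
        return "\n".join(extract_text(v) for v in value.values())
    if isinstance(value, list):
        return "\n".join(extract_text(v) for v in value)
    return ""


def evaluate(payload, mode="audit"):
    """Return (decision, matched rule ids) for one tool call."""
    text = extract_text(payload.get("tool_input", {}))
    # Report rule ids only, so the matched secret itself never reaches a log.
    findings = [rule_id for rule_id, rx in COMPILED if rx.search(text)]
    if findings and mode == "strict":
        return "deny", findings
    return "allow", findings  # audit: record findings, never deny


# Constructed sample tool calls (the key is AWS's documented example value).
SAMPLES = [
    {"tool_name": "Bash", "tool_input": {
        "command": "rm -rf /tmp/build && git push --force origin main"}},
    {"tool_name": "Write", "tool_input": {
        "file_path": "config.py", "content": 'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"\n'}},
    {"tool_name": "Bash", "tool_input": {"command": "ls -la"}},
]

if __name__ == "__main__":
    for mode in ("audit", "strict"):
        for call in SAMPLES:
            print(mode, call["tool_name"], *evaluate(call, mode))
```

In audit mode the findings list is what would be reported as an event; only strict mode turns the same findings into a deny.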

Local cache

Rules are cached at ~/.tatu/ for offline resilience:

~/.tatu/
├── manifest.json    # Version, API URL, API key
├── rules/           # Synced YAML rule templates
└── yara/            # Synced YARA rules

If the API is unreachable, tatu-hook falls back to cached rules silently.

CLI reference

tatu-hook --version                          # Show version
tatu-hook init --api-url URL --api-key KEY   # Initialize configuration
tatu-hook run --event session-start          # Sync rules on session start
tatu-hook run --event pre                    # Evaluate PreToolUse hook
tatu-hook run --event post                   # Evaluate PostToolUse hook

Requirements

  • Python 3.10+
  • PyYAML 6.0+
  • (Optional) yara-python 4.5+ for YARA rule evaluation

License

MIT

Download files

Source Distribution

tatu_hook-0.2.0.tar.gz (20.3 kB view details)

Uploaded Source

Built Distribution

tatu_hook-0.2.0-py3-none-any.whl (12.8 kB view details)

Uploaded Python 3

File details

Details for the file tatu_hook-0.2.0.tar.gz.

File metadata

  • Download URL: tatu_hook-0.2.0.tar.gz
  • Upload date:
  • Size: 20.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for tatu_hook-0.2.0.tar.gz
Algorithm Hash digest
SHA256 5bd05b23f1e23542aae6460de83502fa0a5d2a7c5348f16d6f9cd99c945b9a57
MD5 6026357fcc1744c9abeedbedb1da1e68
BLAKE2b-256 49b583c335600c28a23cdf1bdae8f9ccff599d95263e5268d71755c6c928de8c

Provenance

The following attestation bundles were made for tatu_hook-0.2.0.tar.gz:

Publisher: publish-tatu-hook.yml on laboratoriohacker-com/tatu

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file tatu_hook-0.2.0-py3-none-any.whl.

File metadata

  • Download URL: tatu_hook-0.2.0-py3-none-any.whl
  • Upload date:
  • Size: 12.8 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for tatu_hook-0.2.0-py3-none-any.whl
Algorithm Hash digest
SHA256 0b2bb6bdb1a8673502a12b23a3f4ecb2d242ba13b35a8cd08442304d44076982
MD5 3c6177f1db0b5d2588c051ef0b46aca6
BLAKE2b-256 2817c469e2d262a8cc30c6555915daf45577ff62040cbd38630aca7d6ae74b25

Provenance

The following attestation bundles were made for tatu_hook-0.2.0-py3-none-any.whl:

Publisher: publish-tatu-hook.yml on laboratoriohacker-com/tatu

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
