Security hooks for the Tatu DevSecOps platform

Project description

tatu-hook

A security hook that evaluates security rules locally and reports events to the Tatu DevSecOps dashboard.

What it does

tatu-hook runs as a Claude Code hook on developer machines. It intercepts tool calls (file writes, shell commands, etc.) and evaluates them against security rules — blocking secrets, destructive commands, PII exposure, and code vulnerabilities in real time.

  • Secrets detection — AWS keys, GitHub tokens, Stripe keys, private keys, passwords
  • PII/LGPD compliance — Brazilian CPF/CNPJ, email addresses, credit cards
  • Destructive command blocking: rm -rf, DROP TABLE, git push --force
  • SAST scanning — SQL injection, XSS, command injection patterns
  • YARA rules — Advanced multi-condition pattern matching

Install

pip install tatu-hook

# With YARA rule support:
pip install "tatu-hook[yara]"

Quick start

Create an API key in the Tatu dashboard (Settings > API Keys), then:

tatu-hook init --api-url https://tatu.your-domain.com --api-key tatu_xxxxx

This creates ~/.tatu/manifest.json, syncs the latest rules, and registers hooks in ~/.claude/settings.json automatically.

Options:

  • --scope project — register hooks in .claude/settings.json (current directory) instead of globally
  • --no-register — skip hook registration (for users who manage settings externally)

How it works

  1. SessionStart — Syncs rules from the Tatu API (version check, downloads only if outdated)
  2. PreToolUse / PostToolUse — Evaluates content against cached rules (regex + optional YARA)
  3. Policy modes:
    • audit (default) — Logs what would be blocked, never denies. Safe for onboarding.
    • strict — Actively blocks Claude Code operations that match rules.
  4. Events are reported asynchronously to the dashboard (fire-and-forget, non-blocking)
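
An added sketch of step 2 and the two policy modes (example code, not tatu-hook's own implementation). The rule ids, the regexes, the `tool_name`/`tool_input` payload shape and the returned fields are assumptions made for illustration, since the page does not show the YAML rule schema.

```python
import re

# Hypothetical rules: the real ones are YAML templates synced to ~/.tatu/rules/,
# whose schema the page does not show. Patterns are simplified illustrations.
RULES = [
    ("secret-aws-access-key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("destructive-rm-rf", re.compile(r"\brm\s+-(?:rf|fr)\b")),
    ("destructive-force-push", re.compile(r"\bgit\s+push\b.*--force\b")),
    ("pii-cpf", re.compile(r"\b\d{3}\.\d{3}\.\d{3}-\d{2}\b")),
]

def extract_text(value):
    """Flatten every string in a nested tool_input (command, path, file content)."""
    if isinstance(value, str):
        return [value]
    if isinstance(value, dict):
        value = list(value.values())
    if isinstance(value, list):
        return [s for item in value for s in extract_text(item)]
    return []

def evaluate(tool_call, mode="audit"):
    """Return the decision for one tool call under the given policy mode."""
    if mode not in ("audit", "strict"):
        raise ValueError(f"unknown policy mode: {mode!r}")
    text = "\n".join(extract_text(tool_call.get("tool_input", {})))
    matched = [rule_id for rule_id, pattern in RULES if pattern.search(text)]
    if not matched:
        action = "allow"
    elif mode == "strict":
        action = "deny"          # strict: the operation is blocked
    else:
        action = "would_block"   # audit: logged only, never denied
    # Report rule ids only, so a matched secret is not copied into the event.
    return {"tool": tool_call.get("tool_name"), "action": action, "rules": matched}

# Constructed sample tool calls (the AWS key is the documentation example key).
SAMPLE_CALLS = [
    {"tool_name": "Bash", "tool_input": {"command": "rm -rf ./build && git push --force origin main"}},
    {"tool_name": "Write", "tool_input": {"file_path": "config.py",
                                          "content": 'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"'}},
    {"tool_name": "Bash", "tool_input": {"command": "ls -la"}},
]

if __name__ == "__main__":
    for mode in ("audit", "strict"):
        for call in SAMPLE_CALLS:
            print(mode, evaluate(call, mode))
```

The same rule match yields `would_block` in audit mode and `deny` in strict mode, which is what makes audit safe to roll out first.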

Local cache

Rules are cached at ~/.tatu/ for offline resilience:

~/.tatu/
├── manifest.json    # Version, API URL, API key
├── rules/           # Synced YAML rule templates
└── yara/            # Synced YARA rules

If the API is unreachable, tatu-hook falls back to cached rules silently.

CLI reference

tatu-hook --version                          # Show version
tatu-hook init --api-url URL --api-key KEY   # Initialize configuration
tatu-hook run --event session-start          # Sync rules on session start
tatu-hook run --event pre                    # Evaluate PreToolUse hook
tatu-hook run --event post                   # Evaluate PostToolUse hook

Requirements

  • Python 3.10+
  • PyYAML 6.0+
  • (Optional) yara-python 4.5+ for YARA rule evaluation

License

MIT

Download files

Source Distribution

tatu_hook-1.0.0.tar.gz (20.3 kB)

Uploaded Source

Built Distribution

tatu_hook-1.0.0-py3-none-any.whl (12.8 kB)

Uploaded Python 3

File details

Details for the file tatu_hook-1.0.0.tar.gz.

File metadata

  • Download URL: tatu_hook-1.0.0.tar.gz
  • Size: 20.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for tatu_hook-1.0.0.tar.gz
Algorithm Hash digest
SHA256 cae85a050e2e96686724dcafdab979c904dc2ed741c30ab21d32f1c8819308f8
MD5 08e4a27f3de0af7e902db53159560d01
BLAKE2b-256 c1062a4305fafaa3136dfd2013a6bfcc66755a9e4c3dc55b43139978be651ff6

Provenance

The following attestation bundles were made for tatu_hook-1.0.0.tar.gz:

Publisher: publish-tatu-hook.yml on laboratoriohacker-com/tatu

File details

Details for the file tatu_hook-1.0.0-py3-none-any.whl.

File metadata

  • Download URL: tatu_hook-1.0.0-py3-none-any.whl
  • Size: 12.8 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for tatu_hook-1.0.0-py3-none-any.whl
Algorithm Hash digest
SHA256 361daeea0720a9542f3dd032cb1e82b6dfdacf2cb4c31ab9b28f3dec73cbc9aa
MD5 f19da902edd71964287f405ae5711fae
BLAKE2b-256 2a863a74d9de38c3798ff8d9e92a0156601779c46abc42b3d1cadf1ae09d3d6e

Provenance

The following attestation bundles were made for tatu_hook-1.0.0-py3-none-any.whl:

Publisher: publish-tatu-hook.yml on laboratoriohacker-com/tatu
