{"slug": "audit-claude-code-permissions-from-vanta", "title": "Audit Claude Code Permissions from Vanta", "summary": "Vanta released GrantGuard, an open-source tool that audits and cleans up permission allowlists built by Claude Code. The tool classifies granted permissions into risk groups and provides a local web UI for one-click removal of unsafe grants, addressing security risks from unchecked permissions in Claude settings files.", "body_md": "Audit, review, and clean up your Claude Code standing permissions.\n\nGrantGuard audits the permission allowlist that Claude Code builds up as you click \"always allow.\"\nHidden away in settings files that are rarely audited, these permissions strings can contain\nsubstantive risks: API keys once pasted into a command, unrestricted `git push`\n\n, commands that read\nyour OS credential store, common destructive commands, and more.\n\nGrantGuard classifies and groups granted permissions into risk groups, with a UI for easy review and one-click removal of unsafe or unwanted permission grants.\n\nGrantGuard runs as a small local Python app using Python's standard library and browser-native HTML/CSS/JS. GrantGuard does not install or load third-party runtime Python packages, npm packages, web UI frameworks, or CDN-hosted scripts.\n\n**Cross-platform.** Works on macOS, Linux, and Windows.**No third-party runtime packages.** Uses Python 3.10+ standard library code and browser-native HTML/CSS/JS. No`pip install`\n\n, no`npm install`\n\n, no build steps, and no CDN-loaded browser libraries.**Runs locally.** The web UI binds to`127.0.0.1`\n\nand makes no network calls. Your settings never leave the machine, and secrets are redacted in outputs.**Safe by default.** Auditing is read-only. Removals happen only when you confirm them, and they're non-destructive — Claude re-asks for anything removed, so you can re-approve it.\n\n- a Python package and project manager, a modern best-in-class standard for python projects. GrantGuard uses`uv`\n\n`uv run`\n\nas its supported launch path, allowing consistent and convenient execution across MacOS, Linux, and Windows.`git`\n\n- for cloning this repo- A supported browser for the Web UI\n\nGrantGuard uses browser-native HTML/CSS/JS and is intended for current stable versions of Chrome, Edge, Firefox, and Safari.\n\n-\nIf you haven't already,\n\n[install](https://github.com/astral-sh/uv#installation).`uv`\n\n-\nClone this repo\n\n```\ngit clone https://github.com/VantaInc/grantguard.git\n```\n\n-\nRun the web UI\n\n```\ncd grantguard\nuv run grantguard.py\n```\n\nBy default, GrantGuard reviews user-level Claude settings sources only. It does not infer a project from the directory where you launch it, and it does not walk project directories unless you ask it to.\n\n```\nuv run grantguard.py ui [TARGET ...] [--targets PATH] [--scan | --deep-scan] [--tolerance default|permissive] [--port PORT] [--no-open]\nuv run grantguard.py audit [TARGET ...] [--targets PATH] [--scan | --deep-scan] [--tolerance default|permissive] [--show-safe] [--fix]\n```\n\nWith no targets and no scan flag, GrantGuard inspects:\n\n`~/.claude/settings.json`\n\n`~/.claude/settings.local.json`\n\n`~/.claude.json`\n\n- the platform managed settings file, if present\n\nAn empty selection is a successful empty audit. GrantGuard prints that no Claude\nsettings sources were found and exits `0`\n\n.\n\n```\nuv run grantguard.py audit\n```\n\nTargets may be passed positionally or with repeatable `--targets PATH`\n\n; both\nforms behave identically.\n\n```\nuv run grantguard.py audit /path/to/repo\nuv run grantguard.py audit --targets /path/to/repo\nuv run grantguard.py audit --targets /repo/a --targets /repo/b\n```\n\nUse `--scan`\n\nto shallowly discover `.claude/settings*.json`\n\nbelow one or more\ntarget roots:\n\n```\nuv run grantguard.py audit --scan --targets /path/to/workspace\n```\n\nUse `--deep-scan`\n\nfor deeper discovery under target roots, or without targets\nfor broad discovery:\n\n```\nuv run grantguard.py audit --deep-scan --targets /path/to/workspace\nuv run grantguard.py audit --deep-scan\nuv run grantguard.py audit --tolerance default\nuv run grantguard.py audit --tolerance permissive\n```\n\n`default`\n\nflags high-risk findings and overbroad wildcard rules. `permissive`\n\nkeeps overbroad wildcard rules and flags only higher-risk findings.\n\n`audit`\n\nis read-only unless `--fix`\n\nis present.\n\n```\nuv run grantguard.py audit --fix\nuv run grantguard.py audit --tolerance permissive --fix\n```\n\n`audit --fix`\n\nwrites to editable Claude settings files in scope and removes all\nflagged rules selected by the active tolerance. Managed settings and\n`~/.claude.json`\n\nare reported as read-only and are not modified.\n\n| Code | Meaning |\n|---|---|\n`0` |\nNo flagged findings, empty audit, or requested fix completed successfully |\n`1` |\nFindings found in read-only audit, editable findings remain, or a write failed |\n`2` |\nInvalid CLI usage, such as `--scan` without targets |\n\n| Category | Verdict | Example |\n|---|---|---|\n| 🔑 Inline credential or API key | remove | `curl -H \"Authorization: Bearer <token>\" …` |\n| 🗝️ Credential-store read | remove | `security find-generic-password *` (macOS), `secret-tool …` (Linux), `cmdkey` (Windows) |\n| 💣 Destructive wildcards | remove | `git reset *` , `rm -rf …` , `pkill` |\n| 🚀 Unprompted remote push | remove | `git push *` |\n| 🌫️ Overly broad wildcards | review | `npm install *` , `gh api *` |\n| ✅ Scoped or read-only | keep | `Bash(npm run build)` , `Read(...)` |\n\nUse `--tolerance permissive`\n\nto treat the \"review\" category as safe and act only\non the \"remove\" categories.\n\nGrantGuard parses each settings file and classifies every `allow`\n\nrule with regular\nexpressions. The first matching pattern wins, and the most severe match decides the\nverdict. When you apply removals, it rebuilds the `allow`\n\narray from the rules you kept\nand re-serializes the JSON, so the output is always well-formed.\n\nThis is pattern matching, so treat the results as guidance. GrantGuard reports risky\npermissions; it cannot block an action while an agent is running. For controls that are\nenforced at runtime, deploy an organization-managed `managed-settings.json`\n\nwith\n`permissions.deny`\n\nrules and `PreToolUse`\n\nhooks, which apply regardless of what the\nagent decides. See [ docs/enforced-controls.md](/OpenVanta/GrantGuard/blob/main/docs/enforced-controls.md).\n\nGrantGuard is scoped to local Claude Code permission allowlists. It reads settings to classify\n`permissions.allow`\n\nrules, plus the `allowedTools`\n\nentries it knows how to surface from\n`~/.claude.json`\n\n.\n\n| Claude Code source | Location or pattern | Read by GrantGuard? | Modified by GrantGuard? |\n|---|---|---|---|\n| User settings | `~/.claude/settings.json` (`%USERPROFILE%\\.claude\\settings.json` on Windows) |\nYes, by default and when passed explicitly | Yes, but only selected `permissions.allow` entries after confirmation or `--fix` |\n| Home-local grants | `~/.claude/settings.local.json` |\nYes, by default and when passed explicitly | Yes, but only selected `permissions.allow` entries after confirmation or `--fix` |\n| Project shared settings | `<repo>/.claude/settings.json` |\nYes, when a target repo is passed explicitly or discovered with `--scan` / `--deep-scan` |\nYes, but only selected `permissions.allow` entries after confirmation or `--fix` |\n| Project local settings | `<repo>/.claude/settings.local.json` |\nYes, when a target repo is passed explicitly or discovered with `--scan` / `--deep-scan` |\nYes, but only selected `permissions.allow` entries after confirmation or `--fix` |\n| Claude state file | `~/.claude.json` |\nYes, by default and during broad `--deep-scan` ; top-level `allowedTools` and `projects[*].allowedTools` are surfaced, and other state is ignored |\nNo; GrantGuard reports this as read-only because the file also contains unrelated Claude Code state |\n| File-based managed settings | macOS `/Library/Application Support/ClaudeCode/managed-settings.json` ; Linux/WSL `/etc/claude-code/managed-settings.json` ; Windows: GrantGuard currently checks `C:\\ProgramData\\ClaudeCode\\managed-settings.json` |\nYes, if the platform-specific file GrantGuard knows about exists | No; GrantGuard reports recognized managed settings as read-only |\n| File-based managed drop-ins | `managed-settings.d/*.json` beside `managed-settings.json` |\nNo | No |\n| Server-managed settings | Delivered by the Claude.ai admin console, with no local JSON file to inspect | No | No |\n| MDM / OS policy settings | macOS `com.anthropic.claudecode` managed preferences; Windows `HKLM` / `HKCU` policy registry |\nNo | No |\n\nGrantGuard runs entirely on your machine. The UI server binds to `127.0.0.1`\n\n, makes no\noutbound network calls, and the only files it opens are Claude Code settings files\n(`.claude/settings*.json`\n\n) plus the read-only Claude state file (`~/.claude.json`\n\n) when\nit is in scope. By default it checks only user-level settings sources. Directory traversal\nhappens only when you pass `--scan`\n\nor `--deep-scan`\n\n; broad scans skip generated,\nvendored, and tool-managed trees such as dependency caches and editor extensions. On\nmacOS, scans also skip privacy-sensitive home and `~/Library`\n\nfolders (Photos, Music,\nDocuments, Desktop, Downloads, Application Support, Containers, …) to avoid reading\nthat data or triggering OS privacy prompts. Secrets are redacted in the UI and the CLI. Files\nare written only when you confirm a removal or run `audit --fix`\n\n. The `/api`\n\nendpoints\nrequire a per-session token carried in the launch URL, and the server accepts requests\nonly from loopback, same-origin callers, which protects the local write endpoint from\nDNS-rebinding and cross-site requests.\n\nContributions are welcome, especially new risk detectors and broader platform coverage.\nGrantGuard is standard-library Python with no dependencies, and we want to keep it that\nway. See [CONTRIBUTING.md](/OpenVanta/GrantGuard/blob/main/CONTRIBUTING.md) and the\n[Code of Conduct](/OpenVanta/GrantGuard/blob/main/CODE_OF_CONDUCT.md).\n\n- Bugs and ideas: open an issue.\n- Security reports: see\n[SECURITY.md](/OpenVanta/GrantGuard/blob/main/SECURITY.md). Please do not file them publicly. - Release history:\n[CHANGELOG.md](/OpenVanta/GrantGuard/blob/main/CHANGELOG.md).\n\nGrantGuard started on the product side of Vanta, not in Engineering. It was built by a PM using agentic tools (Claude Code, and now Codex) to answer a real question: how far can someone who does not ship production code for a living get toward a genuinely useful, trustworthy tool, while holding the bar high enough to put Vanta's name on it.\n\nThis is an early-stage project, and we want to be clear about that. Vanta's open source work spans a range: some of it carries the full rigor of Vanta Engineering from day one, and some, like this, begins as a strong prototype and is engineered up from there. GrantGuard already does something real (it audits your Claude Code permission grants and flags the risky ones), and engineers are now involved to steadily raise its quality toward the standard we hold everything else to. What you are looking at is a project in the process of being leveled up, and you will see it improve over the weeks and months ahead.\n\nWe are open sourcing it at this stage on purpose. Exploring how people outside Engineering can build real, credible things means doing it in the open. Issues and pull requests are welcome, and they feed directly into that work.\n\nCreated by **Herman Errico**.\n\n[MIT](/OpenVanta/GrantGuard/blob/main/LICENSE) © Vanta Inc.", "url": "https://wpnews.pro/news/audit-claude-code-permissions-from-vanta", "canonical_source": "https://github.com/OpenVanta/GrantGuard", "published_at": "2026-07-07 18:49:51+00:00", "updated_at": "2026-07-07 18:59:47.777518+00:00", "lang": "en", "topics": ["ai-safety", "ai-tools", "developer-tools"], "entities": ["Vanta", "GrantGuard", "Claude Code", "Python", "macOS", "Linux", "Windows"], "alternates": {"html": "https://wpnews.pro/news/audit-claude-code-permissions-from-vanta", "markdown": "https://wpnews.pro/news/audit-claude-code-permissions-from-vanta.md", "text": "https://wpnews.pro/news/audit-claude-code-permissions-from-vanta.txt", "jsonld": "https://wpnews.pro/news/audit-claude-code-permissions-from-vanta.jsonld"}}