Audit Claude Code Permissions from Vanta Vanta released GrantGuard, an open-source tool that audits and cleans up permission allowlists built by Claude Code. The tool classifies granted permissions into risk groups and provides a local web UI for one-click removal of unsafe grants, addressing security risks from unchecked permissions in Claude settings files. Audit, review, and clean up your Claude Code standing permissions. GrantGuard audits the permission allowlist that Claude Code builds up as you click "always allow." Hidden away in settings files that are rarely audited, these permissions strings can contain substantive risks: API keys once pasted into a command, unrestricted git push , commands that read your OS credential store, common destructive commands, and more. GrantGuard classifies and groups granted permissions into risk groups, with a UI for easy review and one-click removal of unsafe or unwanted permission grants. GrantGuard runs as a small local Python app using Python's standard library and browser-native HTML/CSS/JS. GrantGuard does not install or load third-party runtime Python packages, npm packages, web UI frameworks, or CDN-hosted scripts. Cross-platform. Works on macOS, Linux, and Windows. No third-party runtime packages. Uses Python 3.10+ standard library code and browser-native HTML/CSS/JS. No pip install , no npm install , no build steps, and no CDN-loaded browser libraries. Runs locally. The web UI binds to 127.0.0.1 and makes no network calls. Your settings never leave the machine, and secrets are redacted in outputs. Safe by default. Auditing is read-only. Removals happen only when you confirm them, and they're non-destructive — Claude re-asks for anything removed, so you can re-approve it. - a Python package and project manager, a modern best-in-class standard for python projects. GrantGuard uses uv uv run as its supported launch path, allowing consistent and convenient execution across MacOS, Linux, and Windows. git - for cloning this repo- A supported browser for the Web UI GrantGuard uses browser-native HTML/CSS/JS and is intended for current stable versions of Chrome, Edge, Firefox, and Safari. - If you haven't already, install https://github.com/astral-sh/uv installation . uv - Clone this repo git clone https://github.com/VantaInc/grantguard.git - Run the web UI cd grantguard uv run grantguard.py By default, GrantGuard reviews user-level Claude settings sources only. It does not infer a project from the directory where you launch it, and it does not walk project directories unless you ask it to. uv run grantguard.py ui TARGET ... --targets PATH --scan | --deep-scan --tolerance default|permissive --port PORT --no-open uv run grantguard.py audit TARGET ... --targets PATH --scan | --deep-scan --tolerance default|permissive --show-safe --fix With no targets and no scan flag, GrantGuard inspects: ~/.claude/settings.json ~/.claude/settings.local.json ~/.claude.json - the platform managed settings file, if present An empty selection is a successful empty audit. GrantGuard prints that no Claude settings sources were found and exits 0 . uv run grantguard.py audit Targets may be passed positionally or with repeatable --targets PATH ; both forms behave identically. uv run grantguard.py audit /path/to/repo uv run grantguard.py audit --targets /path/to/repo uv run grantguard.py audit --targets /repo/a --targets /repo/b Use --scan to shallowly discover .claude/settings .json below one or more target roots: uv run grantguard.py audit --scan --targets /path/to/workspace Use --deep-scan for deeper discovery under target roots, or without targets for broad discovery: uv run grantguard.py audit --deep-scan --targets /path/to/workspace uv run grantguard.py audit --deep-scan uv run grantguard.py audit --tolerance default uv run grantguard.py audit --tolerance permissive default flags high-risk findings and overbroad wildcard rules. permissive keeps overbroad wildcard rules and flags only higher-risk findings. audit is read-only unless --fix is present. uv run grantguard.py audit --fix uv run grantguard.py audit --tolerance permissive --fix audit --fix writes to editable Claude settings files in scope and removes all flagged rules selected by the active tolerance. Managed settings and ~/.claude.json are reported as read-only and are not modified. | Code | Meaning | |---|---| 0 | No flagged findings, empty audit, or requested fix completed successfully | 1 | Findings found in read-only audit, editable findings remain, or a write failed | 2 | Invalid CLI usage, such as --scan without targets | | Category | Verdict | Example | |---|---|---| | 🔑 Inline credential or API key | remove | curl -H "Authorization: Bearer