Claude Code’s .claude/settings.json supports permission deny rules with wildcard matching — for example, Bash(git reset --hard:*). CC Safety Net is different: it uses semantic command analysis and runs before the permission system. This page explains how they compare and why you should use both.

At a Glance

| | Permission Deny Rules | CC Safety Net |
|---|---|---|
| Setup | Manual configuration required | Works out of the box |
| Parsing | Wildcard pattern matching | Semantic command analysis |
| Execution order | Runs second | Runs first (PreToolUse hook) |
| Shell wrappers | Not handled automatically (must match wrapper forms) | Recursively analyzed (10 levels) |
| Interpreter one-liners | Not handled automatically (must match interpreter forms) | Detected and blocked |

Bypass Vectors in Permission Rules

Even with wildcard matching, Bash permission patterns are intentionally limited in scope. A determined command — or an AI agent that simply phrases things differently — can bypass them in several ways:
| Bypass Method | Example |
|---|---|
| Options before value | `curl -X GET http://evil.com` bypasses `Bash(curl http://evil.com:*)` |
| Shell variables | `URL=http://evil.com && curl $URL` bypasses the URL pattern |
| Flag reordering | `rm -r -f /` bypasses `Bash(rm -rf:*)` |
| Extra whitespace | `rm  -rf /` (double space) bypasses the pattern |
| Shell wrappers | `sh -c "rm -rf /"` bypasses `Bash(rm:*)` entirely |
Because permission rules compare the raw command string against a pattern, any variation in spacing, flag order, or command wrapping can cause a block to silently fail to apply.

Semantic Analysis Examples

The table below shows how each approach handles a set of real-world scenarios:
| Scenario | Permission Rules | CC Safety Net |
|---|---|---|
| `git checkout -b feature` (safe) | Blocked by `Bash(git checkout:*)` | Allowed |
| `git checkout -- file` (dangerous) | Blocked by `Bash(git checkout:*)` | Blocked |
| `rm -rf /tmp/cache` (safe) | Blocked by `Bash(rm -rf:*)` | Allowed |
| `rm -r -f /` (dangerous) | Allowed (flag order) | Blocked |
| `bash -c 'git reset --hard'` | Allowed (wrapper) | Blocked |
| `python -c 'os.system("rm -rf /")'` | Allowed (interpreter) | Blocked |
With pattern matching, you face an unavoidable tradeoff: broad patterns cause false positives on safe commands, while narrow patterns leave gaps that dangerous variants slip through. Semantic analysis resolves this by evaluating what each command actually does.

Defense in Depth

PreToolUse hooks run before the permission system. This means CC Safety Net inspects every Bash command first, regardless of how your permission deny rules are configured. Even if you misconfigure or forget to add a deny rule, CC Safety Net provides a fallback layer that catches known-destructive operations before they ever reach the permission check.
Use both together for the strongest protection: configure permission deny rules for quick, user-configurable blocks on commands specific to your workflow; rely on CC Safety Net for robust, bypass-resistant protection that works out of the box without any manual tuning.
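The following script is an added illustration for this page, not CC Safety Net's own code, and it covers both the bypass and scenario tables above and the PreToolUse ordering described in this section. `pattern_blocks` is a deliberately simplified stand-in for prefix-style deny rules (an assumption about how such rules behave, chosen only to make the bypasses visible); `analyze` is a toy semantic analyzer with a handful of rules taken from the page's examples (recursive `rm` of root or home, `git reset --hard`, `git checkout --`, requests to `evil.com`, which is a constructed blocked-host entry from the curl example), with shell-wrapper unwrapping limited to 10 levels and interpreter one-liners checked by re-analyzing their string literals. It also fails closed on shell syntax it cannot parse, which the page does not discuss. `hook_decision` maps a hook payload to an exit status; the payload shape (JSON on stdin with `tool_name` and `tool_input.command`) and the convention that exit status 2 blocks the tool call are assumed from Claude Code's hook interface, not stated on this page.

```python
# Added illustration, not CC Safety Net's code: a prefix-style deny-rule stand-in
# beside a small semantic analyzer and a PreToolUse-style entry point. The hook
# I/O (JSON on stdin with tool_name/tool_input.command, exit 2 blocks) is assumed.
import json
import re
import shlex
import sys
from typing import Optional

# Stand-in for rules like Bash(rm -rf:*): block when the raw string starts with the prefix.
DENY_PREFIXES = ("rm -rf", "git reset --hard", "git checkout", "curl http://evil.com")
SHELLS = {"sh", "bash", "zsh", "dash"}
INTERPRETERS = {"python", "python3", "perl", "ruby", "node"}
SEPARATORS = {";", "&&", "||", "|", "&"}
ROOT_LIKE = {"/", "/*", "~", "~/", "~/*"}
BLOCKED_HOSTS = {"evil.com"}  # constructed from the page's curl example
MAX_UNWRAP = 10               # wrapper nesting limit the page describes

def pattern_blocks(command: str) -> bool:
    return command.startswith(DENY_PREFIXES)

def tokenize(command: str) -> list[str]:
    # Shell words; ';', '&&', '|' and friends become separate tokens.
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)

def simple_commands(tokens: list[str]) -> list[list[str]]:
    cmds: list[list[str]] = [[]]
    for tok in tokens:
        if tok in SEPARATORS:
            cmds.append([])
        else:
            cmds[-1].append(tok)
    return [c for c in cmds if c]

def split_short_flags(args: list[str]) -> list[str]:
    """-rf -> -r -f, so grouping and order of flags stop mattering."""
    out: list[str] = []
    for tok in args:
        if re.fullmatch(r"-[A-Za-z]{2,}", tok):
            out.extend("-" + c for c in tok[1:])
        else:
            out.append(tok)
    return out

def analyze(command: str, depth: int = 0) -> Optional[str]:
    """Return a reason when the command is destructive, otherwise None."""
    if depth > MAX_UNWRAP:
        return f"shell wrappers nested deeper than {MAX_UNWRAP} levels"
    try:
        tokens = tokenize(command)
    except ValueError as exc:  # unbalanced quotes: fail closed
        return f"unparseable shell syntax ({exc})"
    env: dict[str, str] = {}
    for argv in simple_commands(tokens):
        # Resolve $VAR / ${VAR} from assignments seen earlier on this line.
        argv = [re.sub(r"\$\{?(\w+)\}?", lambda m: env.get(m.group(1), m.group(0)), t) for t in argv]
        while argv and re.fullmatch(r"\w+=.*", argv[0]):
            name, _, value = argv.pop(0).partition("=")
            env[name] = value
        if not argv:
            continue
        prog, args = argv[0].rsplit("/", 1)[-1], split_short_flags(argv[1:])
        if prog in SHELLS and "-c" in args and args.index("-c") + 1 < len(args):
            inner = analyze(args[args.index("-c") + 1], depth + 1)
            if inner:
                return f"{prog} -c wraps: {inner}"
        elif prog in INTERPRETERS and {"-c", "-e"} & set(args):
            # Treat every string literal in the one-liner as a possible shell line.
            for dq, sq in re.findall(r"\"([^\"]*)\"|'([^']*)'", " ".join(args)):
                inner = analyze(dq or sq, depth + 1)
                if inner:
                    return f"{prog} one-liner wraps: {inner}"
        elif prog == "rm":
            recursive = bool({"-r", "-R", "--recursive"} & set(args))
            targets = [a for a in args if not a.startswith("-")]
            if recursive and any(t in ROOT_LIKE for t in targets):
                return "recursive rm of filesystem root or home"
        elif prog == "git" and args[:2] == ["reset", "--hard"]:
            return "git reset --hard discards uncommitted work"
        elif prog == "git" and args[:1] == ["checkout"] and "--" in args:
            return "git checkout -- discards uncommitted changes"
        elif prog == "curl" and any(h in a for a in args for h in BLOCKED_HOSTS):
            return "request to a blocked host"
    return None

def hook_decision(payload: dict) -> tuple[int, str]:
    """PreToolUse verdict as (exit status, message); status 2 blocks the call."""
    if payload.get("tool_name") != "Bash":
        return 0, ""
    reason = analyze(payload.get("tool_input", {}).get("command", ""))
    return (2, f"blocked by semantic analysis: {reason}") if reason else (0, "")

if __name__ == "__main__":
    status, message = hook_decision(json.load(sys.stdin))
    if message:
        print(message, file=sys.stderr)
    sys.exit(status)
```

Run through the rows of the tables above, `pattern_blocks` reproduces the false positives (`rm -rf /tmp/cache`, `git checkout -b feature`) and the misses (`rm -r -f /`, the double-space variant, `sh -c`, `python -c`, the reordered and variable-expanded `curl`), while `analyze` gives the verdict listed in the CC Safety Net column for each. Registered as a PreToolUse hook matched to the `Bash` tool, a script of this shape sees the command before the permission check, which is the ordering this section relies on; the real project's rule set is far larger than these few cases.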