Batou: Generation-time SAST for Claude Code (Runtime security, while the AI is typing)

AI coding is fast. Security feedback is usually not.

Most SAST runs after the code is written, committed, and pushed. With Claude Code, that gap gets painful because the model can generate vulnerabilities just as quickly as it generates features. We wanted the tightest possible loop: write code → scan it immediately → feed the fix back to Claude before the mistake becomes “real.”

So we built Batou, a security scanner that runs as a Claude Code hook and inspects every Write, Edit, and NotebookEdit operation in real time.


Why we built it: a tight feedback loop between SAST and Claude Code

Claude Code already has the key primitive: hooks that run before and after tool execution. Batou plugs into that.

  • PreToolUse: scan the code before it is written. If a finding is critical, block the write (exit code 2) and give fix guidance.
  • PostToolUse: run deeper analysis after the write and send Claude more context so it can clean things up while it is still “in the zone.”

That is the whole point: don’t wait for CI to yell at you later. Catch the issue at the moment it is created.


MIT license: business-friendly from day one

We released Batou under the MIT License because we wanted it to be easy to adopt in real projects, including commercial ones. Use it, fork it, ship it, embed it in your workflow.


We were tired of telling Claude the same things

If you use AI tools a lot, you know the loop:

“Don’t do string-concat SQL.”
“Don’t use innerHTML with user input.”
“Don’t hardcode secrets.”
“Validate inputs.”
“Use parameterized queries.”

And then, a few prompts later, you are saying it again.

Batou turns those reminders into a consistent, automatic guardrail. The rules run on every write, every time, without relying on someone to nag the model.


What Batou actually does (in plain terms)

Batou scans code across 16 languages using a four-layer pipeline.

Layer 1: Regex rules (fast, wide net)

A quick first pass with 676 rules across 43 categories.
This is where you catch the obvious stuff quickly: dangerous calls, suspicious patterns, secret-looking strings, insecure crypto configs, and common framework footguns.

Layer 2: AST parsing (reduce dumb false positives)

Batou parses files using tree-sitter and uses the AST to suppress findings that are clearly just comments, and it enables structure-aware checks that regex cannot do well.

Layer 3: Taint analysis (source-to-sink dataflow)

This is the “is it actually exploitable?” layer. Batou tracks flow from inputs (sources) to dangerous operations (sinks), accounting for sanitizers, across multiple engines and a 1,069-entry taint catalog.

Layer 4: Call graph (interprocedural, cross-file)

Batou persists context across a session, so it can follow taint across functions and even across files (within limits), instead of treating each write in isolation.
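To make the first three layers concrete, here is a toy scanner written as an added example for this post; it is not Batou's code. It runs a couple of regex rules (layer 1), drops hits that start inside a comment (layer 2, using Python's tokenize module in place of tree-sitter), and tracks source-to-sink flow through assignments, f-strings and string concatenation with a sanitizer set (layer 3, using Python's ast module). The rules, the source/sink/sanitizer catalog and the SAMPLE file are all constructed for the example, and there is no layer 4: it looks at a single file only.

```python
"""Toy version of the first three layers: regex rules, comment suppression, taint tracking."""
import ast
import io
import re
import tokenize
from dataclasses import dataclass

# Layer 1: a handful of regex rules standing in for Batou's rule set (constructed).
RULES = {
    "hardcoded-secret": re.compile(r"(?i)(password|api_key|secret)\s*=\s*['\"][^'\"]{8,}['\"]"),
    "sql-string-concat": re.compile(r"execute\(\s*(f['\"]|['\"][^'\"]*['\"]\s*\+)"),
}
# Layer 3 catalog: dotted call names treated as sources, sinks and sanitizers (constructed).
SOURCES = {"input", "request.args.get"}
SINKS = {"cursor.execute", "os.system"}
SANITIZERS = {"int", "shlex.quote"}


@dataclass
class Finding:
    rule: str
    line: int
    severity: str


def comment_cols(source):
    """Layer 2 stand-in: the column at which a comment starts on each line (tokenize, not tree-sitter)."""
    cols = {}
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type == tokenize.COMMENT:
            cols[tok.start[0]] = tok.start[1]
    return cols


def dotted(node):
    """Render a call target such as `request.args.get` as a string for catalog lookup."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class Taint(ast.NodeVisitor):
    """Tracks taint through assignments in statement order (a toy, not Batou's engine)."""

    def __init__(self):
        self.tainted = set()   # variable names currently holding attacker-influenced data
        self.findings = []

    def is_tainted(self, node):
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Call):
            name = dotted(node.func)
            if name in SANITIZERS:   # output of a sanitizer is treated as clean
                return False
            if name in SOURCES:
                return True
            return any(self.is_tainted(a) for a in node.args)
        # f-strings, concatenation, tuples: tainted if any component is tainted
        return any(self.is_tainted(c) for c in ast.iter_child_nodes(node))

    def visit_Assign(self, node):
        for target in node.targets:
            if isinstance(target, ast.Name):
                if self.is_tainted(node.value):
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)   # reassigning clean data clears taint
        self.generic_visit(node)

    def visit_Call(self, node):
        name = dotted(node.func)
        if name in SINKS and any(self.is_tainted(a) for a in node.args):
            self.findings.append(Finding(f"taint-{name}", node.lineno, "critical"))
        self.generic_visit(node)


def scan(source):
    """Run the three layers over one Python file and return findings sorted by line."""
    findings = []
    comments = comment_cols(source)
    for lineno, line in enumerate(source.splitlines(), 1):
        for rule, rx in RULES.items():
            m = rx.search(line)
            # Layer 2: keep a regex hit only if it starts before any comment on that line
            if m and m.start() < comments.get(lineno, len(line) + 1):
                findings.append(Finding(rule, lineno, "high"))
    tracker = Taint()
    tracker.visit(ast.parse(source))
    findings.extend(tracker.findings)
    return sorted(findings, key=lambda f: f.line)


# Constructed sample file: a comment-only false positive, a real hardcoded secret,
# a tainted SQL query, a sanitized query, and a tainted shell command.
SAMPLE = '''\
import os
# password = "this-is-only-a-comment"
API_KEY = "sk-constructed-placeholder-0000"
def lookup(cursor, request):
    uid = request.args.get("id")
    page = int(request.args.get("page"))
    cursor.execute(f"SELECT * FROM users WHERE id = {uid}")
    cursor.execute("SELECT * FROM users LIMIT %s", (page,))
    cmd = input("command: ")
    os.system("ls " + cmd)
'''

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.severity:8} line {f.line}: {f.rule}")
```

Running it on SAMPLE reports the secret on line 3, both a regex hit and a taint finding for the f-string query on line 7, and a taint finding for the shell command on line 10; the commented-out password on line 2 and the `int()`-sanitized query on line 8 produce nothing. The taint layer is what separates "this line looks like SQL concatenation" from "attacker-controlled data reaches this sink", which is why Batou reports it at a higher severity than a regex match alone.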


Installation and hooking it into Claude Code

Batou ships with a one-liner install, plus a “setup this project” option.

curl -fsSL https://raw.githubusercontent.com/turenlabs/batou/main/install.sh | bash

Project setup:

curl -fsSL https://raw.githubusercontent.com/turenlabs/batou/main/install.sh | bash -s -- --setup /path/to/your/project

Or install hooks globally:

curl -fsSL https://raw.githubusercontent.com/turenlabs/batou/main/install.sh | bash -s -- --global

Under the hood, it configures .claude/settings.json to run Batou on both PreToolUse and PostToolUse for Write|Edit|NotebookEdit.
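The following is an added example of the hook mechanism described above (PreToolUse, exit code 2 blocking the write, fix guidance fed back to the model) together with the settings.json wiring; it is not Batou's own hook script. It reads the JSON that Claude Code passes to a command hook on stdin, pulls out the text the tool is about to write, runs one constructed critical rule, and exits 2 with the guidance on stderr when it fires. The `HOOK_COMMAND` path is a placeholder, and treating NotebookEdit's `new_source` like Write's `content` is an assumption.

```python
"""Minimal PreToolUse command hook (constructed example, not Batou's code)."""
import json
import re
import sys

# The .claude/settings.json entry that attaches a command hook to the three write tools.
# HOOK_COMMAND is a placeholder path; the structure follows Claude Code's hooks config.
HOOK_COMMAND = "python3 /path/to/pretool_hook.py"
HOOK_SETTINGS = {
    "hooks": {
        "PreToolUse": [
            {"matcher": "Write|Edit|NotebookEdit",
             "hooks": [{"type": "command", "command": HOOK_COMMAND}]}
        ]
    }
}

# One critical rule standing in for a full rule set (constructed).
CRITICAL = {
    "hardcoded-secret": re.compile(r"(?i)(api_key|secret|password)\s*=\s*['\"][^'\"]{8,}['\"]"),
}


def pending_text(tool_name, tool_input):
    """Text the tool is about to write. Write/Edit field names follow Claude Code's tool
    schemas; using NotebookEdit's `new_source` the same way is an assumption."""
    field = {"Write": "content", "Edit": "new_string", "NotebookEdit": "new_source"}.get(tool_name)
    return tool_input.get(field, "") if field else ""


def decide(payload):
    """Return (exit_code, message). Exit 2 blocks the tool call and Claude Code shows
    stderr to the model; exit 0 lets the write through untouched."""
    tool_input = payload.get("tool_input", {})
    text = pending_text(payload.get("tool_name", ""), tool_input)
    hits = [(rule, n) for n, line in enumerate(text.splitlines(), 1)
            for rule, rx in CRITICAL.items() if rx.search(line)]
    if not hits:
        return 0, ""
    path = tool_input.get("file_path") or tool_input.get("notebook_path") or "<unknown>"
    guidance = [f"[critical] {rule} at {path}:{n}: read the value from an environment "
                f"variable or a secret store instead of embedding it." for rule, n in hits]
    return 2, "\n".join(guidance)


# Constructed payload in the shape Claude Code passes on stdin for a Write call.
SAMPLE_PAYLOAD = {
    "hook_event_name": "PreToolUse",
    "tool_name": "Write",
    "tool_input": {"file_path": "app/config.py",
                   "content": 'DEBUG = False\nAPI_KEY = "sk-constructed-placeholder-0000"\n'},
}

if __name__ == "__main__":
    # Fall back to the sample payload when run by hand without a pipe.
    payload = SAMPLE_PAYLOAD if sys.stdin.isatty() else json.load(sys.stdin)
    code, message = decide(payload)
    if message:
        print(message, file=sys.stderr)
    sys.exit(code)
```

Keeping the decision in `decide()` rather than at top level means the policy can be unit-tested without a running Claude Code session; the PostToolUse hook would use the same stdin payload shape but exit 0 and put its extra context on stdout instead of blocking.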


Where this goes next

Some obvious next steps:

  • Better per-project config (enable/disable rules, severity tuning)
  • SARIF output for CI and IDE integrations
  • Deeper framework-specific understanding
  • Stronger cross-file and cross-module tracking

Batou is open source and MIT licensed, so if you want to help shape “security at generation time,” jump in here: (GitHub)


Curious what we're building? Sign up for a trial at https://dashboard.turen.io/.
