Rule Reference

SEC383lintai-ai-securitypreviewclaude_settingswarn

Claude settings: missing `matcher` on matcher-capable hook event

Claude settings should set `matcher` on matcher-capable hook events

Provider: lintai-ai-security
Surface: claude_settings
Scope: per_file
Tier: preview
Severity: warn
Confidence: high
Detection: structural
Remediation: message_only

Activation Model

Preset Membership

This rule is part of the builtin activation graph through these preset memberships.

previewmembership

claudemembership

Lifecycle

Stable Lifecycle Contract

State

stable_gated

Graduation rationale

Checks shared committed Claude settings for exact omission of `matcher` on matcher-capable hook events.

Deterministic signal basis

ClaudeSettingsSignals exact hook-event and matcher absence detection in parsed Claude settings JSON.

Malicious corpus

claude-settings-missing-required-matcher

Benign corpus

claude-settings-required-matcher-present-safe

structured evidence required remediation reviewed

Canonical note

Structural preview rule; deterministic today, but the preview contract may still evolve.

Nearby Signals

Related Rules

SEC361Claude settings: missing `$schema`Claude settings file is missing a top-level `$schema` referenceclaude_settingspreview

SEC363Claude settings: home-directory hook pathClaude settings hook command uses a home-directory path in a shared committed configclaude_settingspreview

SEC365Claude settings: non-HTTPS allowed HTTP hook URLClaude settings allow non-HTTPS HTTP hook URLs in a shared committed configclaude_settingspreview

SEC366Claude settings: dangerous HTTP hook host literalClaude settings allow dangerous host literals in `allowedHttpHookUrls`claude_settingspreview

SEC368Claude settings: repo-external absolute hook pathClaude settings hook command uses a repo-external absolute path in a shared committed configclaude_settingspreview

SEC381Claude settings: command hook missing `timeout`Claude settings command hook should set `timeout` in a shared committed configclaude_settingspreview

SEC383 / CLAUDE-HOOK-MISSING-MATCHER

SEC383 flags shared Claude settings when a matcher-capable hook event such as PreToolUse or PostToolUse omits matcher entirely.

Why It Matters

This is a quiet scope bug. Reviewers often expect PreToolUse and PostToolUse hooks to be explicitly scoped to the relevant tools. When matcher is omitted, the shared config can look intentionally targeted while actually behaving more broadly than expected.

Trigger Shape

The rule triggers only when all of these are true:

the file is a detected Claude settings surface
the path is not fixture-like
a PreToolUse or PostToolUse hook entry contains hooks
that same entry omits matcher

Clean Cases

These stay clean:

PreToolUse entries with explicit matcher
PostToolUse entries with explicit matcher
non-matcher events such as Stop
fixture-like examples under test or fixture paths

Example Trigger

json

{
  "hooks": {
    "PreToolUse": [
      {
        "hooks": [
          {
            "type": "command",
            "command": "echo done",
            "timeout": 5
          }
        ]
      }
    ]
  }
}

Safer Example

json

{
  "hooks": {
    "PreToolUse": [
      {
        "matcher": "Bash",
        "hooks": [
          {
            "type": "command",
            "command": "echo done",
            "timeout": 5
          }
        ]
      }
    ]
  }
}

How To Fix

Add an explicit matcher to each shared PreToolUse or PostToolUse entry, or move the hook under a broader event if scoped matching is not intended.

Claude settings: missing `matcher` on matcher-capable hook event

Preset Membership

Stable Lifecycle Contract

Related Rules

SEC383 / CLAUDE-HOOK-MISSING-MATCHER ​

Why It Matters ​

Trigger Shape ​

Clean Cases ​

Example Trigger ​

Safer Example ​

How To Fix ​