Git Hooks
Git Hooks Setup
Scan for secrets automatically on every commit or push. One command sets everything up. Secrets never leave your machine.
Quick install
The pretense install command sets up git hooks in one step. Run it from any git repository.
pre-commit
RecommendedScans staged files before each commit. If secrets are found, the commit is blocked with a clear error message showing the file, line, and secret type. This is the recommended mode for most teams.
pretense install --mode pre-commitWhat this does
- •Creates .git/hooks/pre-commit (or updates it if one exists)
- •Runs pretense scan pre-commit on every git commit
- •Only scans staged files (fast, even in large repos)
- •Blocks the commit if critical secrets are found
- •Exits cleanly if no secrets are detected
pre-push
Scans all files in the push range before pushing to the remote. Allows local commits with secrets (useful for WIP commits) but blocks them from reaching the remote. Best for teams that prefer flexible local workflows.
pretense install --mode pre-pushWhat this does
- •Creates .git/hooks/pre-push (or updates it if one exists)
- •Runs pretense scan pre-push on every git push
- •Scans all commits in the push range
- •Blocks the push if secrets are found in any commit
- •WIP commits with secrets are allowed locally
Manual hook setup
If you prefer to manage hooks manually, create the hook files directly. Make sure they are executable.
pre-commit hook
#!/bin/sh # .git/hooks/pre-commit # Pretense secret scanner -- blocks commits containing secrets set -e # Only scan staged files pretense scan pre-commit exit_code=$? if [ $exit_code -eq 2 ]; then echo "" echo "Commit blocked: secrets detected in staged files." echo "Run 'pretense scan <file>' to see details." echo "Use 'git commit --no-verify' to bypass (not recommended)." exit 1 fi exit 0
Make it executable: chmod +x .git/hooks/pre-commit
pre-push hook
#!/bin/sh
# .git/hooks/pre-push
# Pretense secret scanner -- blocks pushes containing secrets
set -e
remote="$1"
url="$2"
while read local_ref local_sha remote_ref remote_sha; do
if [ "$local_sha" != "0000000000000000000000000000000000000000" ]; then
if [ "$remote_sha" = "0000000000000000000000000000000000000000" ]; then
range="$local_sha"
else
range="$remote_sha..$local_sha"
fi
pretense scan commit-range "$range"
fi
done
exit 0Make it executable: chmod +x .git/hooks/pre-push
Husky and lint-staged
If your project already uses Husky or lint-staged for git hooks, add Pretense as an additional step.
Husky setup
# If you already use Husky for git hooks: # 1. Add Pretense to your package.json prepare script npm pkg set scripts.prepare="husky" # 2. Create the pre-commit hook echo 'pretense scan pre-commit' > .husky/pre-commit # 3. Make it executable chmod +x .husky/pre-commit
lint-staged config
// package.json (with lint-staged)
{
"lint-staged": {
"*.{ts,tsx,js,jsx,py,go,java}": [
"pretense scan"
]
}
}lint-staged passes each staged file to pretense scan individually. This is slower than pretense scan pre-commit which batches all staged files, but integrates naturally with existing lint-staged pipelines.
Bypassing hooks
In rare cases you may need to skip the Pretense hook. Use the standard git flag:
git commit --no-verify -m "emergency fix"Bypassed commits are flagged in the Pretense audit log. Your CI pipeline should run pretense scan ci as a safety net for any commits that skip the local hook.
Next steps
Git hooks are configured. Here is where to go deeper.