Git Hooks Setup
Scan for secrets automatically on every commit or push. One command sets everything up. Secrets never leave your machine.
Quick install
The pretense install command sets up git hooks in one step. Run it from any git repository.
pre-commit
Recommended. Scans staged files before each commit. If secrets are found, the commit is blocked with a clear error message showing the file, line, and secret type. This is the recommended mode for most teams.
pretense install --mode pre-commit
What this does
- Creates .git/hooks/pre-commit (or updates it if one exists)
- Runs pretense scan pre-commit on every git commit
- Only scans staged files (fast, even in large repos)
- Blocks the commit if critical secrets are found
pre-push
Scans all files in the push range before pushing to the remote. Allows local commits with secrets (useful for WIP commits) but blocks them from reaching the remote.
pretense install --mode pre-push
What this does
- Creates .git/hooks/pre-push (or updates it if one exists)
- Runs pretense scan pre-push on every git push
- Scans all commits in the push range
- Blocks the push if secrets are found in any commit
Manual hook setup
If you prefer to manage hooks manually, create the hook files directly. Make sure they are executable.
pre-commit hook
#!/bin/sh
# .git/hooks/pre-commit
# No 'set -e' here: it would abort the script on the scanner's non-zero exit status
# before the exit code could be inspected and the message below printed.
pretense scan pre-commit
exit_code=$?
if [ $exit_code -eq 2 ]; then
    echo ""
    echo "Commit blocked: secrets detected in staged files."
    echo "Run 'pretense scan <file>' to see details."
    exit 1
fi
exit 0
Make it executable: chmod +x .git/hooks/pre-commit
pre-push hook
#!/bin/sh
# .git/hooks/pre-push
# Any non-zero exit from the scanner ends the script and blocks the push.
set -e
remote="$1"
url="$2"
# git feeds one line per ref being pushed on stdin: local ref, local sha, remote ref, remote sha.
while read local_ref local_sha remote_ref remote_sha; do
    # A local sha of all zeros is a branch deletion: nothing to scan.
    if [ "$local_sha" != "0000000000000000000000000000000000000000" ]; then
        # A remote sha of all zeros is a new branch: scan everything reachable from the local sha.
        if [ "$remote_sha" = "0000000000000000000000000000000000000000" ]; then
            range="$local_sha"
        else
            range="$remote_sha..$local_sha"
        fi
        pretense scan commit-range "$range"
    fi
done
exit 0
Make it executable: chmod +x .git/hooks/pre-push
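The two decisions the manual hooks above make, the push-range calculation and the exit-code handling, as an added example that is not part of the Pretense docs or project. The names push_range, run_secret_gate and fake_scan are chosen here, the stand-in scanner and the sample files are constructed, and the example assumes this page's convention that a scan exits 2 when secrets are found. It goes one step beyond the hooks on the page by failing closed when the scanner cannot run at all.

```shell
#!/bin/sh
# Added example, not code from the Pretense project: the two decisions the manual hooks
# above make, factored into functions so they can be exercised with a stand-in scanner.
# Assumes this page's convention that a scan exits 2 when secrets are found, 0 when clean.
# push_range LOCAL_SHA REMOTE_SHA: the range a pre-push hook should scan. Prints nothing
# for a branch deletion (local sha all zeros), the local sha alone for a new branch
# (remote sha all zeros), and REMOTE..LOCAL otherwise.
push_range() {
    zero=0000000000000000000000000000000000000000
    if [ "$1" = "$zero" ]; then
        return 0
    elif [ "$2" = "$zero" ]; then
        printf '%s\n' "$1"
    else
        printf '%s..%s\n' "$2" "$1"
    fi
}

# run_secret_gate SCANNER [ARGS...]: run the scanner and turn its status into the hook's
# decision. Returns 0 to allow; 1 to block on secrets (status 2) and also on any other
# failure (scanner missing or crashed), so a gate that cannot scan fails closed instead of
# letting the commit through. Deliberately no 'set -e': with it, the scanner's non-zero
# status would end the script before this function could report anything.
run_secret_gate() {
    "$@"
    status=$?
    case "$status" in
        0) return 0 ;;
        2) echo "Commit blocked: secrets detected in staged files." >&2; return 1 ;;
        *) echo "Commit blocked: scanner exited with status $status (failing closed)." >&2
           return 1 ;;
    esac
}

# Stand-in for 'pretense scan', constructed only to exercise the gate: exits 2 if any of
# the given files contains an AWS-style access key id.
fake_scan() {
    for f in "$@"; do
        grep -Eq 'AKIA[0-9A-Z]{16}' "$f" && return 2
    done
    return 0
}

# Demonstration on constructed files (the leaky one uses the public AWS docs example key).
demo_dir=$(mktemp -d)
printf 'DB_HOST=localhost\n' > "$demo_dir/clean.env"
printf 'AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n' > "$demo_dir/leaky.env"
run_secret_gate fake_scan "$demo_dir/clean.env" && echo "clean.env: allowed"
run_secret_gate fake_scan "$demo_dir/leaky.env" || echo "leaky.env: blocked"
run_secret_gate no_such_scanner_cmd || echo "missing scanner: blocked"
```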
Husky and lint-staged
If your project already uses Husky or lint-staged for git hooks, add Pretense as an additional step.
Husky setup
# 1. Make sure Husky installs its hooks through the package.json prepare script
npm pkg set scripts.prepare="husky"
# 2. Create the pre-commit hook (append with >> instead if .husky/pre-commit already exists)
echo 'pretense scan pre-commit' > .husky/pre-commit
# 3. Make it executable
chmod +x .husky/pre-commit
lint-staged config
// package.json (with lint-staged); lint-staged appends the matching staged file names to the command
{
  "lint-staged": {
    "*.{ts,tsx,js,jsx,py,go,java}": [
      "pretense scan"
    ]
  }
}
Bypassing hooks
In rare cases you may need to skip the Pretense hook. Use the standard git flag:
git commit --no-verify -m "emergency fix"
Bypassed commits are flagged in the Pretense audit log. Your CI pipeline should run pretense scan ci as a safety net.
Next steps
Git hooks are configured. Here is where to go deeper.