DEV Community

Amedeo


Gitleaks Pre-Commit Hook

As a software engineer, sometimes when troubleshooting something I need to hardcode passwords locally to connect to DEV environments. Yeah, I could use environment variables and all that... but let's be honest - when you just want to quickly check something, hardcoding it is the fastest way. I know, I'm lazy.

Specifically, I was trying to verify that a password for connecting to Redis in DEV was correct. After adding it to the code and testing it, I had that sinking feeling about "what if I accidentally commit and push this?" That got me thinking - I really need to automate this check.

Initially I used TruffleHog and wrote a pre-commit hook script for it. But after chatting with a few colleagues, they suggested I have a look at Gitleaks instead. The key difference? TruffleHog tries to verify whether a secret is actually valid, but that's not what I wanted. Even if something looks like a false positive, I want to be the one who decides that. Gitleaks just flags patterns and lets you deal with them - which is exactly the behavior I needed.

Now, Gitleaks does offer a pre-commit setup in its README, but that involves installing the pre-commit package manager and configuring it per repository. I work with over 100 repos. I need something simple that works globally across all of them, not something I have to set up individually for each project. Yes, I am still lazy.

So I wrote a script that does it all in one go.

What it does

It runs Gitleaks before every commit. If it finds something that looks like a secret (API keys, tokens, passwords, whatever), it blocks the commit. Simple.

[Screenshot: Gitleaks catching a Slack token before it gets committed]

One command to install (as with any curl-into-bash one-liner, it's worth fetching the script and reading it before you run it):

curl -sSL https://raw.githubusercontent.com/AmedeoV/gitleaks-pre-commit-hook/refs/heads/main/gitleaks-local-git-pre-hook.sh | bash

Then it just works everywhere. All repos, automatically protected.

Why I like it

I don't have to think about it. That's the whole point. I code, I commit, if there's something sensitive in there, it stops me. Done.

Gitleaks ships with well over 100 built-in detection rules (AWS keys, Slack tokens, private keys, and so on). You can add custom rules in a gitleaks.toml too if you have specific patterns you want to catch.
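The post links to the author's installer but doesn't walk through how a global hook of this kind is put together. The script below is an added example, not the author's script and not Gitleaks' own code: it drops a pre-commit hook into a shared directory, points every repository at it with git's core.hooksPath, and writes an optional user-level gitleaks.toml that keeps the default rules and adds one custom rule. The hook directory (~/.git-hooks), the config path (~/.config/gitleaks/gitleaks.toml), the GITLEAKS_* environment variables and the custom rule are all assumptions for illustration; the gitleaks flags are the documented ones, with a fallback because older releases use "gitleaks protect" where newer ones use "gitleaks git --pre-commit".

```shell
#!/usr/bin/env bash
# Added example: a global Gitleaks pre-commit hook via core.hooksPath.
# Not the post's installer. Paths and variable names below are assumptions.
set -euo pipefail

HOOKS_DIR="${GITLEAKS_HOOKS_DIR:-$HOME/.git-hooks}"                         # assumed
CONFIG_FILE="${GITLEAKS_CONFIG_FILE:-$HOME/.config/gitleaks/gitleaks.toml}" # assumed

# Body of the pre-commit hook that every repository on the machine will run.
hook_script() {
  cat <<'EOF'
#!/usr/bin/env bash
# Global pre-commit hook: scan only the staged changes with gitleaks.
set -u
if ! command -v gitleaks >/dev/null 2>&1; then
  # Fail closed: an unscanned commit is the thing we are trying to prevent.
  echo "pre-commit: gitleaks not found in PATH; refusing to commit unscanned" >&2
  exit 1
fi
cfg="${GITLEAKS_CONFIG_FILE:-$HOME/.config/gitleaks/gitleaks.toml}"
args=(--redact --staged --verbose)
[ -f "$cfg" ] && args+=(--config "$cfg")
# gitleaks >= 8.19 scans staged changes with "git --pre-commit";
# older releases used "protect". Use whichever this binary offers.
if gitleaks --help 2>&1 | grep -qE '^ +git '; then
  gitleaks git --pre-commit "${args[@]}"
else
  gitleaks protect "${args[@]}"
fi
rc=$?
if [ "$rc" -ne 0 ]; then
  cat >&2 <<'MSG'
pre-commit: gitleaks blocked this commit.
  - false positive?  add a trailing "gitleaks:allow" comment on that line,
    or put the reported Fingerprint into .gitleaksignore in the repo root
  - real secret?     remove it from the staged changes, then commit again
MSG
  exit "$rc"
fi
EOF
}

# Optional user-level config: keep the built-in rules and add one of our own.
config_file_contents() {
  cat <<'EOF'
title = "user-level gitleaks config (added example)"

[extend]
useDefault = true   # keep every built-in rule

# Hypothetical custom rule: a password assigned to a Redis-looking variable.
[[rules]]
id = "redis-password-assignment"
description = "Hard-coded Redis password"
regex = '''(?i)redis[_-]?(pass(word)?|pwd)\s*[:=]\s*["'][^"']{8,}["']'''
keywords = ["redis"]
EOF
}

# Write the hook into DIR and make it executable.
write_hook() {
  local dir="$1"
  mkdir -p "$dir"
  hook_script > "$dir/pre-commit"
  chmod 0755 "$dir/pre-commit"
}

# Write the config to FILE unless the user already has one there.
write_config() {
  local file="$1"
  [ -e "$file" ] && return 0
  mkdir -p "$(dirname "$file")"
  config_file_contents > "$file"
}

# Point every repository on this machine at the shared hook directory.
install_global_hook() {
  write_hook "$HOOKS_DIR"
  write_config "$CONFIG_FILE"
  git config --global core.hooksPath "$HOOKS_DIR"
  echo "global pre-commit hook installed in $HOOKS_DIR"
}

# Only install when asked; sourcing the file just defines the helpers.
if [ "${1:-}" = "install" ]; then
  install_global_hook
fi
```

Run it as "bash install-gitleaks-hook.sh install". Two design points worth knowing: the hook fails closed when gitleaks is missing from PATH, because silently skipping the scan defeats the purpose; and core.hooksPath replaces each repository's own .git/hooks directory, so any per-repo pre-commit hooks you already rely on stop running unless the global hook explicitly chains to them.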

One small annoyance

Sometimes it flags false positives. But you can bypass it with git commit --no-verify when you're sure it's safe. Keep in mind that --no-verify skips every pre-commit hook, not just this scan; for a known false positive, a trailing gitleaks:allow comment on the offending line, or its fingerprint in a .gitleaksignore file at the repo root, silences that one finding while keeping the hook active. Haven't needed to do that often though.

Already saved me twice from pushing stuff I shouldn't. Feels good knowing it's there watching.

Link: github.com/AmedeoV/gitleaks-pre-commit-hook
