We all write bad commit messages. "fix stuff", "wip", "asdf" — you know the ones. And we've all accidentally staged an .env file at 2 a.m. git-ai-pilot fixes both problems with a single command.
What is git-ai-pilot?
git-ai-pilot is an open-source CLI tool that replaces your entire git pull → add → commit → push loop with one command: git-auto. Under the hood it:
- Asks if you want to pull the latest changes
- Scans your working directory for secrets before staging anything
- Aborts immediately if secrets are found — before they ever enter git history
- Stages all modified files
- Generates a descriptive commit message using Google Gemini (falls back to OpenAI)
- Commits and pushes to your remote
- Prints the direct commit URL so you can share it instantly
╔══════════════════════════════════════════════╗
║ ✈️ Git AI Pilot v1.2.9 ║
╚══════════════════════════════════════════════╝
? Pull latest changes from remote? (y/n) › yes
[1/5] ✔ Pulled latest changes
[2/5] ✔ Security scan passed
[3/5] ✔ All files staged
[4/5] ✔ Commit message ready
↳ "✨ feat: add user authentication with JWT"
[5/5] ✔ Committed and pushed to remote
↳ https://github.com/you/repo/commit/abc1234
╔══════════════════════════════════════════════╗
║ ✅ Workflow completed successfully! ║
╚══════════════════════════════════════════════╝
Installation
You need Node.js v18+ and a Git repository with a remote configured.
npm install -g git-ai-pilot
Verify:
git-auto --version
On first run the setup wizard asks for your API key(s):
git-auto
# ⚠ No API key configured yet.
# ↳ Get a free Gemini key: https://aistudio.google.com/app/apikey
#
# › Gemini API Key (primary, free) :
# › OpenAI API Key (fallback, optional) :
Keys are stored in ~/.git-ai-pilot/config.json — never inside your project.
You can also set or update keys any time:
git-auto --config
The Full Git Workflow — Automated
Once configured, every commit is just:
cd your-project
git-auto
Here's exactly what happens behind the scenes:
Step 1 — Interactive Pull
? Pull latest changes from remote? (y/n) ›
Press y or Enter to pull, n to skip. No flags, no arguments — just one keypress.
Step 2 — Security Scan (before git add)
This is the most important step and the one that sets git-ai-pilot apart. The scan runs before staging, so secrets are caught before they ever touch git history.
It detects two categories of problems:
Sensitive files by filename:
| File | Severity |
|---|---|
.env, .env.local, .env.production
|
CRITICAL |
id_rsa, id_ed25519 (SSH private keys) |
CRITICAL |
*.pem, *.p12, *.pfx, *.keystore
|
CRITICAL |
credentials.json, secrets.yml
|
CRITICAL |
serviceAccountKey.json |
CRITICAL |
.netrc, .pgpass, .npmrc
|
CRITICAL |
Inline secret patterns in changed lines:
| Pattern | Severity |
|---|---|
| AWS Access/Secret Key | CRITICAL |
| Google API Key | CRITICAL |
| OpenAI API Key | CRITICAL |
| GitHub Token | CRITICAL |
| Stripe Secret Key | CRITICAL |
Private Key header (-----BEGIN PRIVATE KEY-----) |
CRITICAL |
| Database URLs with embedded credentials | CRITICAL |
Unquoted ENV secrets (API_KEY=sk-abc123) |
HIGH |
| Slack tokens, JWT tokens | HIGH |
| Hardcoded password strings | MEDIUM |
When a secret is found, the workflow stops immediately:
━━━ Security Scan Report ━━━
✖ 2 secret(s) found:
Critical : 1
High : 1
[CRITICAL] Sensitive file committed (.env file)
.env
[HIGH] ENV Secret Variable
src/config.ts:8
→ OPENAI_API_KEY=sk-abc123...
Result: BLOCKED — secrets detected
❌ Aborted: secrets detected in working directory.
Report saved to: .security-reports/security-report-1234567890.json
Remove the secrets before running git-auto again.
The tool also runs a dependency vulnerability audit — and it's not just npm. It auto-detects your project type and runs the right auditor:
| Language | Tool |
|---|---|
| Node.js | npm audit |
| Python | pip-audit |
| PHP | composer audit |
| Go | govulncheck |
| Ruby | bundle-audit |
| Rust | cargo audit |
| .NET | dotnet list |
Step 3 — Stage
# equivalent of:
git add .
Only runs after a clean security scan.
Step 4 — AI Commit Message
The staged diff is sent to Gemini (or OpenAI as fallback). The prompt instructs the AI to follow conventional commits with emoji prefixes:
✨ feat: add JWT-based authentication middleware
🐛 fix: resolve null pointer in user service
🔒 security: rotate API key references to env vars
♻️ refactor: extract payment logic into service layer
📝 docs: update API endpoint documentation
The fallback chain is automatic:
// ai-service.ts (simplified)
try {
return await generateCommitMessageGemini(diff);
} catch {
return await generateCommitMessageOpenAI(diff);
}
If both fail, the error message tells you exactly why each provider failed.
Step 5 — Commit & Push
# equivalent of:
git commit -m "✨ feat: ..."
git push
After the push, the CLI resolves the commit hash and prints the direct link — works with both HTTPS and SSH remotes:
↳ https://github.com/you/repo/commit/a3f9c2e
All Available Commands
| Command | What it does |
|---|---|
git-auto |
Run the full workflow |
git-auto --config |
Set or update API keys interactively |
git-auto --custom-command <name> |
Create a custom alias (e.g. gitsync) |
git-auto --reset-command |
Remove the custom alias |
git-auto --show-command |
Show the active command name |
git-auto --help |
Full help screen with live API key status |
git-auto --version |
Show the current version |
Custom alias example
If you want an even shorter command:
git-auto --custom-command gitsync
# Now you can just run:
gitsync
Auto Update Notifications
Every time you run git-auto, it silently checks npm for a newer version (with a 3 s timeout so it never blocks your workflow). When an update is available:
╔══════════════════════════════════════════════════╗
║ 🚀 Update available v1.2.8 → v1.2.9 ║
║ Run: npm install -g git-ai-pilot ║
╚══════════════════════════════════════════════════╝
Your stored API keys survive updates — they live in ~/.git-ai-pilot/config.json independently of the package.
The Tech Stack
git-ai-pilot is built with TypeScript in a Turborepo monorepo. The key dependencies:
| Package | Role |
|---|---|
simple-git |
Git operations (pull, add, commit, push, diff) |
@google/genai |
Gemini AI integration |
openai |
OpenAI fallback |
chalk |
Colored terminal output |
ora |
Animated spinners |
commander |
CLI flag parsing |
inquirer |
Interactive prompts |
The source is clean and readable — the entire workflow lives in apps/cli/src/index.ts as a single runGitWorkflow() function, and each concern (AI, security, config, update check) is a separate module.
Quick Start Checklist
# 1. Install
npm install -g git-ai-pilot
# 2. Get a free Gemini API key
# → https://aistudio.google.com/app/apikey
# 3. Go to any project with uncommitted changes
cd your-project
# 4. Run
git-auto
# The wizard will ask for your API key on first run
# 5. Add to .gitignore
echo ".security-reports/" >> .gitignore
Who Is This For?
- Solo developers tired of writing commit messages
- Teams that want a lightweight guardrail against accidental secret commits
- CI/CD-adjacent workflows where you want consistent, readable commit history
-
Anyone who has ever committed an
.envfile to a public repo 😅
Links
- npm: npmjs.com/package/git-ai-pilot
- GitHub: github.com/mirzasaikatahmmed/git-ai-pilot
- Author: Mirza Saikat Ahmmed
Give it a star if it saves you from a late-night .env commit. And if you've built something on top of it or have a feature idea, open an issue — contributions are very welcome.
Have you tried AI-assisted commit messages? What's your current git workflow? Let me know in the comments.
Top comments (0)