Block secrets from leaking
Pre-commit hooks

5min
Using pre-commit hooks
Pre-commit hooks are a useful way to prevent secrets in code from being pushed from a git repository. Preventing them from being leaked in the first place is always the best approach. 

If you run your own git server, see the pre-receive hooks option which can block commits with secrets from being accepted.
Configuration
An easy way to get started is to use the pre-commit framework.
Install it via pip:
Shell
pip install pre-commit
pip install pre-commit
﻿
Then, you will need a .pre-commit-config.yaml file in your repository.
You can place the launcher in your path to use directly, or use Docker.
Pre-commit config for TruffleHog in Docker
YAML
repos:
- repo: local
  hooks:
    - id: trufflehog
      name: TruffleHog
      description: Detect secrets in your data.
      entry: bash -c 'docker run -v "$(pwd):/workdir" -it --rm us-docker.pkg.dev/thog-artifacts/public/scanner:latest git main HEAD /workdir'
      language: system
      stages: ["commit", "push"]
repos:
- repo: local
  hooks:
    - id: trufflehog
      name: TruffleHog
      description: Detect secrets in your data.
      entry: bash -c 'docker run -v "$(pwd):/workdir" -it --rm us-docker.pkg.dev/thog-artifacts/public/scanner:latest git main HEAD /workdir'
      language: system
      stages: ["commit", "push"]
﻿
Pre-commit config for TruffleHog in your PATH
YAML
repos:
- repo: local
  hooks:
    - id: trufflehog
      name: TruffleHog
      description: Detect secrets in your data.
      entry: bash -c 'trufflehog-launcher git main HEAD'
      language: system
      stages: ["commit", "push"]
repos:
- repo: local
  hooks:
    - id: trufflehog
      name: TruffleHog
      description: Detect secrets in your data.
      entry: bash -c 'trufflehog-launcher git main HEAD'
      language: system
      stages: ["commit", "push"]
﻿
Once your config is in place, you just need to install the hook and you should be good to go!
Shell
$ pre-commit install --allow-missing-config
pre-commit installed at .git/hooks/pre-commit
$ pre-commit install --allow-missing-config
pre-commit installed at .git/hooks/pre-commit
﻿
﻿
Updated 23 Apr 2024
Did this page help you?
Scanning in CI
Pre-receive hooks