Block secrets from leaking

Pre-commit hooks

22min

Using pre-commit hooks

Pre-commit hooks are a useful way to prevent secrets in code from being pushed from a git repository. Preventing them from being leaked in the first place is always the best approach. If you run your own git server, consider the pre-receive hook option which can block commits with secrets from being accepted.

This guide covers how to set up TruffleHog as a pre-commit hook using two popular frameworks:

  1. Git's hooksPath feature - A built-in Git feature for managing hooks globally
  2. Using Pre-commit framework - A language-agnostic framework for managing pre-commit hooks
  3. Using Husky - A Git hooks manager for JavaScript/Node.js projects

Prerequisites

All of the methods require TruffleHog to be installed.

  1. Install TruffleHog:
Bash


Global setup using Git's hooksPath feature

This approach uses Git's core.hooksPath to apply hooks to all repositories without requiring any per-repository setup:

  1. Create a global hooks directory:
Bash

  1. Create a pre-commit hook file:
Bash

  1. Add the following content to ~/.git-hooks/pre-commit:
Using local binary
Using Docker

  1. Configure Git to use this hooks directory globally:
Bash


Now all your repositories will automatically use this pre-commit hook without any additional setup.

Using the Pre-commit Framework

The pre-commit framework is a powerful, language-agnostic tool for managing Git hooks.

Installation of Pre-commit

  1. Install the pre-commit framework:
Bash


Repository-Specific Setup

To set up TruffleHog as a pre-commit hook for a specific repository:

  1. Create a .pre-commit-config.yaml file in the root of your repository:
Using local binary
Using Docker

  1. Install the pre-commit hook:
Bash


Using Husky

Husky is a popular tool for managing Git hooks in JavaScript/Node.js projects.

Installation of Husky

  1. Install Husky in your project:
Bash

  1. Enable Git hooks:
Bash


Setting Up TruffleHog with Husky

  1. Add the following content to .husky/pre-commit:
Using local binary
Using Docker


Best Practices

Commit Process

For optimal hook efficacy:

  1. Execute git add followed by git commit separately. This ensures TruffleHog analyzes all intended changes.
  2. Avoid using git commit -am, as it might bypass pre-commit hook execution for unstaged modifications.

Skipping Hooks

In rare cases, you may need to bypass pre-commit hooks:

Bash


Troubleshooting

Hook Not Running

If your pre-commit hook isn't running:

  1. Ensure the hook is executable:

    Bash
    
  2. Check if hooks are enabled:

    Bash
    

False Positives

If you're getting false positives:

  1. Use the --results=verified flag to only show verified secrets
  2. Add trufflehog:ignore comments on lines with known false positives or risk-accepted findings

Conclusion

By integrating TruffleHog into your pre-commit workflow, you can prevent credential leaks before they happen. Choose the setup method that best fits your project's needs and development workflow.

For more information on TruffleHog's capabilities, refer to the main documentation.