Pre-receive hooks
Using pre-receive hooks

Pre-receive hooks are custom scripts executed by Git on the server side every time new commits are pushed to a repository. They inspect incoming changes before they are accepted into the repository, allowing enforcement of standards and rules without requiring users to install pre-commit hooks.

Note: not all Git distributions are created equal; providers often require users to either self-host their Git instance. Generally, hooks are run as executable scripts, but the specific implementation details of pre-receive hooks depend on the provider. Please consult your provider's relevant documentation for setting up pre-receive hooks.

To run as a pre-receive hook, the scanner needs to be invoked from a bash script using the git scanner. The --bare option is needed because the full repository is not available in the context of a pre-receive hook. The TruffleHog binary must be set as executable and be on the $PATH of the Git instance.

The example below should work for most providers; consult your provider's documentation for the appropriate file naming. Some providers accept arbitrary script names, e.g. trufflehog-hook.sh, while providers like GitLab require that the script name reflect the hook type, e.g. pre-receive.

Note: trufflehog in the script below refers to the open source scanner.

Pre-receive script for TruffleHog:

```bash
#!/bin/bash
# Scan the bare repository on the server; --fail makes the exit code non-zero
# when verified secrets are found, which causes git to reject the push.
trufflehog --no-update git --bare file://. --only-verified --fail
```
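The following is an added example and not TruffleHog's own hook script. It wraps the scanner command from this page with the interface git gives every pre-receive hook: one "old-sha new-sha ref-name" line per updated ref on stdin, stderr relayed back to the pusher, and a non-zero exit code rejecting the whole push. It assumes the trufflehog binary is executable and on $PATH for the git user, and that git sets GIT_DIR when it runs the hook; the TRUFFLEHOG_BIN override is a hypothetical knob for stubbing the scanner.

```bash
#!/bin/bash
# Added example pre-receive hook around the TruffleHog invocation shown above.
set -u

ZERO_SHA="0000000000000000000000000000000000000000"
SCANNER="${TRUFFLEHOG_BIN:-trufflehog}"   # hypothetical override, used to stub the scanner

# Print the names of refs whose update should be scanned: everything except
# deletions (new sha all zeros), which add no content to the repository.
refs_to_scan() {
  local old new ref
  while read -r old new ref; do
    [ -z "$ref" ] && continue
    [ "$new" = "$ZERO_SHA" ] && continue
    printf '%s\n' "$ref"
  done
}

# Read the ref lines git supplies on stdin, run the scanner over the bare
# repository exactly as the page shows, and return 1 (reject the push) when
# --fail makes trufflehog exit non-zero because a verified secret was found.
check_push() {
  local refs
  refs="$(refs_to_scan)"
  if [ -z "$refs" ]; then
    echo "pre-receive: only ref deletions, nothing to scan" >&2
    return 0
  fi
  echo "pre-receive: scanning pushed refs: $(echo "$refs" | tr '\n' ' ')" >&2
  if ! "$SCANNER" --no-update git --bare file://. --only-verified --fail; then
    echo "pre-receive: push rejected, verified secret(s) found in pushed commits" >&2
    return 1
  fi
  return 0
}

# Assumption: git exports GIT_DIR to hooks it runs. When the file is loaded
# elsewhere (e.g. by a test harness) only the functions above are defined.
if [ -n "${GIT_DIR:-}" ]; then
  check_push
  exit $?
fi
```

Everything written to stderr is shown to the user running git push, so the rejection message tells them why the push was refused without exposing the matched secret.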