Block secrets from leaking

Pre-receive hooks


Using pre-receive hooks

Pre-receive hooks are custom scripts that Git executes on the server side every time new commits are pushed to a repository. They inspect incoming changes before those changes are accepted into the repository, allowing standards and rules to be enforced centrally without requiring users to install pre-commit hooks.

NOTE: Not all Git distributions are created equal; providers often require users to self-host their Git instance in order to use pre-receive hooks. Generally, hooks are run as executable scripts, but the specific implementation details of pre-receive hooks depend on the provider. Please consult your provider's relevant documentation for setting up pre-receive hooks.

To run as a pre-receive hook, the scanner needs to be invoked from a bash script using the git scanner. The --bare option is required because the full repository (with a working tree) is not available in the context of a pre-receive hook.

The trufflehog binary needs to be set as executable and be in the $PATH of the Git instance. The example below should work for most providers. Consult your provider's documentation for the appropriate file name: some providers accept arbitrary script names, e.g. trufflehog_hook.sh, while providers such as GitLab require that the script name reflect the hook type, e.g. pre_receive.

NOTE: trufflehog in the script below refers to the open-source scanner.

Pre-receive script for TruffleHog

Shell




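An added example of such a hook (not TruffleHog's own script) that reads the ref updates Git passes on stdin and scans only the newly pushed commits. It assumes trufflehog is on $PATH and uses the scanner's --since-commit, --branch, --fail and --no-update flags, which are not described on this page; the path /srv/repo.git appears only as a constructed value.

```shell
#!/usr/bin/env bash
# Added example pre-receive hook (not the page's own script).
# Git feeds the hook one line per updated ref on stdin: "<old-sha> <new-sha> <ref>".
ZERO_SHA="0000000000000000000000000000000000000000"

# Print the trufflehog arguments for one ref update, or nothing when there is
# nothing new to scan (a branch or tag deletion). $3 is the bare repo path.
scan_args_for() {
  old_rev="$1"; new_rev="$2"; repo="$3"
  if [ "$new_rev" = "$ZERO_SHA" ]; then
    return 0
  fi
  if [ "$old_rev" = "$ZERO_SHA" ]; then
    # Brand-new ref: no previous tip to diff against, so scan its whole history.
    printf 'git file://%s --bare --branch %s --fail --no-update' "$repo" "$new_rev"
  else
    # Existing ref: scan only the commits being added on top of the old tip.
    printf 'git file://%s --bare --since-commit %s --branch %s --fail --no-update' \
      "$repo" "$old_rev" "$new_rev"
  fi
}

# Map trufflehog's exit status to a verdict. --fail exits 183 when results are
# found; any other non-zero status is a scanner error and is also rejected, so a
# broken scanner never silently waves a push through.
verdict_for() {
  case "$1" in
    0)   echo accept ;;
    183) echo reject-secrets ;;
    *)   echo reject-error ;;
  esac
}

run_hook() {
  repo="${GIT_DIR:-$PWD}"   # hooks run inside the bare repository
  status=0
  while read -r old_rev new_rev ref_name; do
    args="$(scan_args_for "$old_rev" "$new_rev" "$repo")"
    [ -z "$args" ] && continue
    # shellcheck disable=SC2086  # word splitting of the argument list is intended
    trufflehog $args
    verdict="$(verdict_for $?)"
    echo "trufflehog: $ref_name -> $verdict" >&2
    [ "$verdict" = accept ] || status=1   # non-zero exit makes Git refuse the push
  done
  return $status
}

# Git sets GIT_DIR when it runs hooks; only then perform the real scan.
if [ -n "${GIT_DIR:-}" ]; then
  run_hook
  exit $?
fi
```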
Updated 23 Apr 2024