Block secrets from leaking
Pre-receive hooks

2min
Using pre-receive hooks
Pre-receive hooks are custom scripts executed by Git on the server-side every time new commits are pushed to a repository. They inspect incoming changes before they are accepted into the repository, allowing for enforcement of standards and rules without requiring users to install pre-commit hooks.
NOTE: Not all Git distributions are created equal; providers often require users to either self-host their Git instance. Generally, hooks are run as executable scripts, but specific implementation details of pre-receive hooks depend on the provider. Please consult your provider's relevant documentation for setting up pre-receive hooks.
To run as a pre-receive hook, the scanner will need to be run via bash script, using the git scanner. The --bare option is needed as the full repository is not available in the context of a pre-receive hook.
The trufflehog binary will need to be set as executable and in the $PATH variable for the Git instance. The below example should work for most providers. Consult your provider documentation for appropriate file naming; some providers will accept arbitrary script names, e.g. trufflehog_hook.sh, while providers like GitLab require that the script name reflect the hook type, e.g. pre_receive.
NOTE: trufflehog in the script below refers to the open-source scanner.
Pre-receive script for TruffleHog
Shell
#!/bin/bash

/trufflehog --no-update git --bare file://. --only-verified --fail
#!/bin/bash

/trufflehog --no-update git --bare file://. --only-verified --fail
﻿
﻿
Pre-commit hooks
Deployment