---
title: Pre-receive hooks
slug: pre-receive-hooks
docTags: 
createdAt: 2024-04-18T14:12:05.188Z
---

## Using pre-receive hooks

Pre-receive hooks are custom scripts executed by Git on the server-side every time new commits are pushed to a repository. They inspect incoming changes before they are accepted into the repository, allowing for enforcement of standards and rules without requiring users to install pre-commit hooks.

**NOTE**: Not all Git distributions are created equal; providers often require users to either self-host their Git instance. Generally, hooks are run as executable scripts, but specific implementation details of pre-receive hooks depend on the provider. Please consult your provider's relevant documentation for setting up pre-receive hooks.

To run as a pre-receive hook, the scanner will need to be run via bash script, using the `git` scanner. The `--bare` option is needed as the full repository is not available in the context of a pre-receive hook.

The `trufflehog` binary will need to be set as executable and in the `$PATH` variable for the Git instance. The below example should work for most providers. Consult your provider documentation for appropriate file naming; some providers will accept arbitrary script names, e.g. `trufflehog_hook.sh`, while providers like GitLab require that the script name reflect the hook type, e.g. `pre_receive`.

**NOTE:** `trufflehog` in the script below refers to the open-source scanner.

### Pre-receive script for TruffleHog

```shell
#!/bin/bash

/trufflehog --no-update git --bare file://. --only-verified --fail
```