How to Add a Secret Scanning pre-commit Hook
A pre-commit hook runs the scanner on staged changes, blocking a commit before a secret is ever recorded.
Add the Gitleaks hook to .pre-commit-config.yaml and run pre-commit install. The hook scans staged files on every git commit.
Steps
- Add the
gitleakshook to.pre-commit-config.yaml. - Run
pre-commit installto register the git hook. - Keep the CI scan too, since local hooks can be skipped.
Config
.pre-commit-config.yaml
repos:
- repo: https://github.com/gitleaks/gitleaks
rev: v8.18.4
hooks:
- id: gitleaksGotchas
git commit --no-verifyskips the hook, so a server-side CI gate is still required.- Local hooks scan staged diffs only, not the full history a CI job should also cover.
Related guides
How to Add detect-secrets as a pre-commit HookWire Yelp detect-secrets into pre-commit so candidate secrets are caught on the developer machine before they…
How to Set Up Gitleaks Secret Scanning in CIAdd Gitleaks secret scanning to a GitHub Actions workflow with gitleaks/gitleaks-action, so every push and pu…