Adopt
Pre-commit hooks are the earliest possible security checkpoint — catching secrets, vulnerable patterns, and policy violations before code enters version control. With 85% of organizations having plaintext secrets in repositories (2025 State of Cloud Security), and AI assistants increasing leak rates, pre-commit hooks are essential.
Why It Matters for AI-Assisted Development
AI coding assistants may inadvertently include hardcoded credentials, API keys, or tokens in generated code. Pre-commit hooks operate at the individual developer level, before code enters the shared repository. Tools with pre-commit support include:
- TruffleHog: Comprehensive secret scanner with pre-commit support via Git's core.hooksPath setting, the pre-commit framework, or Husky
- Gitleaks / Betterleaks: Fast, lightweight secret scanners
- detect-secrets (Yelp): Baseline approach — accepts known secrets while blocking new ones
- MegaLinter: Analyzes 50 languages, 22 formats, and security issues in a single tool
Best Practices
- Defense-in-depth: Pre-commit + pre-receive + CI/CD + regular interval scanning
- Don't rely on developer discipline alone — enforce via pre-commit CI or branch protection rules
- Combine with .gitignore and GitHub Secret Scanning for layered protection
- Use git filter-repo for emergency response if secrets are committed
Strengths
- Shift-left security at the earliest possible point
- Low friction once configured
- Catches secrets before they enter version control
Limitations
- Can be bypassed with --no-verify
- Relies on developer setup for local hooks
- Does not catch vulnerabilities in logic or architecture
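To make the mechanism and its first limitation concrete, here is an added example (not code from this page or from TruffleHog, Gitleaks or detect-secrets) of a native Git pre-commit hook: it scans only the lines a commit would add, vetoes the commit on a hit, and does nothing at all when the developer passes --no-verify. The four detection rules are assumptions chosen to keep it short; real scanners carry hundreds of rules plus entropy checks.

```shell
#!/bin/sh
# Added example, not code from the page or from any scanner it names: a
# minimal native Git pre-commit hook that scans only the lines a commit would
# ADD for a few illustrative secret patterns. Real scanners (TruffleHog,
# Gitleaks, detect-secrets) ship hundreds of tuned rules plus entropy checks;
# the four rules below are assumptions chosen to keep the example short.

AWS_KEY_RE='AKIA[0-9A-Z]{16}'                     # AWS access key ID prefix
GITHUB_PAT_RE='ghp_[A-Za-z0-9]{36}'               # classic GitHub PAT
PRIVATE_KEY_RE='-----BEGIN [A-Z ]*PRIVATE KEY-----'
# "password = 'x...'" style assignments, matched case-insensitively below
CREDENTIAL_RE="(password|passwd|secret|api[_-]?key)[[:space:]]*[:=][[:space:]]*[\"'][^\"']{8,}"

# match_rule NAME GREPFLAGS ERE TEXT: print "NAME: line" for every line of
# TEXT that matches ERE; return 0 on at least one hit, 1 otherwise.
match_rule() {
  m=$(printf '%s\n' "$4" | grep "$2" -e "$3" || true)
  [ -n "$m" ] || return 1
  printf '%s\n' "$m" | sed "s/^/$1: /"
}

# scan_added_lines: read a unified diff on stdin (e.g. `git diff --cached
# -U0`), keep only "+" content lines (dropping the "+++ b/path" headers so
# file names are never flagged), and report every rule hit. Returns 0 when
# the diff is clean and 1 when anything matched, so it can veto a commit.
scan_added_lines() {
  added=$(sed -n 's/^+//p' | grep -v '^++ ' || true)
  hits=0
  match_rule aws-access-key-id    -E  "$AWS_KEY_RE"     "$added" && hits=1
  match_rule github-pat           -E  "$GITHUB_PAT_RE"  "$added" && hits=1
  match_rule private-key-block    -E  "$PRIVATE_KEY_RE" "$added" && hits=1
  match_rule hardcoded-credential -Ei "$CREDENTIAL_RE"  "$added" && hits=1
  [ "$hits" -eq 0 ]
}

# Git runs an installed hook as .git/hooks/pre-commit with no arguments, so
# only scan the index when this file is invoked under that name. Note that
# `git commit --no-verify` skips this entirely, as the Limitations section
# says, which is why pre-receive and CI scanning still have to exist.
if [ "${0##*/}" = "pre-commit" ]; then
  if git diff --cached -U0 --no-color | scan_added_lines; then
    exit 0
  fi
  echo "pre-commit: possible secret in staged changes; commit blocked" >&2
  exit 1
fi
```

Install by copying the file to .git/hooks/pre-commit and making it executable; removed lines are deliberately ignored, since deleting a secret from a file does not leak it.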