This repository uses automated pre-commit hooks to scan for security vulnerabilities, exposed secrets, API keys, passwords, and other sensitive data before code is committed.
The pre-commit hooks perform the following security checks:
- Semgrep: Scans for hardcoded secrets, API keys, passwords, and security anti-patterns
- TruffleHog: Detects high-entropy strings and known secret patterns
- GitLeaks: Additional secret detection with pattern matching
- Built-in Checks: Detects private keys, AWS credentials, large files, and trailing whitespace
Install the required tools:

```bash
# Install pre-commit framework
pip install pre-commit

# Install Semgrep
pip install semgrep

# Install TruffleHog (requires Go)
go install github.com/trufflesecurity/trufflehog/v3@latest

# Install GitLeaks (alternative: download binary from releases)
go install github.com/gitleaks/gitleaks/v8@latest

# Or use package managers:
# macOS
brew install pre-commit semgrep trufflehog gitleaks

# Ubuntu/Debian
pip install pre-commit semgrep
# Download TruffleHog and GitLeaks binaries separately
```

- Install the hooks in your local repository:

```bash
cd /path/to/github-security-testbed
pre-commit install
```

- Verify installation:

```bash
pre-commit --version
```

You should see output like `pre-commit 3.x.x`.

- (Optional) Run against all files to test:

```bash
pre-commit run --all-files
```

Once installed, the hooks run automatically on every `git commit`:
```bash
git add myfile.js
git commit -m "Add new feature"
# Pre-commit hooks will run automatically
```

Run hooks manually without committing:

```bash
# Scan all files
pre-commit run --all-files

# Scan specific files
pre-commit run --files src/auth.js src/config.js

# Run specific hook only
pre-commit run semgrep --all-files
pre-commit run trufflehog --all-files
```

If you need to bypass hooks temporarily (not recommended for security-sensitive changes):

```bash
git commit --no-verify -m "Emergency fix"
```

If a secret or security issue is found:
- Commit is blocked - Your commit will fail
- Results are displayed - You'll see which files and lines contain issues
- Fix the issues - Remove or properly secure the detected secrets
- Retry commit - After fixing, try committing again
Example output:

```text
Semgrep Security Scan........................................Failed
- hook id: semgrep
- exit code: 1

src/config.js
  severity:error rule:generic.secrets.gitleaks.generic-api-key
  Found hardcoded API key
  Line 12: const API_KEY = "sk_live_51234567890abcdef"
```
The hook configuration is in `.pre-commit-config.yaml`. You can customize:

- Semgrep rules - Modify `args` under the Semgrep hook
- File exclusions - Update `exclude` patterns
- Hook versions - Update `rev` values to newer versions

Example customization:

```yaml
- id: semgrep
  args:
    - --config=p/secrets
    - --config=p/owasp-top-ten # Add more rulesets
    - --error
```

Troubleshooting common problems:

If the hooks do not run, update pre-commit and reinstall the hooks:

```bash
# Update pre-commit
pip install --upgrade pre-commit

# Reinstall hooks
pre-commit uninstall
pre-commit install
```

If Semgrep is not found, make sure it is on your `PATH` and up to date:

```bash
# Ensure Semgrep is in PATH
which semgrep
pip install --upgrade semgrep
```

If TruffleHog or GitLeaks are not found, check the installation and add the Go bin directory to your `PATH`:

```bash
# Check installation
which trufflehog
which gitleaks

# Add Go bin to PATH if needed
export PATH=$PATH:$(go env GOPATH)/bin
```

If the hooks are slow, update to the latest hook versions or disable specific slow hooks:

```bash
# Update to latest hook versions
pre-commit autoupdate

# Or disable specific slow hooks
# (comment out in .pre-commit-config.yaml)
```

Best practices:

- Never commit secrets - Use environment variables or secret management tools
- Use `.gitignore` - Exclude files with sensitive data (`.env`, `secrets.json`)
- Regular updates - Keep hooks updated with `pre-commit autoupdate`
- Team adoption - Ensure all developers install the hooks
- CI/CD integration - Run the same checks in the CI pipeline (see `.github/workflows/`)
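Putting the sections above together, the following is a complete `.pre-commit-config.yaml` written for this page as an added example; it is not the repository's own file. It assumes the three scanners are installed as system tools (as in the install steps) and wires them in as `repo: local` hooks under the ids `semgrep`, `trufflehog` and `gitleaks` that `pre-commit run <hook>` refers to; the built-in checks come from the `pre-commit/pre-commit-hooks` repository, whose `rev` is a placeholder to replace with a real release. The `exclude` regex, the `--maxkb` limit and the `name` strings are illustrative values.

```yaml
# .pre-commit-config.yaml (added example; not the repository's own file)
# Top-level exclude: files matching this regex are never handed to any hook.
# Illustrative pattern; keep it narrow so a secret cannot hide in an excluded path.
exclude: '^(vendor/|node_modules/|.*\.min\.js$)'
fail_fast: false # run every hook so one failure does not mask another

repos:
  # Built-in checks: private keys, AWS credentials, large files, trailing whitespace
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: vX.Y.Z # placeholder: pin to a real release, then bump with `pre-commit autoupdate`
    hooks:
      - id: detect-private-key
      - id: detect-aws-credentials
        args: [--allow-missing-credentials] # pass on machines with no ~/.aws/credentials
      - id: check-added-large-files
        args: [--maxkb=1024] # illustrative size limit
      - id: trailing-whitespace

  # Scanners installed as system tools (pip / go install / brew, see the install steps)
  - repo: local
    hooks:
      - id: semgrep
        name: Semgrep Security Scan
        entry: semgrep
        language: system
        # pre-commit appends the staged file names; --error makes any finding fail the commit
        args:
          - --config=p/secrets
          - --error
          - --quiet

      - id: trufflehog
        name: TruffleHog
        language: system
        # Scans what is about to be committed (changes since HEAD).
        # --only-verified reports only secrets that validate against their provider
        # (needs network access); drop it to also see unverified high-entropy candidates.
        entry: trufflehog git file://. --since-commit HEAD --only-verified --fail
        pass_filenames: false

      - id: gitleaks
        name: GitLeaks
        language: system
        # Scans staged changes; --redact keeps the secret value itself out of the terminal log
        entry: gitleaks protect --staged --redact
        pass_filenames: false
```

With this file in place, `pre-commit install` followed by `pre-commit run --all-files` exercises every hook; the local scanner hooks report a missing binary (rather than silently passing) if the tool is not on `PATH`, which is the failure the troubleshooting section above addresses.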
For issues with the hooks:

- Check this documentation
- Run `pre-commit run --all-files --verbose` for detailed output
- Review the `.pre-commit-config.yaml` configuration
- Open an issue in this repository
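The CI/CD best practice above, running the same checks in the pipeline, can be done with a GitHub Actions workflow under `.github/workflows/`. The workflow below is an added example written for this page, not a file from the repository: it installs the same tools with the commands from the install section, runs every hook over the whole tree, and adds a full-history TruffleHog scan because the commit-time hook only looks at the change being committed. The branch name `main` and the file name are assumptions.

```yaml
# .github/workflows/pre-commit.yml (added example; not the repository's own workflow)
name: Security pre-commit checks

on:
  push:
    branches: [main] # assumption: adjust to the repository's default branch
  pull_request:

jobs:
  hooks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0 # full history, so the history scan below sees every commit

      - uses: actions/setup-python@v5
        with:
          python-version: '3.x'

      - uses: actions/setup-go@v5
        with:
          go-version: stable

      - name: Install pre-commit and the scanners (same commands as the local install)
        run: |
          pip install pre-commit semgrep
          go install github.com/trufflesecurity/trufflehog/v3@latest
          go install github.com/gitleaks/gitleaks/v8@latest
          echo "$(go env GOPATH)/bin" >> "$GITHUB_PATH"

      - name: Run every hook against all files
        # The same hooks developers run locally; any finding fails the job
        run: pre-commit run --all-files --show-diff-on-failure

      - name: Scan the full git history for verified secrets
        # The commit-time TruffleHog hook covers only the change being committed;
        # in CI, walk the whole history so secrets committed earlier surface too.
        run: trufflehog git file://. --only-verified --fail
```

Because the job runs on every push and pull request, a developer who bypasses the local hooks with `--no-verify` still gets the same findings reported on the pull request before the change is merged.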