Git hooks are scripts that Git runs automatically at defined points in its workflow: before and after a commit, before a rebase, after a checkout, and when a server receives a push. They are ordinary executable files in the repository's hooks directory (.git/hooks by default), so a hook can run any check or action you can script, and a hook that runs before an operation can abort it by exiting with a non-zero status. The hooks most useful in the commit process are described below.
Hooks fall into two buckets: client-side hooks and server-side hooks. Client-side hooks live in the hooks directory of a developer's local clone. They are not part of the repository's history, so they are never pushed or cloned: every developer has to install them (or point core.hooksPath at a shared directory), and a developer can skip the pre-commit and commit-msg hooks with git commit --no-verify. Treat them as a safety net for developers rather than a control. Server-side hooks run on the central repository when a push arrives and cannot be bypassed from the client, so that is where policy is enforced. Within each category, a hook can run before an operation (and abort it) or after it (for notification only).
The pre-commit hook runs on git commit before Git asks for a commit message or creates the commit object. It takes no arguments and inspects the snapshot about to be committed (the staged changes, git diff --cached), typically to run linters or tests or to scan for secrets; exiting non-zero aborts the commit. It can be skipped with git commit --no-verify.
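The following pre-commit hook is an added example, not code from the article or its lesson. It scans only the lines being added in the staged diff for a handful of secret patterns (AWS access key IDs, PEM private keys, GitHub tokens, and obvious "password = ..." assignments); the pattern list and the "file: line" output format are assumptions chosen for illustration.

```sh
#!/bin/sh
# Added example pre-commit hook (illustration, not the article's own code).
# It scans the lines being added in the staged diff for a few high-signal
# secret patterns and aborts the commit when any are found.
# Install: copy to .git/hooks/pre-commit and make it executable.

# scan_for_secrets reads a unified diff on stdin, tags each added line with
# the file it belongs to, and greps the result for the patterns below (an
# assumed, illustrative list; extend it for your environment). It prints
# "file: line" for every hit and returns 0 when clean, 1 when anything matched.
scan_for_secrets() {
    awk '
        /^\+\+\+ / { file = substr($0, 7); next }      # "+++ b/path" -> "path"
        /^\+/      { print file ": " substr($0, 2) }   # added content lines only
    ' | grep -iE \
        -e 'AKIA[0-9A-Z]{16}' \
        -e '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' \
        -e 'ghp_[A-Za-z0-9]{36}' \
        -e '(api[_-]?key|secret|passw(or)?d|token)[[:space:]]*[:=][[:space:]]*[^[:space:]]{8,}' \
    && return 1
    return 0
}

# When Git runs this file as the pre-commit hook, scan the staged changes.
# -U0 keeps only the changed lines; --no-color and --no-ext-diff keep the
# output plain for the parser. Sourcing the file only defines the function.
case "$0" in
    */pre-commit)
        if ! git diff --cached --no-color --no-ext-diff -U0 | scan_for_secrets; then
            echo "pre-commit: possible secret(s) in staged changes; commit aborted." >&2
            echo "Remove them, or bypass once with git commit --no-verify if this is a false positive." >&2
            exit 1
        fi
        ;;
esac
```

Scanning the diff rather than the working tree keeps the hook fast and avoids flagging secrets that were committed long ago; remember that the same developer can still skip this check with --no-verify, so the server-side pre-receive hook is where the scan becomes a control.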
The prepare-commit-msg hook runs just after pre-commit (if the commit has not been aborted) and before the editor opens, to populate the default commit message. Git passes it the path of the file holding the message, the source of that message (message, template, merge, squash or commit, or nothing for a plain git commit) and, when a commit is amended or reused with -c or -C, that commit's SHA. It is typically used to seed a template with context such as the branch name, issue key or developer name, which saves typing and keeps messages consistent. Exiting non-zero aborts the commit, and unlike pre-commit this hook is not skipped by --no-verify.
The commit-msg hook runs after prepare-commit-msg, once the user has finished editing the message. Where prepare-commit-msg provides the template, commit-msg checks that the final message is properly formatted, because the user may have changed or removed whatever prepare-commit-msg inserted. Git passes it the path of the file containing the message, so the hook can also normalize the message in place. It can warn about problems, or abort the commit entirely by exiting non-zero. Like pre-commit, it is skipped by git commit --no-verify.
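The script below is an added example covering both the prepare-commit-msg and the commit-msg hook described above; it is not code from the article or its lesson. It assumes a team convention, chosen for illustration, that branches are named like feature/PROJ-123-short-description and that every commit subject must start with that issue key ("PROJ-123: Add secret scan"), with at most 72 characters and a blank line before any body. The same file is installed under both hook names and dispatches on the name Git invokes it by.

```sh
#!/bin/sh
# Added example (illustration, not the article's own code) implementing both
# message hooks in one file. Copy it to .git/hooks/prepare-commit-msg and to
# .git/hooks/commit-msg (both executable). Assumed team convention: branches
# are named like feature/PROJ-123-short-description and every commit subject
# must start with that issue key, as in "PROJ-123: Add secret scan".

# issue_key_from_branch prints the first issue key (upper-case project code,
# dash, number) found in a branch name, or nothing if there is none.
issue_key_from_branch() {
    printf '%s\n' "$1" | grep -oE '[A-Z][A-Z0-9]+-[0-9]+' | head -n 1
}

# prepare_message seeds the message file $1 with "KEY: " taken from branch
# name $2, unless the first line already starts with that key (so running it
# again, or on an amended commit, does not duplicate it).
prepare_message() {
    msgfile=$1
    key=$(issue_key_from_branch "$2")
    [ -n "$key" ] || return 0
    case "$(sed -n '1p' "$msgfile")" in
        "$key":*) return 0 ;;
    esac
    tmp=$(mktemp) || return 1
    { printf '%s: ' "$key"; cat "$msgfile"; } > "$tmp" && mv "$tmp" "$msgfile"
}

# check_message validates the final message in file $1: comment lines and
# leading blank lines are dropped (as Git does), the subject must be
# "KEY: text" of at most 72 characters, and any body must be separated from
# the subject by a blank line. Returns 1 with a reason on stderr if not.
check_message() {
    cleaned=$(sed -e '/^#/d' "$1" | sed -e '/./,$!d')
    subject=$(printf '%s\n' "$cleaned" | sed -n '1p')
    second=$(printf '%s\n' "$cleaned" | sed -n '2p')
    if ! printf '%s\n' "$subject" | grep -qE '^[A-Z][A-Z0-9]+-[0-9]+: [^[:space:]]'; then
        echo "commit-msg: subject must start with an issue key, e.g. 'PROJ-123: Summary'" >&2
        return 1
    fi
    if [ "${#subject}" -gt 72 ]; then
        echo "commit-msg: subject line longer than 72 characters" >&2
        return 1
    fi
    if [ -n "$second" ]; then
        echo "commit-msg: separate the subject from the body with a blank line" >&2
        return 1
    fi
    return 0
}

# Git passes the message file as $1 to both hooks; prepare-commit-msg also
# gets the message source as $2. Merge and squash messages are left alone.
case "$0" in
    */prepare-commit-msg)
        case "${2:-}" in
            merge|squash) ;;
            *) prepare_message "$1" "$(git symbolic-ref --short -q HEAD 2>/dev/null)" ;;
        esac
        ;;
    */commit-msg)
        check_message "$1" || exit 1
        ;;
esac
```

On a detached HEAD git symbolic-ref prints nothing, so prepare_message becomes a no-op and commit-msg then rejects the message unless the developer types the key by hand; that is the intended behaviour, since the check, not the template, is what enforces the convention.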
The post-commit hook runs immediately after the commit object has been created, that is, once commit-msg has succeeded. It takes no parameters and its exit status is ignored, so it cannot change the outcome of the commit; it is used to notify people or processes that the commit happened.
The pre-rebase hook runs before git rebase does any work. Git passes it the upstream the series was forked from and, when a branch other than the current one is being rebased, the name of that branch; exiting non-zero aborts the rebase. Because a rebase rewrites history, this hook is commonly used to refuse rebasing commits that have already been published, and its logic tends to be more involved than that of other hooks. Git ships a sample that implements such a check; view it by typing: cat .git/hooks/pre-rebase.sample.
The post-checkout hook runs after a successful git checkout (and after git clone, unless --no-checkout is given). Git passes it the previous HEAD, the new HEAD, and a flag that is 1 for a branch checkout and 0 for a file checkout; its exit status cannot affect the checkout. It is used to set up the development environment after switching branches, for example by reinstalling dependencies when a lockfile changed between the two commits.
The pre-receive hook runs on the server whenever a client pushes with git push, once per push and before any ref is updated. It reads one line per ref to be updated from standard input, each carrying the old object name, the new object name and the ref name (40 zeros stand for a ref that does not yet exist or is being deleted), and exiting non-zero rejects the whole push. Because it runs on the central repository, it cannot be bypassed by client options such as --no-verify, which makes it the right place to enforce policy: protecting branches, refusing history rewrites, or rejecting commits that contain secrets.
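As an added example (not the article's or its lesson's code), here is a pre-receive hook that enforces a small, assumed ref policy: the main branch and release/* branches may not be deleted or force-pushed, and existing tags may not be moved or deleted. The protected branch names and the policy itself are illustrative choices; the stdin format and the zero object name are Git's.

```sh
#!/bin/sh
# Added example pre-receive hook (illustration, not the article's own code).
# Install on the server as <repo>.git/hooks/pre-receive and make it executable.
# Git feeds one line per ref the client wants to update on stdin:
#   <old-object> <new-object> <refname>
# with 40 zeros as the old value for a new ref and as the new value for a
# deletion. Exiting non-zero rejects the whole push, every ref included.

ZERO=0000000000000000000000000000000000000000

# Assumed policy (adjust to taste): these branches may not be deleted or
# force-pushed, and existing tags may not be moved or deleted.
is_protected_branch() {
    case "$1" in
        refs/heads/main|refs/heads/release/*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_ref_update applies the policy to one "old new ref" triple. Prints the
# reason on stderr and returns 1 when the update must be rejected.
check_ref_update() {
    old=$1 new=$2 ref=$3
    if is_protected_branch "$ref"; then
        if [ "$new" = "$ZERO" ]; then
            echo "pre-receive: refusing to delete protected branch $ref" >&2
            return 1
        fi
        # A history rewrite shows up as the old tip no longer being an ancestor
        # of the new one. Only meaningful for an existing ref, and it needs the
        # pushed objects, which Git has already stored when this hook runs.
        if [ "$old" != "$ZERO" ] && ! git merge-base --is-ancestor "$old" "$new"; then
            echo "pre-receive: refusing non-fast-forward update of $ref" >&2
            return 1
        fi
    fi
    case "$ref" in
        refs/tags/*)
            if [ "$old" != "$ZERO" ]; then
                echo "pre-receive: refusing to move or delete existing tag $ref" >&2
                return 1
            fi
            ;;
    esac
    return 0
}

# pre_receive reads the triples from stdin, evaluates every one of them (so
# the pusher sees all the reasons at once) and returns 1 if any was rejected.
pre_receive() {
    rc=0
    while read -r old new ref; do
        check_ref_update "$old" "$new" "$ref" || rc=1
    done
    return $rc
}

case "$0" in
    */pre-receive) pre_receive || exit 1 ;;
esac
```

The same loop is the natural place to run a secret scan on the server side: for each updated branch, pipe git diff "$old" "$new" (or, for a new branch, git log -p with the new tip) through the scanner used in the pre-commit example, and reject the push on a hit. Unlike the client-side scan, a developer cannot skip this one.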
The post-receive hook runs after a push has been accepted and all of its refs have been updated. It reads the same lines as pre-receive from standard input, but its exit status can no longer affect the push, so it is used to send notifications or to kick off CI or a deployment. It is the server-side counterpart of the client-side post-commit hook and the more logical place for notifications, since it sees every push that reaches the central repository.
With the freedom of customizing git hooks to do virtually anything within your commit process, you can write scripts that will provide extra layers of security in your Secure Software Development Lifecycle. You can visit our Commit Hooks Lesson where we step through creating our own hook to search for secrets left in code. Want to learn about Threat Modeling? Check out this article for a practical introduction to the topic, which includes a free threat modeling template!
Note: This article was adapted from the Commit Hooks lesson in our training platform. Want to learn more about our secure coding and application security training? Contact us to schedule a conversation.