Reusable pre-commit hooks for GitOps, security, and multi-agent workflows.
| Hook | Description |
|---|---|
| `check-branch-staleness` | Fail if branch is behind the default branch. Prevents stale commits in multi-agent or team workflows. |
| `trivy-deps` | Scan dependency lockfiles for HIGH/CRITICAL CVEs. Catches what `trivy config` misses. |
| `no-hardcoded-secrets` | Detect hardcoded passwords and API keys in YAML files. |
| `require-signed-commits` | Block commits where `commit.gpgsign` is not `true` or `user.signingkey` is unset. |
## Installation

Add to your `.pre-commit-config.yaml`:

```yaml
- repo: https://github.com/injectedfusion/pre-commit-hooks
  rev: v0.1.0
  hooks:
    - id: check-branch-staleness
    - id: trivy-deps
    - id: no-hardcoded-secrets
```

Then install:
```bash
pip install pre-commit  # if not already installed
pre-commit install
```

Some hooks (like `require-signed-commits`) enforce personal discipline that shouldn't be imposed on teammates. Use a global git hook instead — fires on every repo with zero per-repo setup:
```bash
mkdir -p ~/.config/git/hooks
git config --global core.hooksPath ~/.config/git/hooks
```

Create `~/.config/git/hooks/pre-commit`:
```bash
#!/usr/bin/env bash
set -euo pipefail

# Personal check (e.g. signing)
gpgsign="$(git config --get commit.gpgsign 2>/dev/null || echo 'false')"
if [[ "$gpgsign" != "true" ]]; then
  echo "✗ Unsigned commit blocked: commit.gpgsign is not set to true"
  exit 1
fi

signingkey="$(git config --get user.signingkey 2>/dev/null || echo '')"
if [[ -z "$signingkey" ]]; then
  echo "✗ Unsigned commit blocked: user.signingkey is not set"
  exit 1
fi

# Chain to repo pre-commit config if present.
# core.hooksPath replaces the per-repo .git/hooks directory, so the hook that
# `pre-commit install` writes there is no longer run; call pre-commit directly.
# The .local.yaml variant, if present, takes precedence over the shared config.
repo_root="$(git rev-parse --show-toplevel)"
for config in "$repo_root/.pre-commit-config.local.yaml" "$repo_root/.pre-commit-config.yaml"; do
  if [[ -f "$config" ]]; then
    exec pre-commit run --config "$config" --hook-stage pre-commit
  fi
done
```

Make it executable:

```bash
chmod +x ~/.config/git/hooks/pre-commit
```

## check-branch-staleness

Fetches the remote default branch and fails if the current branch is behind. Auto-detects the default branch (main, develop, master, etc.) — no configuration needed.
Designed for workflows where multiple developers or AI agents work concurrently on the same repo, preventing commits against stale state.
Behavior:
- Skips on the default branch itself
- Gracefully skips if offline
- Shows which commits are missing
## trivy-deps

Scans dependency lockfiles for known vulnerabilities using Trivy. Triggers on changes to:

`Cargo.lock`, `package-lock.json`, `go.sum`, `requirements.txt`, `poetry.lock`, `pnpm-lock.yaml`, `yarn.lock`, `Gemfile.lock`, `composer.lock`

Requires: `trivy` installed locally (`brew install trivy`).
## no-hardcoded-secrets

Regex-based detection of hardcoded credentials in YAML files. Catches patterns like:

```yaml
password: "AcT3kR9base64string..."
api_key: 'longSecretValue123...'
```

Ignores common templating patterns (`$__env{}`, `secretRef`, `existingSecret`).
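To make the detect-then-allowlist logic concrete, here is an added example (not the repo's own hook) that flags literal values under credential-looking YAML keys and skips the `$__env{}`, `secretRef` and `existingSecret` patterns above; the key list, the minimum value length and the constructed `values.yaml` are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example, not the repo's own hook: a minimal no-hardcoded-secrets style
# check. Flags YAML keys such as password/api_key/token whose value is a
# literal, but ignores the templating patterns the README lists
# ($__env{}, secretRef, existingSecret). Key list and regexes are assumptions.
set -eu

# Keys whose literal values are treated as credentials (assumed list).
SECRET_KEYS='(password|passwd|api[_-]?key|secret|token|access[_-]?key)'

# Returns 0 when a single YAML line carries a literal credential, 1 otherwise.
line_is_secret() {
  line="$1"
  # Key at the start of the line, a colon, then an optionally quoted value of 8+ chars.
  if ! printf '%s\n' "$line" |
      grep -Eiq "^[[:space:]-]*${SECRET_KEYS}[[:space:]]*:[[:space:]]*['\"]?[^[:space:]'\"#]{8,}['\"]?[[:space:]]*(#.*)?$"; then
    return 1
  fi
  # Indirection via env templating or a Secret reference is not a hardcoded value.
  if printf '%s\n' "$line" | grep -Eq '\$__env\{|secretRef|existingSecret'; then
    return 1
  fi
  return 0
}

# Prints "file:line: content" for each finding; returns 1 if any, 0 if clean.
scan_yaml_secrets() {
  file="$1"; n=0; found=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    if line_is_secret "$line"; then
      printf '%s:%d: %s\n' "$file" "$n" "$line"
      found=1
    fi
  done < "$file"
  return "$found"
}

# Constructed sample input (not from any real project).
demo_dir="$(mktemp -d)"
cat > "$demo_dir/values.yaml" <<'EOF'
db:
  password: "AcT3kR9base64string"
  api_key: 'longSecretValue123'
grafana:
  password: $__env{GF_ADMIN_PASSWORD}
  existingSecret: grafana-admin
EOF

# Two findings expected (db.password, db.api_key); the templated and
# referenced values are skipped, which is what lets the hook stay quiet on Helm
# and Grafana-style configs.
scan_yaml_secrets "$demo_dir/values.yaml" || echo "secrets found: blocking commit"
```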
## Requirements

- pre-commit >= 2.0
- git (for check-branch-staleness)
- trivy (for trivy-deps, optional — hook skips gracefully if missing)
## License

MIT