Stop secrets before they leave your laptop (Git hooks + ggshield install)
Let's look at Git hooks, which is where ggshield really starts paying off in day-to-day developer workflow.
https://docs.gitguardian.com/ggshield-docs/home
Git hooks are built-in automation in Git. When certain events happen, like committing or pushing, Git checks for specific files inside the .git/hooks folder. If a hook file exists, Git runs it automatically. For example, if there's a file named pre-commit, Git will execute it every time you commit.
ggshield includes three hook-focused secret scan commands: pre-commit, pre-push, and pre-receive. In this video we focus on the two you run locally on a developer machine: pre-commit and pre-push. Pre-receive runs on the server side and usually requires admin access, so we’re skipping it here, but you can look up how your repo host supports it (like GitHub or GitLab).
The goal is simple: stop secrets from entering Git history in the first place, and prevent them from getting pushed to the shared repo.
You can build a hook manually by creating a file named pre-commit inside .git/hooks, making it executable, and adding:
#!/bin/sh
ggshield secret scan pre-commit "$@"
Once saved, every commit triggers a scan of what you’re about to commit. If ggshield finds a secret, it blocks the commit and shows you what it found, where it lives, what type it is, whether it looks valid, and what to do next. That remediation guidance can be customized from within your GitGuardian workspace.
Pre-push works the same way, but later in the flow. It scans right before code leaves your machine, which is especially useful for catching secrets that may have entered your local history through patches or commits you didn’t author.
The good news is you don't have to write these hooks yourself. That's what ggshield install is for. It doesn't install ggshield the tool; it installs the Git hook for you, either for the current repo or for every repo on your machine.
The key options you'll see are:
- --mode (local or global): local installs the hook only for the current repository; global installs it for all repos by updating your Git configuration.
- --hook-type (pre-commit or pre-push): choose which hook you want to install (the default is pre-commit).
- --force: overwrite an existing hook script.
- --append: add ggshield scanning to the end of an existing hook, which is often the safest and most practical option when a repo already has hook logic.
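To make the manual hook recipe above and the install options concrete, here is an added example (not code from the ggshield project or the GitGuardian docs) of a small POSIX sh installer that does for a single repository what ggshield install --mode local does: it writes a pre-commit or pre-push hook, refuses to clobber an existing hook unless asked to, and in append mode adds the scan line to an existing hook exactly once. The function names, the `action` argument and the marker string are this example's own assumptions; ggshield itself is only written into the hook, never executed here.

```shell
#!/bin/sh
# Added example, not ggshield's own code: a minimal local hook installer
# that mirrors the create / append / force behaviour of `ggshield install`.

# Line that identifies a hook already running ggshield (assumed marker).
GGSHIELD_MARKER='ggshield secret scan'

# install_ggshield_hook REPO_DIR HOOK_TYPE [ACTION]
#   HOOK_TYPE: pre-commit or pre-push
#   ACTION:    create (default; fail if a hook already exists)
#              append (add the scan line to an existing hook, idempotent)
#              force  (overwrite an existing hook)
# Returns 0 on success, 1 when it refuses or the input is invalid.
install_ggshield_hook() {
  repo_dir=$1
  hook_type=$2
  action=${3:-create}
  hooks_dir="$repo_dir/.git/hooks"
  hook_path="$hooks_dir/$hook_type"
  # "$@" forwards the remote name and URL that Git passes to pre-push hooks.
  scan_line="ggshield secret scan $hook_type \"\$@\""

  case "$hook_type" in
    pre-commit|pre-push) ;;
    *) echo "unsupported hook type: $hook_type" >&2; return 1 ;;
  esac
  [ -d "$hooks_dir" ] || { echo "no .git/hooks in: $repo_dir" >&2; return 1; }

  if [ -f "$hook_path" ]; then
    case "$action" in
      create)
        echo "hook already exists: $hook_path (use append or force)" >&2
        return 1 ;;
      append)
        # Never add a second scan line to a hook that already runs ggshield.
        if grep -q "$GGSHIELD_MARKER" "$hook_path"; then
          return 0
        fi
        printf '\n%s\n' "$scan_line" >> "$hook_path"
        chmod +x "$hook_path"
        return 0 ;;
      force) ;;   # fall through and overwrite below
      *) echo "unknown action: $action" >&2; return 1 ;;
    esac
  fi

  # Fresh hook: the same two lines the manual recipe uses.
  printf '#!/bin/sh\n%s\n' "$scan_line" > "$hook_path"
  chmod +x "$hook_path"
}

# hook_runs_ggshield REPO_DIR HOOK_TYPE
# Quick check: 0 if the hook exists, is executable and contains the scan line.
hook_runs_ggshield() {
  p="$1/.git/hooks/$2"
  [ -x "$p" ] && grep -q "$GGSHIELD_MARKER" "$p"
}

# Usage (uncomment inside a checked-out repository):
# install_ggshield_hook . pre-commit
# install_ggshield_hook . pre-push append
```

The append path is the one to reach for in repos that already run linters or formatters from a hook: the existing logic keeps running and the ggshield line is only added once, so re-running the installer is harmless. For the global mode, keep in mind that pointing Git's core.hooksPath at a shared hooks directory replaces every repository's own .git/hooks, so per-repo hooks must be merged into that shared location or they silently stop running.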