Pre-commit Check

This guide will assist you in setting up a check to prevent secrets from being accidentally committed to a git repository.

Prerequisites

  1. Have a Vault++ account.
  2. Have a git repository.

Introduction

A pre-commit hook is a Git feature that allows developers to run checks, such as code linting and formatting, before committing code. The Vault++ pre-commit hook prevents secrets from being accidentally committed by rejecting any commits that contain secrets. It can be added to any repository, whether or not existing pre-commit hooks are already in place.

Vault++ detects secrets by understanding the context of your code, extracting potential secrets, and verifying them against its API to eliminate false positives. It also calculates hashes of these potential secrets (called secret signatures) and securely checks them against known secret signatures in Vault++. This enables Vault++ to detect any kind of secret—whether it's an internal API key, password, or other—without exception.

1. Choose a git hook manager

If you're already using a Git hook manager like Husky, Lefthook, or Simple Git Hooks, you can skip ahead to Step 2.

Creating and using custom Git hooks is straightforward: every repository includes a .git/hooks folder with sample scripts that can be customized. The challenge is that these hooks live only in the local clone and are not shared with others by default. Because the .git folder itself is never committed or pushed, hooks placed there are not cloned along with the repository, so developers must find their own way to synchronize them across the team. Git hook managers make this much easier by keeping the hook definitions in versioned files and ensuring that every user of the repository runs the same checks.

There are several options available, and we recommend the following popular choices:

  1. Husky, which is the most widely used and works seamlessly with Node applications.
  2. Lefthook, which supports package managers for a variety of languages, including Python, Go, NPM, and more.

2. Install the vpp hook

  1. Open the .husky/pre-commit file in your repository.
  2. Add the following command on a new line:
    vpp scan staged
  3. Save the file.
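The hook file that these three steps produce, written out as an added example (it is not Vault++'s own file, and not Husky's generated template): a POSIX sh .husky/pre-commit that leaves room for checks you already run, fails closed when the vpp CLI is not installed, and runs `vpp scan staged` as the last step so a commit is never created while secrets are staged. The run_step, require_vpp and pre_commit_main helpers are constructed for this illustration; only the `vpp scan staged` command comes from the guide.

```shell
#!/bin/sh
# .husky/pre-commit (added example; not Vault++'s own file)
# Husky runs this script before every commit. Each step must exit 0 for the
# commit to proceed; the first failing step aborts the commit.

# Run one hook step, label its outcome, and propagate its exit status.
run_step() {
  step_name="$1"
  shift
  if "$@"; then
    echo "pre-commit: $step_name passed"
    return 0
  else
    rc=$?
    echo "pre-commit: $step_name failed (exit $rc); commit aborted" >&2
    return "$rc"
  fi
}

# Require the Vault++ CLI: a missing scanner must block the commit rather than
# silently skip the secret check (fail closed).
require_vpp() {
  if command -v vpp >/dev/null 2>&1; then
    return 0
  fi
  echo "pre-commit: 'vpp' is not installed; refusing to commit without a secret scan" >&2
  return 127
}

# Existing checks (if any) run first; the secret scan runs last so no commit
# object is ever created while secrets are staged.
pre_commit_main() {
  require_vpp || return $?
  # Example placeholder for a step you may already have (hypothetical):
  # run_step "lint" npm run lint || return $?
  run_step "Vault++ secret scan" vpp scan staged
}

# Husky invokes this file directly as .husky/pre-commit; only run the hook in
# that case, so the functions can also be sourced elsewhere without side effects.
case "$0" in
  *pre-commit) pre_commit_main ;;
esac
```

Husky aborts the commit whenever this script exits non-zero, which is exactly what happens when `vpp scan staged` finds a secret, when an earlier step fails, or when the vpp binary is missing from PATH.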

3. Add a vpp scan config file

Create a new file called vpp.scan.jsonc and use the following example content:

vpp.scan.jsonc:

    {
      "$schema": "https://vaultplusplus.com/scan-schema.json",
      "organization": "<your org slug>", // change to your organization slug

      // Whitelisted Signatures
      "whitelist": []
    }

4. Verify setup

Follow these steps to verify that the hook is correctly set up:

  1. Open a terminal and navigate to your repository.
  2. Unlock Vault++ by executing:
    vpp unlock

    Tip: If you use a Git UI, make sure to run the vpp unlock command in the root folder of your repository.

  3. Make some changes and commit them using either git commit in the terminal or your preferred Git UI tool.

That's it! 🎉 Vault++ is now actively safeguarding your repository from unintentional secret leaks during commits.