Git Hooks - CodeAnt AI
Skip to main content
Use CodeAnt AI as a pre-commit or pre-push hook to automatically scan your code for secrets before every commit or push.

Manual Setup

  1. Create the hook file at .git/hooks/pre-commit: 
    #!/bin/sh
codeant secrets
  2. Make it executable: 
    chmod +x .git/hooks/pre-commit
  3. Test it: 
    git add .
git commit -m "test commit"
You can use any combination of scanning commands. For example, to only scan for secrets: 
#!/bin/sh
codeant secrets

Using Husky

  1. Install Husky: 
    npm install --save-dev husky
npx husky init
  2. Add the pre-commit hook: 
    npx husky add .husky/pre-commit "codeant secrets"
  3. Commit the hook configuration: 
    git add .husky
git commit -m "Add CodeAnt pre-commit hooks"

Using Lefthook

  1. Install Lefthook: 
    npm install --save-dev lefthook
  2. Configure lefthook.yml: 
    pre-commit:
  commands:
    secrets:
      run: codeant secrets
  3. Initialize and commit: 
    npx lefthook install
git add lefthook.yml
git commit -m "Add CodeAnt pre-commit hooks"

Customizing Hook Behavior

All scanning commands accept flags to customize behavior. See the Commands reference for the full list. Common examples for hooks: 
# Only block HIGH confidence secrets
codeant secrets --fail-on HIGH

# Exclude test files from scanning
codeant secrets --exclude '**/*.test.*,**/__tests__/**'

How It Works

When you run git commit:
  1. The pre-commit hook runs the configured scanning commands
  2. Each scanner analyzes your staged files (the --staged default)
  3. If issues are found above the --fail-on threshold:
    • The commit is blocked
    • Issue locations and details are displayed
    • Fix the issues, re-stage, and try again
  4. If no blocking issues are found:
    • The commit proceeds normally

Pre-Push Hook (Push Protection)

Use the --hook flag to enable push protection mode, which runs secrets scanning as a pre-push hook. This mode activates an interactive bypass prompt so that developers can choose to override a block with a stated reason rather than having to use --no-verify.

Setup

  1. Create the hook file at .git/hooks/pre-push: 
    #!/bin/sh
codeant secrets --hook
  2. Make it executable: 
    chmod +x .git/hooks/pre-push

How the Bypass Prompt Works

When secrets are detected during a push, the --hook mode shows an interactive prompt: 
✗ 1 secret(s) found!

  src/config.js
    Line 5: AWS Access Key (HIGH)

Do you want to bypass this check? (yes/no): yes
Reason for bypass: testing environment key, not production
If the developer confirms bypass, the push proceeds and the bypass event is recorded in CodeAnt (fire-and-forget). If declined, the push is blocked.

Bypassing Hooks

In rare emergencies, you can bypass all pre-commit or pre-push hooks: 
git commit --no-verify
git push --no-verify
Warning: Only use --no-verify in emergencies. Bypassing scans can allow secrets into your repository. Prefer the interactive bypass prompt in push protection mode (--hook) for an audited override flow.