Module 8 · Pre-Commit Hooks for Security

Manish Garg · Associate of (ISC)² · RingSafe
Apr 27, 2026
2 min read

Last updated: April 29, 2026


No signup. No paywall. No catch. One of our 10 most-requested practitioner modules — published in full so anyone can learn for free. We earn through consulting, not by gating knowledge.


Why this module. The cheapest security check is the one that runs on the developer’s laptop before code ever reaches CI. Pre-commit hooks catch ~60% of mistakes for ~5% of the operational cost of equivalent CI checks.

What runs in pre-commit

  1. Linting + format — Ruff, Black, ESLint, Prettier. Reduces diff noise.
  2. Type checking — mypy, tsc. Catches a class of runtime bugs.
  3. Secret scanning — Gitleaks (Module 7).
  4. IaC validation — tfsec, Checkov. Module 14, Cloud track.
  5. Dependency check — npm audit, pip-audit. Lightweight; full check in CI.
  6. Commit message check — conventional commits.
  7. Spell check — codespell. Surprisingly catches bugs.

The pre-commit framework

pre-commit is the de facto orchestrator: one config file, one tool to install, and every hook runs in its own isolated, language-agnostic environment.

# .pre-commit-config.yaml — production-grade
# Every remote repo is pinned to a tagged rev so the hook code that runs on
# each laptop cannot change underneath the team.
repos:
# Generic hygiene hooks: whitespace, trailing newline, YAML syntax,
# oversized files (500 KB default) and private-key material.
- repo: https://github.com/pre-commit/pre-commit-hooks
  rev: v4.5.0
  hooks:
    - id: trailing-whitespace
    - id: end-of-file-fixer
    - id: check-yaml
    - id: check-added-large-files
    - id: detect-private-key

# Secret scanning over staged changes (see Module 7).
- repo: https://github.com/zricethezav/gitleaks
  rev: v8.18.0
  hooks:
    - id: gitleaks

# Python lint; fast enough to stay inside the runtime budget.
- repo: https://github.com/charliermarsh/ruff-pre-commit
  rev: v0.1.7
  hooks:
    - id: ruff

# Terraform misconfiguration checks (see Module 14, Cloud track).
- repo: https://github.com/aquasecurity/tfsec
  rev: v1.28.5
  hooks:
    - id: tfsec

Keeping friction low

  • Hook runtime budget: total < 10 seconds for a typical commit. Slow hooks kill adoption.
  • Run hooks only on the files staged for the commit (pre-commit's default; --files to target specific paths), never the full repo; --all-files belongs in CI.
  • For slow checks (full SAST), don't pre-commit; CI only.
  • Allow --no-verify for emergencies; alert if it is abused (CI catches the failure anyway).
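As an added example (not part of the module, and not the pre-commit project's code), here is a hand-written git pre-commit hook in POSIX sh that shows what the framework does for you: it re-implements two hooks from the config above, detect-private-key and check-added-large-files, scopes them to staged files only, measures the run against the 10-second budget from the list above, and returns non-zero so git refuses the commit. MAX_KB, BUDGET_SECONDS and the function names are this example's own; the 500 KB default mirrors check-added-large-files.

```shell
#!/bin/sh
# Minimal git pre-commit hook (added example, not the module's or the
# pre-commit project's code). Re-implements detect-private-key and
# check-added-large-files over staged files only and reports runtime
# against the 10-second budget. Install: copy to .git/hooks/pre-commit
# and chmod +x it.

MAX_KB=${MAX_KB:-500}                  # same default as check-added-large-files
BUDGET_SECONDS=${BUDGET_SECONDS:-10}   # budget from "Keeping friction low"

# Exit 0 if FILE contains a PEM private-key header, 1 otherwise.
has_private_key() {
    grep -q -E -- '-----BEGIN( [A-Z0-9]+)? PRIVATE KEY-----' "$1"
}

# Exit 0 if FILE is larger than MAX_KB kilobytes.
is_large() {
    [ "$(( $(wc -c < "$1") ))" -gt $((MAX_KB * 1024)) ]
}

# Run every check over the given paths. Prints one line per finding and
# returns 1 if anything failed, which is what makes git abort the commit.
run_checks() {
    status=0
    for f in "$@"; do
        [ -f "$f" ] || continue          # deleted or renamed-away paths
        if has_private_key "$f"; then
            echo "private key material in $f"; status=1
        fi
        if is_large "$f"; then
            echo "$f exceeds ${MAX_KB} KB; use Git LFS or leave it out"; status=1
        fi
    done
    return $status
}

# Hook entry point: only added/copied/modified staged files are checked,
# the same scope pre-commit uses, not the whole tree.
main() {
    start=$(date +%s)
    findings=$(git diff --cached --name-only --diff-filter=ACM |
        while IFS= read -r f; do run_checks "$f"; done)
    elapsed=$(( $(date +%s) - start ))
    [ "$elapsed" -le "$BUDGET_SECONDS" ] ||
        echo "warning: hook took ${elapsed}s, over the ${BUDGET_SECONDS}s budget"
    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings"
    echo "commit blocked; fix the findings (CI re-runs these checks even after --no-verify)"
    return 1
}

# Run only when installed under the hook name; sourced elsewhere, the file
# just defines the functions.
case "$0" in */pre-commit|pre-commit) main ;; esac
```

In a real team repo you would keep the framework and register a script like this under a `repo: local` entry in .pre-commit-config.yaml, so it is versioned with the config, installed by the same `pre-commit install`, and receives the same staged-file list as the other hooks.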

The team rollout

  1. Start with format + secret scan. Two weeks; everyone sees value.
  2. Add type/lint when team is fluent.
  3. Expand to IaC, license check, dependency vuln check.
  4. Document the why; train new joiners.

Defender’s checklist

  • Pre-commit installed for every developer onboarding.
  • Repo template includes .pre-commit-config.yaml.
  • CI verifies pre-commit hooks ran (fallback for laptops without pre-commit installed or commits made with --no-verify).
  • Quarterly review of hook performance; trim slow ones.
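The CI side of that checklist, as an added example written for this page rather than taken from the module or the pre-commit project: a POSIX sh script that first verifies every hook repo in .pre-commit-config.yaml is pinned to an immutable rev (a version tag or a full commit SHA rather than a floating branch such as main, so a compromised or force-pushed upstream branch cannot change the hook code that runs on every developer laptop), then re-runs all hooks over the whole tree as the fallback for commits that skipped the hooks. The function names are this example's own; `pre-commit run --all-files --show-diff-on-failure` is the real CLI.

```shell
#!/bin/sh
# CI guard for pre-commit (added example, not the module's own code).
# 1) Refuse configs whose hook repos float on a branch instead of a pinned rev.
# 2) Re-run every hook over the whole tree, the fallback for --no-verify
#    commits and laptops without pre-commit installed.

# Print "REPO REV" pairs from a .pre-commit-config.yaml, one per line.
# Comments are stripped first so a trailing "# note" does not become the rev.
repo_revs() {
    awk '
        { sub(/[ \t]#.*/, "") }
        /^[ \t]*-[ \t]*repo:/ { repo = $NF }
        /^[ \t]*rev:/         { print repo, $NF }
    ' "$1"
}

# Exit 0 when REV is an immutable reference: a version tag (v1.2.3 or 1.2.3)
# or a full 40-hex commit SHA. Branch names such as main or HEAD fail.
# A SHA is the strictest pin, since tags can in principle be moved.
is_pinned() {
    case "$1" in
        v[0-9]*|[0-9]*) return 0 ;;
    esac
    printf '%s' "$1" | grep -q -E '^[0-9a-f]{40}$'
}

# Return 1 and name every unpinned repo in CONFIG; 0 when all are pinned.
check_pins() {
    bad=$(repo_revs "$1" | tr -d "'\"" | while read -r repo rev; do
        is_pinned "$rev" || echo "$repo is not pinned (rev: $rev)"
    done)
    [ -n "$bad" ] || return 0
    printf '%s\n' "$bad"
    return 1
}

# CI step: pin check, then the full-tree run. --show-diff-on-failure prints
# what a fixer hook would have changed so the developer can reproduce it.
ci_run_hooks() {
    check_pins .pre-commit-config.yaml || return 1
    pre-commit run --all-files --show-diff-on-failure
}

# Run the CI step only when invoked directly with "ci" as the argument.
[ "${1-}" = "ci" ] && ci_run_hooks
```

On pull requests you can narrow the second step to the changed range with `pre-commit run --from-ref origin/main --to-ref HEAD`, which keeps CI fast while the pin check still covers the whole config.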

Want this for your team?

Custom team training + practitioner advisory

Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.
