Pre-commit Hooks

Scan your code for vulnerabilities before every commit using pre-commit hooks.

Setup

1. Install pre-commit

pip install pre-commit

2. Create Configuration

Add .pre-commit-config.yaml to your repository:

repos:
  - repo: local
    hooks:
      - id: inkog
        name: Inkog Security Scan
        entry: inkog -severity high
        language: system
        pass_filenames: false
        always_run: true

3. Install the Hook

pre-commit install

Configuration Options

Scan Changed Files Only

For faster commits, scan only staged files:

repos:
  - repo: local
    hooks:
      - id: inkog
        name: Inkog Security Scan
        entry: bash -c 'inkog -severity high $(git diff --cached --name-only --diff-filter=ACM | grep -E "\.(py|js|ts|go)$" | tr "\n" " ")'
        language: system
        pass_filenames: false
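A stricter version of the staged-files scan above, written as a standalone script; this is an added example, not part of the Inkog documentation. It keeps paths with spaces intact, skips the scanner when no source file is staged, and blocks the commit when the scanner is missing or a path cannot be parsed. The function names, the SCANNER variable and the script path scripts/inkog-staged.sh are assumptions, as is inkog accepting file paths as arguments (which the config above implies).

```shell
#!/bin/sh
# Added example (not Inkog's code): scan only staged source files, failing closed.
# Assumes, as the page's own config does, that inkog accepts file paths as arguments.
SCANNER="${SCANNER:-inkog}"   # overridable so a stub can stand in for the scanner

# Read paths (one per line) on stdin and scan those with a covered extension.
scan_paths() {
    set --                                   # collect matches as "$@" so spaces survive
    while IFS= read -r path; do
        case "$path" in
            \"*)                             # git C-quotes names it cannot print raw
                echo "cannot parse staged path $path; commit blocked" >&2
                return 2 ;;
            *.py|*.js|*.ts|*.go)
                set -- "$@" "./$path" ;;     # "./" keeps a name like "-x.py" from reading as a flag
        esac
    done
    if [ "$#" -eq 0 ]; then                  # nothing to scan: do not call the scanner
        echo "no staged .py/.js/.ts/.go files; scan skipped" >&2
        return 0
    fi
    if ! command -v "$SCANNER" >/dev/null 2>&1; then
        echo "$SCANNER not found in PATH; commit blocked" >&2
        return 127
    fi
    "$SCANNER" -severity high "$@"           # its exit status decides whether the commit proceeds
}

# List staged (Added/Copied/Modified) files and hand them to scan_paths.
scan_staged() {
    paths=$(git -c core.quotePath=false diff --cached --name-only --diff-filter=ACM) || return 1
    printf '%s\n' "$paths" | scan_paths
}

# Run only when invoked as a hook, e.g. entry: scripts/inkog-staged.sh --hook
if [ "${1:-}" = "--hook" ]; then
    scan_staged
fi
```

To use it, set entry: scripts/inkog-staged.sh --hook in the hook definition, keeping language: system and pass_filenames: false.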

Severity Levels

Adjust the severity threshold:

# Block on critical only (fastest, least strict)
entry: inkog -severity critical

# Block on high and above (recommended)
entry: inkog -severity high

# Block on all findings (strictest)
entry: inkog -severity low

JSON Output for Parsing

repos:
  - repo: local
    hooks:
      - id: inkog
        name: Inkog Security Scan
        entry: bash -c 'inkog -output json -severity high . && echo "Security scan passed"'
        language: system
        pass_filenames: false

Manual Usage

Run the hook manually without committing:

pre-commit run inkog --all-files

Run all hooks:

pre-commit run --all-files

Skipping Hooks

Skip the security scan for a specific commit (use sparingly). Note that --no-verify bypasses every hook, while SKIP=inkog skips only this one:

git commit --no-verify -m "emergency fix"

# or
SKIP=inkog git commit -m "skip security scan"

Team Setup

Share the configuration with your team:

  1. Commit .pre-commit-config.yaml to your repository
  2. Team members run pre-commit install after cloning
  3. Optionally, add to your README.md:

     ## Development Setup

     Install pre-commit hooks:

     ```bash
     pip install pre-commit
     pre-commit install
     ```

CI Integration

Run pre-commit hooks in CI to catch missed local scans. Because the hook uses language: system, the CI job must also have inkog installed and in its PATH:

GitHub Actions:

- uses: pre-commit/action@v3.0.1

GitLab CI:

pre-commit:
  stage: test
  image: python:3.11
  script:
    - pip install pre-commit
    - pre-commit run --all-files

Troubleshooting

Hook Not Running

Ensure Inkog is installed and in your PATH:

which inkog
# Should output: /path/to/inkog

Slow Commits

If scans are too slow:

  1. Use -severity critical for pre-commit, run full scans in CI
  2. Scan only changed files (see configuration above)
  3. Consider running full scans as a separate pre-push hook

False Positives

To skip specific files, create a .inkogignore file (coming soon) or use the severity flag to reduce noise.
