Skip to content

Fix pre-commit hook by use git-agnostic file-based checking #1918

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Fix pre-commit hook by use git-agnostic file-based checking #1918

wants to merge 2 commits into from

Conversation

Holzhaus
Copy link

@Holzhaus Holzhaus commented Jul 18, 2025
edited
Loading

Description:

This fixes gitleaks invocations via pre-commit when there are no changed to-be-committed (i.e., via pre-commit run --files or pre-commit run --all-files). Currently, these will pass even if there would be gitleaks findings because gitleaks git checks the diff only.

When called via pre-commit framework, gitleaks does not need to git-aware because the framework already detects which files need to be checked (either the diff when a commit range or changes that are about-to-be-committed are checked, or the files passed to the --files command line argument).

Fixes #1409.

Checklist:

  • Does your PR pass tests? - unit tests are unaffected, manual testing of pre-commit hook passed
  • Have you written new tests for your changes? - not applicable
  • Have you lint your code locally prior to submission? - passed my yaml formatter

Holzhaus added 2 commits July 18, 2025 10:41
@Holzhaus
fix(pre-commit): Use git-agnostic file-based checking
11e95f3 
This fixes gitleaks invocations via pre-commit when there are no changed
to-be-committed (i.e., via `pre-commit run --files` or `pre-commit run
--all-files`). Currently, these will pass even if there would be
gitleaks findings because `gitleaks git` checks the diff only.

When called via pre-commit framework, gitleaks does not need to
git-aware because the framework already detects which files need to be
checked (either the diff when a commit range or changes that are
about-to-be-committed are checked, or the files passed to the `--files`
command line argument).

Fixes gitleaks#1409.
@Holzhaus
chore(pre-commit): Allow overriding --redact and --verbose flags
928e0f1 
We move these flags from `entry` to `args` to allow users to override
them in their `.pre-commit-config.yaml` in case they want to use
different flags.
@Holzhaus Holzhaus mentioned this pull request Jul 18, 2025
Open
@UnknownPlatypus
Copy link

Hello !

Have you check the whole discussion in #1409 ? Especially this comment.

I've hold off from opening the same PR as you because it's not working as you think it will and the whole project directory will be checked on every commit that contains more than 1 files because of the bug outlined in #1727.

@Holzhaus
Copy link
Author

Holzhaus commented Jul 18, 2025
edited
Loading

Yes, I've noticed that it's very slow. Is there an ETA for #1727? If you expect that it will take a while, maybe we should consider to merge this PR as-is.

Because it is somewhat unexpected that pre-commit run --all-files tell you that you're fine when you actually have a lot of hardcoded secrets that are just not detected due to #1409. From my perspective, I'd rather live with the performance regression than with the risk of undetected secrets.

@UnknownPlatypus
Copy link

Is there an ETA for #1727?

No Idea, I'm waiting for it to solve the pre-commit use case but I'm not a maintainer nor have enough go knowledge to help with the review.

Because it is somewhat unexpected that pre-commit run --all-files tell you that you're fine when you actually have a lot of hardcoded secrets that are just not detected due to #1409. From my perspective, I'd rather live with the performance regression than with the risk of undetected secrets.

Unfortunately, this would cause very huge latency for the most common use case of this hook ie running before a commit on changed files. For exemple on my repo, it would make the pre-commit hook completely unusable.

$ hyperfine -i "gitleaks dir --redact --verbose" "gitleaks git --pre-commit --redact --staged --verbose"

Benchmark 1: gitleaks dir --redact --verbose
  Time (mean ± σ):     30.943 s ±  0.527 s    [User: 179.861 s, System: 9.130 s]
  Range (min … max):   30.232 s … 31.886 s    10 runs
 
  Warning: Ignoring non-zero exit code.
 
Benchmark 2: gitleaks git --pre-commit --redact --staged --verbose
  Time (mean ± σ):     342.3 ms ±   3.7 ms    [User: 330.6 ms, System: 25.2 ms]
  Range (min … max):   337.6 ms … 350.6 ms    10 runs
 
Summary
  'gitleaks git --pre-commit --redact --staged --verbose' ran
   90.40 ± 1.82 times faster than 'gitleaks dir --redact --verbose'

I completely agree with you this is very unexpected that pre-commit run --all-files tell you that you're fine but slowing the hook too much will make people disable it which is not really better imo. Maybe you could try to ping a maintainer in #1750, they might have simply missed the PR.

@Holzhaus Holzhaus mentioned this pull request Jul 22, 2025
Open
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

gitleaks does not scan correct files with pre-commit run --files
2 participants
@Holzhaus @UnknownPlatypus