Git Hook Secret Scanner: How to Block Credentials Before Commit
What Is a Pre-Commit Secret Scanner?
A pre-commit secret scanner is a git hook that runs automatically before every commit, scanning staged files for hardcoded API keys, tokens, and credentials. The hook either warns the developer or blocks the commit entirely depending on the severity of detected secrets and the configured enforcement mode.
Git hooks are scripts stored in .git/hooks/ that execute at specific points in the git workflow. The pre-commit hook fires after git commit is invoked but before the commit object is created. A pre-commit secret scanner uses this hook point to intercept commits that contain hardcoded credentials.
Vibe Owl writes shell scripts to .git/hooks/pre-commit and .git/hooks/pre-push that invoke the extension's scanner against staged files. The scanner applies the same detection rules used for live scanning: OpenAI keys at 95% confidence, AWS keys at 90%, GitHub tokens at 95%, private key blocks at 100%, and generic secret assignments at 70%.
How Does Vibe Owl Install Git Hooks?
Vibe Owl installs git hooks through the Vibe Owl: Install Git Safety Hooks command in the VS Code command palette. The command writes hook scripts to .git/hooks/ and supports install, uninstall, and toggle operations for managing hook lifecycle.
The installation process creates two hook scripts: a pre-commit hook that scans staged files, and a pre-push hook that runs a broader scan over the commits being pushed. Both are standard shell scripts that git runs in the developer's environment, so they work with any git client that honors the .git/hooks/ directory. Two caveats apply to any local hook: .git/hooks/ belongs to the clone and is not versioned, so every developer installs the hooks separately, and git skips them entirely when the repository sets core.hooksPath to another directory or when a commit or push is made with --no-verify.
The Vibe Owl: Uninstall Git Safety Hooks command removes both hooks cleanly. The Vibe Owl: Toggle Git Safety command enables or disables hook enforcement without removing the scripts. The sidebar displays current hook installation status and the active enforcement mode.
What Is the Difference Between Warn Mode and Block Mode?
Warn mode allows the commit to proceed while displaying a visible warning about detected secrets. Block mode aborts the commit when high or critical findings exist, requiring the developer to fix or suppress findings before the commit can succeed.
Warn mode is appropriate for exploratory development where hardcoded values might be intentional during prototyping. The warning ensures the developer is aware of the finding without interrupting the commit flow. Block mode is appropriate for production-bound branches where hardcoded credentials should never be committed.
The enforcement mode is configurable through vibeOwl.gitSafety.mode. Vibe Owl's policy bundles apply preset configurations: Prototype Fast uses warn mode, Startup Balanced uses block mode for git hooks, and Regulated Strict uses block mode across all modules.
How Does the Staged Diff Risk Preview Complement Git Hooks?
The staged diff risk preview analyzes changes about to be committed by running git diff --cached against all detector rules, reporting a risk level with specific blocking reasons. The preview lets developers assess risk before committing rather than discovering issues during the hook execution.
The Vibe Owl: Preview Staged Diff Risk command scans added lines in the staged diff. The preview reads up to 2000 diff lines (configurable) and reports findings with risk levels: low, medium, high, or critical. High and critical findings include specific blocking reasons that explain why the commit would be blocked.
The staged diff preview is a proactive check: the developer runs it before committing to see what the hook will find. Together with live secret scanning in the editor and the git hooks themselves, it gives three independent checkpoints before a credential can land in a commit.
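The hook mechanics, the warn-versus-block decision, and the staged-diff risk preview described in the three sections above, as one added example in POSIX shell. This is illustrative code written for this page, not Vibe Owl's hook script: the detector regexes and severity labels, the 2000-line cap, and the hooks.secretScanMode git config key are assumptions, and the sample diff is constructed.

```shell
#!/bin/sh
# Added example of a pre-commit secret scanner; it is not Vibe Owl's own hook
# script. Install by copying to .git/hooks/pre-commit and running chmod +x.
# Enforcement mode is read from an assumed git config key,
# hooks.secretScanMode (warn | block); unset means block.

MAX_DIFF_LINES=2000   # cap on diff lines examined, mirroring the preview's default

# Illustrative detectors (not the extension's rule set), one per line:
# <severity>|<label>|<extended regex>
DETECTORS=$(cat <<'EOF'
critical|private key block|-----BEGIN [A-Z ]*PRIVATE KEY-----
high|AWS access key id|AKIA[0-9A-Z]{16}
high|GitHub token|gh[pousr]_[A-Za-z0-9]{36}
high|OpenAI key|(^|[^A-Za-z0-9])sk-[A-Za-z0-9]{20,}
medium|generic secret assignment|([Pp]assword|[Ss]ecret|[Aa]pi_?[Kk]ey|API_?KEY|[Tt]oken)[[:space:]]*[=:][[:space:]]*["'][^"']{8,}["']
EOF
)

# stdin: a unified diff (git diff --cached -U0). stdout: one
# "<severity>|<label>|<added line>" record per match. Only added lines are
# examined, so a secret that is merely removed or unchanged is not reported.
scan_diff() {
    added=$(sed -n '/^+++ /!s/^+//p')
    printf '%s\n' "$DETECTORS" | while IFS='|' read -r sev label regex; do
        printf '%s\n' "$added" | grep -E -- "$regex" | while IFS= read -r hit; do
            printf '%s|%s|%s\n' "$sev" "$label" "$hit"
        done
    done
}

# stdin: scan_diff records. stdout: the highest severity seen, or "low".
risk_level() {
    findings=$(cat)
    for level in critical high medium; do
        if printf '%s\n' "$findings" | grep -q "^$level|"; then
            echo "$level"
            return 0
        fi
    done
    echo low
}

# $1 mode (warn|block), $2 risk level. Returns 0 when the commit must be aborted:
# only block mode aborts, and only on high or critical findings.
should_block() {
    if [ "$1" = block ]; then
        case "$2" in high|critical) return 0 ;; esac
    fi
    return 1
}

run_hook() {
    mode=$(git config --get hooks.secretScanMode || echo block)
    findings=$(git diff --cached -U0 --no-color | head -n "$MAX_DIFF_LINES" | scan_diff)
    risk=$(printf '%s\n' "$findings" | risk_level)
    if [ "$risk" != low ]; then
        printf 'secret scan: staged diff risk is %s (mode %s)\n' "$risk" "$mode" >&2
        printf '%s\n' "$findings" | while IFS='|' read -r sev label line; do
            printf '  [%s] %s: %s\n' "$sev" "$label" "$line" >&2
        done
    fi
    if should_block "$mode" "$risk"; then
        echo 'commit aborted: remove the credential or switch hooks.secretScanMode to warn' >&2
        return 1
    fi
    return 0
}

# Constructed sample diff for trying the scanner without a repository.
SAMPLE_DIFF='diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,5 @@
 import os
-AWS_KEY = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+db_password = "hunter2-but-longer"
+count = 0  # an added line that just mentions ++counter'

# Run as a hook only when git invokes this file as .git/hooks/pre-commit;
# otherwise only the functions are defined, so the file can be sourced or tested.
case "$0" in */pre-commit) run_hook; exit $? ;; esac
```

Copied to .git/hooks/pre-commit and marked executable, the script runs scan_diff over git diff --cached -U0 on every commit and aborts only in block mode on a high or critical finding; under any other file name it only defines the functions, so it can be sourced and a saved diff piped into scan_diff and risk_level to get the same preview the hook would print. Because only the + lines of the diff are examined, a credential that was committed earlier and is untouched by the current change never appears here.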
How Do Pre-Push Hooks Add a Second Layer of Protection?
Pre-push hooks fire before git push sends commits to a remote repository and see a broader set of changes than pre-commit hooks. The pre-push hook catches secrets that reached the local history without passing through the pre-commit check: merges, cherry-picks, and rebases do not run the pre-commit hook, and git commit --no-verify skips it explicitly.
The pre-push hook is enabled by default through vibeOwl.gitSafety.enablePrePush. The hook scans the full set of commits being pushed rather than just staged files, covering scenarios where secrets enter the repository through operations other than standard commits.
Preventing secrets from reaching git remotes requires both hooks working together: the pre-commit hook is the first line of defense, and the pre-push hook is the last local checkpoint before code becomes visible to collaborators, CI systems, and anyone who later obtains the repository. Both run on the developer's machine and can be skipped with --no-verify, so they prevent accidents rather than enforce policy; enforcement belongs in a server-side pre-receive hook or a CI scan that the developer cannot bypass.
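The pre-push side described above, as an added example in POSIX shell. Like the pre-commit example, this is illustrative code written for this page, not the extension's script: the stdin format and the all-zero SHA convention are git's own, while the SECRET_RE pattern list and the sample commit diff are constructed assumptions. It goes one step beyond the text: it scans each pushed commit's own diff rather than the difference between the two branch tips, so a credential that was committed and later deleted, which still travels with the push, is caught.

```shell
#!/bin/sh
# Added example of a pre-push secret scanner; it is not Vibe Owl's own hook
# script. Install by copying to .git/hooks/pre-push and running chmod +x.
# git calls it as: pre-push <remote name> <remote url>, with one line per ref
# on stdin: "<local ref> <local sha> <remote ref> <remote sha>".

ZERO_SHA=0000000000000000000000000000000000000000

# Illustrative high-confidence patterns only; the extension's rule set differs.
SECRET_RE='-----BEGIN [A-Z ]*PRIVATE KEY-----|AKIA[0-9A-Z]{16}|gh[pousr]_[A-Za-z0-9]{36}|(^|[^A-Za-z0-9])sk-[A-Za-z0-9]{20,}'

# $1 remote name, $2 local sha, $3 remote sha. Prints the rev-list arguments
# that select exactly the commits this push would send; prints nothing for a
# ref deletion. A new branch is compared against every ref the remote already
# has, instead of scanning the whole history back to the root commit.
push_range() {
    if [ "$2" = "$ZERO_SHA" ]; then
        return 0
    elif [ "$3" = "$ZERO_SHA" ]; then
        printf '%s --not --remotes=%s\n' "$2" "$1"
    else
        printf '%s..%s\n' "$3" "$2"
    fi
}

# stdin: one commit's diff (git show -U0). stdout: added lines that match
# SECRET_RE. Exit status 0 when there is at least one hit, 1 otherwise.
scan_commit_diff() {
    sed -n '/^+++ /!s/^+//p' | grep -E -- "$SECRET_RE"
}

run_hook() {
    remote_name=$1
    status=0
    while read -r local_ref local_sha remote_ref remote_sha; do
        range=$(push_range "$remote_name" "$local_sha" "$remote_sha")
        [ -n "$range" ] || continue
        # Walk every commit in the range and scan each one's own diff. Diffing
        # only the two tips would miss a secret that was committed and then
        # removed in a later commit, although it still ships in the history.
        for sha in $(git rev-list $range </dev/null); do   # $range is split on purpose
            hits=$(git show -U0 --no-color --format= "$sha" </dev/null | scan_commit_diff) || continue
            printf 'pre-push: %s -> %s: commit %s adds what looks like a credential:\n' \
                "$local_ref" "$remote_ref" "$sha" >&2
            printf '%s\n' "$hits" | sed 's/^/    /' >&2
            status=1
        done
    done
    [ "$status" -eq 0 ] || echo 'push aborted; rewrite the offending commits before pushing' >&2
    return "$status"
}

# Constructed diff of a single commit, for trying the scanner without a repository.
SAMPLE_COMMIT_DIFF='diff --git a/deploy.pem b/deploy.pem
--- /dev/null
+++ b/deploy.pem
@@ -0,0 +1,3 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA0000000000000000
+-----END RSA PRIVATE KEY-----'

# Run as a hook only when git invokes this file as .git/hooks/pre-push.
case "$0" in */pre-push) run_hook "$@"; exit $? ;; esac
```

The range computation is the part that is easy to get wrong: a deleted remote ref sends nothing and is skipped, an updated ref is scanned as remote..local, and a brand-new branch is scanned as everything reachable from the local tip that is not already on some ref of that remote, which keeps the first push of a long-lived fork from rescanning the entire history. A non-zero exit aborts the push, and, as with pre-commit, git push --no-verify skips the hook.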
How Does Vibe Owl Compare to Standalone Pre-Commit Frameworks?
Vibe Owl provides git hook management within VS Code with one-click install, inline results, and integration with the preflight workflow. Standalone frameworks like pre-commit or Husky require terminal configuration, separate tool installation, and do not integrate with editor diagnostics.
The pre-commit framework requires a .pre-commit-config.yaml file and installation of external plugins for secret detection. Husky requires npm package installation and configuration through package.json lifecycle scripts. Both approaches work but require setup steps outside the editor.
Vibe Owl's hooks install with a single command palette action and connect directly to the extension's other modules: live scanning feeds into git hooks, git hooks feed into preflight checks, and preflight results contribute to the workspace health score.