Severity: low | CWE-1059 | OWASP A02:2021

No Git Security Hooks

Without pre-commit hooks that scan for secrets and security issues, developers can accidentally push API keys and passwords to the repository.

How It Works

Pre-commit hooks run before every git commit. A secrets scanner hook (Gitleaks, detect-secrets) checks the staged diff for patterns matching API keys, passwords, and tokens, and fails the commit when it finds one. That catches the mistake before it enters git history — where it is effectively permanent and visible to anyone with repo access. Once a secret has been pushed, rewriting history does not undo the exposure: the credential should be treated as compromised and rotated.
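To make the mechanism concrete, the following is an added example (not code from this page, from Gitleaks, or from detect-secrets) of a hand-written git pre-commit hook. It reads only the added lines of the staged diff and checks them against a few illustrative secret shapes; the regexes, the function name scan_diff and the sample diffs are constructed for this example, and a maintained scanner ships a far larger rule set.

```shell
#!/bin/sh
# Minimal pre-commit secret scan (added example, not a project's own hook).
# Exits non-zero, which blocks the commit, when an added line looks like a credential.

# Illustrative patterns only: AWS access key ID, GitHub personal access token,
# PEM private key header, and a generic password/secret/api_key assignment.
SECRET_RE='AKIA[0-9A-Z]{16}|ghp_[A-Za-z0-9]{36}|-----BEGIN [A-Z ]*PRIVATE KEY-----|(password|passwd|secret|api[_-]?key)[[:space:]]*[:=][[:space:]]*[^[:space:]]{8,}'

# scan_diff: reads a unified diff on stdin, keeps only added lines ('+' prefix,
# skipping the '+++' file header), prints any that match, and returns 1 when
# something matched or 0 when the diff is clean.
scan_diff() {
  hits=$(grep -E '^[+][^+]' | sed 's/^+//' | grep -E -i "$SECRET_RE" || :)
  if [ -n "$hits" ]; then
    printf 'Possible secret(s) in staged changes:\n%s\n' "$hits" >&2
    return 1
  fi
  return 0
}

# When installed as .git/hooks/pre-commit, scan exactly what would be committed.
# (The guard keeps the git call from running when the file is exercised as a script.)
if [ "${0##*/}" = "pre-commit" ]; then
  git diff --cached --unified=0 | scan_diff || {
    echo 'Commit blocked: remove the secret from the change and load it from the environment instead.' >&2
    exit 1
  }
fi
```

Save it as .git/hooks/pre-commit and make it executable. Because it reads git diff --cached, it sees only staged content, so a secret that lives in an untracked file is not reported; the scan_diff function is kept separate from the git call so it can be run on a saved diff without a repository.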

Vulnerable Code

// BAD: no pre-commit hooks — secrets can be committed accidentally
// .git/hooks/ is empty or not configured
// package.json has no husky or lint-staged config

Secure Code

// GOOD: pre-commit hook that scans for secrets
// package.json (husky v4-style config; husky v5 and later read hooks from a .husky/ directory instead)
{
  "lint-staged": {
    "*": ["gitleaks protect --staged --no-banner"]
  },
  "husky": {
    "hooks": {
      "pre-commit": "lint-staged"
    }
  }
}

Real-World Example

GitHub's 2022 security research found that secret exposure incidents where developers accidentally committed API keys account for a significant portion of all credential-based breaches — and the majority could have been prevented by pre-commit secret scanning.

How to Prevent It

  • Install Husky and configure a pre-commit hook that runs Gitleaks or detect-secrets
  • Also configure your CI to run secret scanning on every push as a backstop
  • Enable GitHub's built-in secret scanning and push protection on all repositories
  • Add a .gitleaksignore file to suppress false positives without disabling the scanner

Affected Technologies

Node.js

Data Hogo detects this vulnerability automatically.
