Pre-commit hooks act on the developer machine before a commit is finalized, while pre-receive hooks enforce policy on the SCM server before a push is accepted. Used together, they create local prevention and centralized enforcement, which is the most reliable way to keep secrets out of shared repositories.
Why This Matters for Security Teams
Pre-commit and pre-receive hooks solve different parts of the same control problem: preventing secrets, unsafe code, and policy violations from entering the repository at different points in the workflow. The distinction matters because local developer controls are easy to bypass, while server-side controls are authoritative but only work after code reaches the SCM boundary. In practice, teams need both to reduce leakage from human error, automation mistakes, and rushed changes.
This is especially important for non-human identities because leaked API keys, tokens, and certificates often propagate quickly into build pipelines and shared repos. NHI Management Group’s Ultimate Guide to NHIs notes that 79% of organisations have experienced secrets leaks, and 77% of those incidents caused tangible damage. That aligns with the broader NIST Cybersecurity Framework 2.0 view that detection and prevention must be built into workflows rather than left to after-the-fact response. In practice, many security teams encounter hook failures only after a credential has already been committed, pushed, and copied into downstream systems, rather than through intentional control design.
How It Works in Practice
A pre-commit hook runs on the developer workstation before the commit object is created. That makes it best suited for fast, local checks such as secret scanning, filename hygiene, commit message rules, or blocking obvious policy violations with immediate feedback. Because it executes before the commit is finalized, it can stop accidental leakage early and cheaply, but only if the developer environment is configured correctly and the hook has not been disabled.
A pre-receive hook runs on the SCM server when a push arrives, before the remote repository accepts the update. That gives it enforcement authority across the whole organisation. It can validate all incoming refs, inspect commit content centrally, and reject changes that violate policy even if the developer skipped local hooks. This is why pre-receive checks are the stronger control for mandatory enforcement of secret scanning, branch policy, and protected asset rules.
Used together, the two hooks create layered prevention:
- Pre-commit reduces accidental exposure at the source.
- Pre-receive blocks bypass attempts and inconsistent local setups.
- Both can be paired with CI checks for a third line of defense.
- Both should be complemented by secret rotation, because blocking a leak does not revoke an already exposed credential.
For teams managing NHIs, the real objective is not just stopping a bad commit, but reducing the chance that long-lived credentials reach source control at all. That is why the controls discussed in Ultimate Guide to NHIs matter operationally: repository hooks must sit inside a broader NHI governance program that also covers rotation, visibility, and offboarding. These controls tend to break down in distributed teams that allow unmanaged local tooling, because developers can bypass pre-commit hooks and push directly unless server-side enforcement is mandatory.
Common Variations and Edge Cases
Tighter hook enforcement often increases developer friction, so organisations have to balance speed against assurance. That tradeoff is real: aggressive local blocking can slow iteration, while server-side rejection can frustrate teams if policies are too noisy or poorly tuned. Current guidance suggests using pre-commit for rapid feedback and pre-receive for authoritative policy enforcement, but there is no universal standard for exactly which checks belong at each stage.
Several edge cases matter in practice. Hook logic can be bypassed with --no-verify on some workflows, which is why local hooks should never be treated as the only control. Pre-receive hooks may also miss risk if repositories are mirrored, forked, or imported through alternate paths outside the normal push process. Large binary files, generated artifacts, and monorepo histories can further complicate scanning performance and false positive rates.
The strongest pattern is to treat hooks as one layer in a broader control stack that includes CI scanning, protected branches, and NHI rotation discipline. That approach is aligned with modern identity guidance, but it works best when teams can enforce consistent developer tooling and central repository policy. It becomes weaker in highly decentralized environments where third-party automation, unmanaged laptops, or multiple SCM platforms create inconsistent enforcement points.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Secret leakage prevention depends on detecting exposed NHI credentials early. |
| NIST CSF 2.0 | PR.AC-4 | Repository hook enforcement supports controlled access and policy-based prevention. |
| NIST AI RMF | AI risk governance is relevant where automated tooling changes code and secrets handling. |
Apply centralized repository policy controls to reject unsafe pushes and protect code integrity.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
