🔐 DevSecOps Hooks

Ministry of Justice pre-commit hooks for scanning hardcoded secrets and credentials.

---

📋 Overview

A lightweight, Docker-based security scanner that integrates seamlessly with Git workflows to prevent hardcoded secrets from being committed to your repository. Built for the Ministry of Justice, this tool leverages following CLI commands to detect sensitive information such as API keys, passwords, tokens, and other credentials.

• GitLeaks

🧩 Workflow

✨ Features

• 🛡️ Automated Secret Detection - Scans code for hardcoded secrets using GitLeaks
• 🐳 Docker-Based - Runs in an isolated Alpine Linux container
• 🔗 Pre-Commit Integration - Works seamlessly with the pre-commit framework
• ⚡ Fast & Lightweight - Minimal footprint with optimised scanning
• 🎯 Fail-Fast - Stops commits immediately when secrets are detected
• 🔍 Verbose Logging - Detailed output for easy debugging
• 🏷️ Version Controlled - Pinned GitLeaks version with checksum validation
• ✅ Conventional Commits - Validates commit messages against conventional commits standards

🚀 Getting Started

Development prerequisites

• Git CLI
• Docker
• pre-commit or prek

Installation

1. Add

   • Filename: .pre-commit-config.yaml
   • Location: Root of your project

   repos:
     - repo: https://github.com/ministryofjustice/devsecops-hooks
       rev: v1.6.0
       hooks:
         - id: baseline

2. Install:

   Ensure prek or pre-commit is installed globally

3. Activate

   Execute the following command in the repository directory

   prek install

4. Test

   prek run

   prek run baseline

🔧 Configuration

Configuration file

One can add GitLeaks configuration file to their repository root under ./.gitleaks.toml file name. GitLeaks offers a configuration format you can follow to write your own secret detection rules.

Ignore file

One can add GitLeaks fingerprint to the ./.gitleaksignore file, if it is a false positive. To add one to the ignore file simply add the Fingerprint presented to the ignore file.

Just like the configuration file, please add the ignore file to the root of your repository.

f3a930047bf1373b540608f54fcd7619b57801c8:README.md:generic-api-key:161

Environment variables

One can customise the scanner behaviour by setting environment variables in the hook configuration.

Scan all files (not just staged)

By default, STAGE_MODE is set to true, which scans only staged files. To scan all files in the repository regardless of staging status, set STAGE_MODE to false:

repos:
  - repo: https://github.com/ministryofjustice/devsecops-hooks
    rev: v1.6.0
    hooks:
      - id: baseline
        env:
          STAGE_MODE: "false"

Hook configuration

The hook is configured in .pre-commit-hooks.yaml with the following settings:

• ID: baseline
• Language: docker_image
• Image: ghcr.io/ministryofjustice/devsecops-hooks:v1.6.0
• Excludes: Hidden files and directories (regex: ^\\..*|/\\..*)
• Pass Filenames: false - Hook runs on the entire repository, not individual files
• Always Run: true - Executes on every invocation regardless of file changes
• Verbose: true - Provides detailed output for debugging
• Fail Fast: false - Allows other hooks to run even if this hook fails

Docker build arguments

The Docker image supports the following build arguments:

Argument	Default	Description
VERSION	1.6.0	Scanner version number
GIT_LEAKS_VERSION	8.30.0	GitLeaks version to install
GIT_LEAKS_SHA512	(specified)	SHA-512 checksum for verification
GITLEAKS_CONFIGURATION_FILE	./.gitleaks.toml	GitLeaks configuration file path
GITLEAKS_IGNORE_FILE	./.gitleaksignore	GitLeaks ignore file path
GIT_MODE	true	Enable Git mode for scanning
STAGE_MODE	true	Scan only staged files in Git mode
WORKDIR	/app	Application root directory
TERM	xterm-256color	Terminal type for colour output
CLICOLOR_FORCE	1	Force colour output in pipelines

🏗️ Architecture

Components

1. gitleaks.sh - Downloads, verifies, and installs GitLeaks binary
2. git.sh - Installs Git version control system in Alpine Linux
3. scan.sh - Executes the security scan using GitLeaks CLI
4. Dockerfile - Multi-stage build for optimised container image
5. .pre-commit-hooks.yaml - Hook configuration for pre-commit framework

Scripts documentation

gitleaks.sh

Downloads and installs the GitLeaks binary with SHA-512 checksum verification.

Environment variables:

• GIT_LEAKS_VERSION - Version to install (required)
• GIT_LEAKS_SHA512 - SHA-512 checksum for verification (required)

Process:

1. Validates environment variables
2. Downloads GitLeaks from GitHub releases
3. Verifies checksum integrity
4. Extracts to /usr/local/bin
5. Validates installation

Exit codes:

• 0 - Installation successful
• 1 - Missing dependencies or checksum mismatch

git.sh

Installs Git using Alpine Package Keeper (apk).

Dependencies:

• Alpine Linux package manager (apk)

Process:

1. Installs Git with apk add --no-cache git

scan.sh

Executes GitLeaks security scanning with configurable modes.

Environment variables:

• VERSION - Scanner version for banner display
• GITLEAKS_CONFIGURATION_FILE - Custom config path (optional)
• GITLEAKS_IGNORE_FILE - Ignore file path (optional)
• GIT_MODE - Enable Git mode (default: true)
• STAGE_MODE - Scan staged files only (default: true)

Modes:

• Git mode (default): Pre-commit scan using Git history
• Non-Git mode: Direct filesystem scan with JSON output

Exit codes:

• 0 - No secrets detected
• 1 - Secrets found or execution error

Docker image

Built using a multi-stage Alpine Linux approach:

• Build stage: Downloads and verifies binary
• Production stage: Minimal runtime image with scanner scripts
• User: Runs as non-root scanner user for security

📦 Usage

Automatic (pre-commit hook)

Once installed, the hook runs automatically:

git add .
git commit -S -m "Your commit message"
# Hook runs automatically and blocks commit if secrets detected

Manual execution

Run the scanner manually on specific files:

pre-commit run baseline --files path/to/file.py

Run on all files in the repository:

pre-commit run baseline --all-files

Docker container

You can also run the scanner directly using Docker:

docker run --rm -v $(pwd):/src ghcr.io/ministryofjustice/devsecops-hooks:v1.6.0

🎯 Example output

✅ Success (no secrets detected)

⚡️ Ministry of Justice - Scanner 1.6.0⚡️

○
    │╲
    │ ○
    ○ ░
    ░    gitleaks

5:13PM INF 0 commits scanned.
5:13PM INF scanned ~325 bytes (325 bytes) in 305ms
5:13PM INF no leaks found
✅ No secrets have been detected.

❌ Failure (secrets detected)

⚡️ MoJ scanner 1.6.0⚡️

○
    │╲
    │ ○
    ○ ░
    ░    gitleaks

Finding:     export API_KEY=""
Secret:      fake-123
RuleID:      generic-api-key
Entropy:     4.5
File:        config/settings.py
Line:        42
Commit:      a1b2c3d4

5:13PM INF 0 commits scanned.
5:13PM INF scanned ~325 bytes (325 bytes) in 305ms
5:13PM WRN leaks found: 1

🛠️ Local development

Building the Docker image

docker build -t devsecops-hooks:local .

Testing locally

docker run --rm -v $(pwd):/src devsecops-hooks:local

📦 Docker

The Dockerfile pulls docker.io/alpine:3.23.3@sha256:25109184c71bdad752c8312a8623239686a9a2071e8825f20acb8f2198c3f659 which when analysed using scout presented the following findings on 17/02/2026 15:21:52 UTC.

docker scout cves docker.io/alpine:3.23.3@sha256:25109184c71bdad752c8312a8623239686a9a2071e8825f20acb8f2198c3f659

Field	Value
Target	alpine:3.23.3
Digest	1529d13528ed
Platform	linux/arm64/v8
Vulnerabilities	0C 0H 1M 0L
Size	4.2 MB
Packages	20

📝 Environment variables

Build arguments

• VERSION - Scanner version number (default: 1.6.0)
• GIT_LEAKS_VERSION - GitLeaks version to install (default: 8.30.0)
• GIT_LEAKS_SHA512 - SHA-512 checksum for downloaded archive
• GITLEAKS_CONFIGURATION_FILE - Custom configuration file path (default: ./.gitleaks.toml)
• GITLEAKS_IGNORE_FILE - Ignore file path (default: ./.gitleaksignore)
• GIT_MODE - Enable Git-based scanning (default: true)
• STAGE_MODE - Scan only staged files (default: true)
• WORKDIR - Application root directory (default: /app)

Runtime environment variables

• VERSION - Scanner version displayed in banner output
• GIT_LEAKS_VERSION - GitLeaks binary version in use
• GITLEAKS_CONFIGURATION_FILE - Path to active configuration file
• GITLEAKS_IGNORE_FILE - Path to active ignore file
• GIT_MODE - Current scanning mode (true for Git mode, false for filesystem)
• STAGE_MODE - Whether to scan staged files only (true/false)
• WORKDIR - Working directory for scanner execution
• TERM - Terminal type for colour output (default: xterm-256color)
• CLICOLOR_FORCE - Force colour output in CI/CD pipelines (default: 1)

📄 Licence

This project is licensed under the MIT Licence - see the LICENSE file for details.

Copyright © 2026 Crown Copyright (Ministry of Justice)

🔗 Links

• GitLeaks Documentation
• Pre-Commit Framework
• Ministry of Justice GitHub

🆘 Support

If you encounter any issues or have questions:

1. Review existing issues in the repository
2. Create a new issue with detailed information

⚠️ Important notes

• Always review detected secrets before committing
• Update the rev field in .pre-commit-config.yaml to the latest version
• Hidden files and directories are excluded by default
• The hook is configured with fail_fast: false to allow other hooks to run even if secrets are detected
• The scanner runs on the entire repository (pass_filenames: false) rather than individual staged files
• Colour output is enabled for better visibility in CI/CD pipelines

---

Made with ❤️ by the Ministry of Justice UK