Using AI in Git Hooks for Pre-Commit Checks

Git hooks are shell scripts that Git calls at specific points in your workflow — before a commit is recorded, after a push, before a rebase. The pre-commit hook is the most useful of the bunch: it runs every time a developer types git commit, and if it exits with a non-zero status the commit is aborted. That makes it the ideal place to enforce standards automatically.

Traditional pre-commit hooks run linters and formatters. That is valuable, but it is mechanical — a linter can tell you that a variable is unused, but it cannot tell you that a function is misleading, a secret has been encoded in base64, or that a commit message says nothing useful. Adding AI to this layer gives you intelligent, context-aware checks that go beyond pattern matching.

Git Hook Basics

Hooks live in the .git/hooks/ directory of every repository. Activate one by removing the .sample extension and making it executable. A minimal pre-commit hook:

#!/bin/bash
# .git/hooks/pre-commit
npm run lint && npm test
exit $?

If either command fails, the exit code will be non-zero and the commit will not proceed. The limitation: .git/hooks/ is not tracked by version control, so every developer has to set it up manually. That is where the pre-commit framework comes in.

The pre-commit Framework

pre-commit is the standard tool for managing Git hooks across a team. It is language-agnostic, shareable via version control, and handles installing hook dependencies in isolated environments.

pip install pre-commit
pre-commit install

Define your hooks in .pre-commit-config.yaml at the root of the repository:

# .pre-commit-config.yaml
repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.5.0
    hooks:
      - id: trailing-whitespace
      - id: end-of-file-fixer
      - id: check-yaml
      - id: check-added-large-files

  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.18.2
    hooks:
      - id: gitleaks

This file goes into version control. Every developer who runs pre-commit install after cloning gets the same hooks automatically.

AI-Powered Pre-Commit Use Cases

Secret and Credential Detection

Gitleaks uses pattern matching to catch API keys, tokens, and passwords before they are committed. AI-enhanced detection goes further — flagging secrets that have been encoded, split across strings, or obfuscated in ways that patterns miss:

- repo: https://github.com/gitleaks/gitleaks
  rev: v8.18.2
  hooks:
    - id: gitleaks
      args: ['--verbose']

When a developer commits a file containing a high-entropy string matching a known secret pattern, Gitleaks blocks the commit and shows exactly which line triggered the detection.

Commit Message Quality

A lightweight hook can enforce minimum message standards without calling an external API:

# check-commit-msg.py
import sys

msg = open(sys.argv[1]).read().strip()
vague = {'fix', 'update', 'changes', 'wip', 'misc'}

if len(msg) < 20:
    print("Error: Commit message too short. Aim for at least 20 characters.")
    sys.exit(1)

if msg.lower().rstrip(".") in vague:
    print(f"Error: Commit message {msg} is too vague.")
    sys.exit(1)

sys.exit(0)

Code Review in CI, Not Locally

Calling an LLM API on every local commit is slow and expensive — developers will bypass hooks that take more than five seconds. The right architecture: fast, local checks in the pre-commit hook, and heavier AI-powered review in CI. Tools like CodeRabbit and Sourcery integrate into pull request workflows, posting AI review comments asynchronously without blocking local commits.

The golden rule: if pre-commit hooks take more than five seconds, they will be bypassed.

Husky for Node.js Projects

For JavaScript or TypeScript projects, Husky is the most widely used alternative to the pre-commit framework:

npm install --save-dev husky
npx husky init

Edit the generated .husky/pre-commit file:

#!/bin/sh
npm run lint
npm run typecheck

Husky hooks are tracked under .husky/ and activated automatically when a developer runs npm install.

AI-Powered Tools for the Pipeline

  • Trunk — AI-powered code quality platform consolidating linters, formatters, and security scanners into a single pre-commit workflow
  • Semgrep — fast static analysis with AI-assisted rule writing; teams write rules in plain English and Semgrep generates the pattern
  • CodeClimate — code quality and maintainability platform for CI/CD gates, analysing coverage, complexity, and duplication

None require calling an LLM in the critical path of a local commit.

Balancing Thoroughness and Speed

  • Aim for under five seconds for local hooks
  • Move heavy analysis to CI
  • Let developers opt into heavier local checks via environment variable: 
#!/bin/bash
npm run lint

if [ "$FULL_LOCAL_CHECKS" = "true" ]; then
  npm test
  npx semgrep --config=auto .
fi

exit 0

Sharing Hooks Across the Team

The .pre-commit-config.yaml file belongs in version control. Updates to hooks are distributed through normal code review. For Node.js teams using Husky, the .husky/ directory and prepare script in package.json serve the same role — npm install activates hooks automatically.

Deploying with Confidence Using DeployHQ

Pre-commit hooks are your first line of defence. DeployHQ is your second. When code has already passed local hooks and CI checks before reaching a deployment trigger, you deploy knowing the build has been validated at every stage. DeployHQ supports branch-based deployments and environment-specific pipelines — configure staging to deploy on every merge to main and production to deploy only from tagged releases, ensuring only thoroughly checked code reaches your servers.