HashiCorp Cloud Platform
install git pre-commit-hook
The install git pre-commit-hook command is a simple way to set up a git pre-commit hook that runs a vault-radar scan on every commit.
To install and invoke vault-radar manually as a pre-commit step, add the following command to an existing pre-commit script. vault-radar will then perform a scan before every commit:
vault-radar scan git pre-commit
Note: The suggested approach is to use the installation command. It appends the scan command to the existing pre-commit script and leaves the script's existing configuration untouched.
Authentication
This command requires a valid vault-radar license. See the license configuration documentation for setup steps, and reach out to your customer support contact for help generating a license.
Usage
Run the following from within the repository you want the pre-commit hook installed on.
vault-radar install git pre-commit-hook
On your next commit, the newly installed pre-commit hook scans the commit's diff. If the scan detects risks with a severity at or above the configured threshold, the commit is rejected.
Remediation Options
The following options handle identified risks that should be allowed but are blocking a developer's commit.
Configuration
The scan run by the pre-commit hook looks for its configuration in one of two places:
- the root of a git-managed repository: ./.hashicorp/vault-radar/config.json
- or your user HOME directory, which applies the configuration globally: ~/.hashicorp/vault-radar/config.json
Note: If both files exist, the repository-local configuration takes precedence over the global one.
Sample config.json
{
"fail_severity": "high"
}
fail_severity
- Defines the fail threshold for vault-radar. When an identified risk has a severity at or above the configured fail_severity, vault-radar treats the scan as a failure and the hook rejects the commit. See the severity documentation for the available levels.
Note: If fail_severity is not set, no severity is enforced: identified risks are reported, but none of them blocks the commit. Set it explicitly if the hook is meant to act as a gate.
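The manual installation step above (appending the scan command to an existing pre-commit script) and the configuration lookup in this section, as one added shell example that is not part of the HashiCorp documentation or of the vault-radar tool itself: it appends the command idempotently, never overwriting what is already in the hook, then resolves which config.json applies and whether fail_severity is set, so you can see up front whether the hook will actually block anything. The function names, the assumed .git/hooks location (a custom core.hooksPath is not handled) and the minimal sed-based read of the one JSON key are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not HashiCorp's code. Wires vault-radar into an existing git
# pre-commit script the way the page describes (append, never overwrite) and
# reports which config.json and fail_severity will govern the hook.
# Assumption: hooks live in REPO_DIR/.git/hooks (a custom core.hooksPath is not handled).

HOOK_CMD='vault-radar scan git pre-commit'

# install_vault_radar_hook REPO_DIR
# Appends HOOK_CMD to REPO_DIR/.git/hooks/pre-commit, creating the script if it
# does not exist. Existing lines are left untouched, and a second run is a no-op
# so the scan is never added twice.
install_vault_radar_hook() {
  repo=$1
  hook="$repo/.git/hooks/pre-commit"
  if [ ! -d "$repo/.git/hooks" ]; then
    echo "install_vault_radar_hook: $repo has no .git/hooks directory" >&2
    return 1
  fi
  if [ ! -f "$hook" ]; then
    printf '#!/bin/sh\nset -e\n' > "$hook"
  fi
  # Match an uncommented, possibly indented copy of the command; a commented-out
  # line ("# vault-radar ...") does not count as installed.
  if ! grep -Eq '^[[:space:]]*vault-radar scan git pre-commit([[:space:]]|$)' "$hook"; then
    printf '\n# added by install_vault_radar_hook\n%s\n' "$HOOK_CMD" >> "$hook"
  fi
  chmod +x "$hook"
}

# effective_config REPO_DIR HOME_DIR
# Prints the config.json vault-radar will use. The repository-local file wins
# over the global one; returns 1 (prints nothing) when neither exists.
effective_config() {
  for cfg in "$1/.hashicorp/vault-radar/config.json" "$2/.hashicorp/vault-radar/config.json"; do
    if [ -f "$cfg" ]; then
      printf '%s\n' "$cfg"
      return 0
    fi
  done
  return 1
}

# effective_fail_severity REPO_DIR HOME_DIR
# Prints the fail_severity from the effective config, or "unset" when no config
# sets one. "unset" is the case to watch for: the hook reports risks but rejects
# nothing. The sed expression is a deliberately minimal reader for this one key.
effective_fail_severity() {
  cfg=$(effective_config "$1" "$2") || { echo unset; return 0; }
  sev=$(sed -n 's/.*"fail_severity"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$cfg" | head -n 1)
  if [ -n "$sev" ]; then
    echo "$sev"
  else
    echo unset
  fi
}

# Usage (file name is hypothetical): sh install_hook.sh /path/to/repo
if [ -n "${1:-}" ]; then
  install_vault_radar_hook "$1"
  echo "effective fail_severity: $(effective_fail_severity "$1" "$HOME")"
fi
```

Run it against a clone that already has a pre-commit script and the script keeps its existing lines, gains the scan command once, and the final line tells you whether a commit will ever be rejected. Treat "unset" as a misconfiguration when the hook is meant to be a gate.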