Hooks are scripts that run at different steps during the commit process. They are completely customizable and will trigger events at key points during the development life cycle. Some examples of hooks are:
Commit hooks are categorized into two buckets: Client-Side Hooks and Server-Side Hooks. Client-Side hooks reside on the developer’s local machine, while server-side hooks reside on a central server. Within each hook category, a hook can be called before, during, or after a commit.
Git hooks are split into two main categories based on where they run: client-side and server-side. Understanding the difference is essential for deciding where to enforce a given rule or automate a specific task.
Client-side hooks run locally on a developer's machine and are triggered by actions like committing, merging, or pushing. They are ideal for enforcing code formatting, running linters, checking commit message structure, or catching issues before they ever leave the local environment. Because they live in the .git/hooks directory and are not cloned with the repository, each developer is responsible for setting them up individually.
Server-side hooks run on the remote repository and are triggered when the server receives a push. Unlike client-side hooks, they cannot be bypassed by individual developers, making them the more reliable enforcement layer for team-wide policies. The pre-receive hook can reject pushes that do not meet defined standards, while the post-receive hook is commonly used for notifications, triggering CI pipelines, or updating external systems after a successful push.
The pre-commit hook runs on the git commit command before Git checks for a commit message or generates a commit object. This hook can be used to run any tests on the snapshot that is about to be committed
Examples:
The prepare-commit-msg hook runs just after the pre-commit hook (assuming that the commit has not aborted) to populate the commit message with text. This hook can be used as a template to prepare the commit message that gets printed with the commit. It will save time by automatically formatting and pulling certain commit information, like the branch name, issue, or developer name.
Examples:
The commit-msg hook runs after the prepare-commit-msg hook and after the user completes the commit message. Where the prepare-commit-msg hook prepares the template for the message, this commit-msg hook checks that the message has been properly formatted. The user could have changed the commit message from the prepare-commit-msg hook. This hook can verify and warn the user of the message error or can abort the commit entirely.
Examples:
The post-commit hook runs immediately after the commit-msg hook successfully runs. This hook will not change the status of the overall commit. Instead, this hook is used to notify any necessary people or processes.
Examples:
The pre-rebase hook runs before the rebase takes place. This hook can be used to check that the rebase will not break the git history since a rebase could be dangerous. Usually, the logic in this script is a bit more complex than other scripts. You can view a default pre-rebase hook with the sample script by typing: cat .git/hooks/pre-rebase.sample.
Examples:
The post-checkout hook runs after a successful call from git checkout. This hook can be used to set up the development environment after switching branches.
Examples:
The pre-receive hook runs anytime a client pushes a commit using git push.
Examples:
The post-receive hook runs after a push commit runs successfully. This hook is used to send notifications on a successful git push. This hook is similar to the client-side hook post-commit but would be a more logical place to perform notifications as this hook resides on a central server.
Examples:
With the freedom of customizing git hooks to do virtually anything within your commit process, you can write scripts that will provide extra layers of security in your Secure Software Development Lifecycle. You can visit our Commit Hooks Lesson where we step through creating our own hook to search for secrets left in code. Want to learn about Threat Modeling? Check out this article for a practical introduction to the topic, which includes a free threat modeling template!
Understanding what are git hooks used for in practice is where the real value becomes clear. Whether you are enforcing commit standards, blocking bad code, or triggering automated pipelines, git hooks give development teams a flexible and powerful layer of control at every stage of the workflow.
The pre-commit hook is one of the most widely used examples in day-to-day development. If you are learning how to use a git pre commit hook, the most common starting point is running a linter or code formatter automatically before a commit is finalized. This catches syntax errors, enforces style guides, and prevents messy code from ever entering the repository history. A simple git hooks example here would be a shell script that runs ESLint on staged JavaScript files and aborts the commit if any violations are found.
Another practical answer to what is a git hook comes from the commit-msg hook, which validates the format of a commit message before the commit is recorded. Teams that follow a convention like Conventional Commits use this hook to reject messages that do not include a required type prefix such as feat, fix, or chore. This keeps commit history readable and makes automated changelog generation possible.
On the server side, understanding what are hooks in git extends beyond local enforcement. The pre-receive hook runs on the remote server every time a developer pushes and can be used to reject pushes that fail security scans, include exposed credentials, or target protected branches without the right permissions. Unlike client-side hooks, these cannot be bypassed, making them the right place to enforce non-negotiable team or security policies.
The post-receive hook is commonly used for triggering CI pipelines, sending Slack notifications, or deploying to staging environments after a successful push. If you are asking what are git hooks in the context of DevSecOps workflows, this hook is where automation connects the version control layer to the broader delivery pipeline.
Note: This article was adapted from the Commit Hooks lesson in our training platform. Want to learn more about our secure coding and application security training? Contact us to schedule a conversation.