@arunsanna
Created February 23, 2026 15:20
AI coding guardrails: pre-commit/pre-push hooks with install + code

AI Coding Guardrails: Pre-Commit + Pre-Push (Copy/Paste Setup)

Use this when AI is generating code and you want checks enforced automatically before code reaches the remote: secret scanning and SAST on every commit, and a full scan plus a coverage gate on every push.

1) Install dependencies

macOS (Homebrew)

brew install trivy semgrep trufflehog
npm i -D husky
npm run prepare

Linux (example)

# install trivy (https://trivy.dev/latest/getting-started/installation/)
# install semgrep (https://semgrep.dev/docs/getting-started)
# install trufflehog (https://github.com/trufflesecurity/trufflehog)
npm i -D husky
npm run prepare

2) package.json scripts

Add these scripts at repo root:

{
  "scripts": {
    "test:gateway:api": "npm --prefix gateway run test -- test/routes.test.ts test/project-routes.test.ts test/headless-routes.test.ts test/sdk-routes-mcp.test.ts test/index.test.ts test/events.test.ts",
    "coverage:check": "npm --prefix gateway run coverage:check && npm --prefix browser run coverage:check",
    "prepare": "husky"
  }
}

3) .husky/pre-commit

#!/usr/bin/env bash
set -euo pipefail

ROOT_DIR="$(git rev-parse --show-toplevel)"
cd "$ROOT_DIR"

echo "[hook:pre-commit] secret scan (trufflehog)"
bash scripts/security/run-trufflehog.sh --staged

echo "[hook:pre-commit] SAST scan (semgrep/trivy)"
bash scripts/security/run-sast.sh --staged

echo "[hook:pre-commit] gateway API endpoint tests"
npm run test:gateway:api

4) .husky/pre-push

#!/usr/bin/env bash
set -euo pipefail

ROOT_DIR="$(git rev-parse --show-toplevel)"
cd "$ROOT_DIR"

echo "[hook:pre-push] full secret scan"
bash scripts/security/run-trufflehog.sh --all

echo "[hook:pre-push] full SAST scan"
bash scripts/security/run-sast.sh --all

echo "[hook:pre-push] coverage gate"
npm run coverage:check

5) scripts/security/run-sast.sh (auto Trivy/Semgrep)

#!/usr/bin/env bash
set -euo pipefail

# --staged (default, pre-commit) or --all (pre-push); accepted for parity
# with run-trufflehog.sh and the hooks that call both scripts.
MODE="${1:---staged}"
# trivy | semgrep | auto (auto prefers trivy when both are installed)
SAST_ENGINE="${SAST_ENGINE:-auto}"

case "$MODE" in
  --staged|--all) ;;
  *) echo "Usage: $0 [--staged|--all]" >&2; exit 2 ;;
esac

run_trivy() {
  local target="$1"
  # --exit-code 1 turns HIGH/CRITICAL findings into a failed hook
  trivy fs \
    --quiet \
    --exit-code 1 \
    --severity HIGH,CRITICAL \
    --scanners vuln,misconfig,secret \
    "$target"
}

run_semgrep() {
  local target="$1"
  # --error makes semgrep exit non-zero when it reports findings
  semgrep scan --config "${SEMGREP_CONFIG:-p/default}" --error --metrics=off "$target"
}

# In production, point TARGET_DIR at a snapshot built for "$MODE" (the
# staged index for --staged, the HEAD tree for --all; run-trufflehog.sh
# shows how). This minimal template scans the working tree in both modes
# and focuses on engine selection + fail behavior.
TARGET_DIR="."

case "$SAST_ENGINE" in
  trivy)   run_trivy "$TARGET_DIR" ;;
  semgrep) run_semgrep "$TARGET_DIR" ;;
  auto)
    if command -v trivy >/dev/null 2>&1; then
      run_trivy "$TARGET_DIR"
    elif command -v semgrep >/dev/null 2>&1; then
      run_semgrep "$TARGET_DIR"
    else
      echo "Neither trivy nor semgrep is installed." >&2
      exit 2
    fi
    ;;
  *)
    echo "Invalid SAST_ENGINE: $SAST_ENGINE" >&2
    exit 2
    ;;
esac

6) scripts/security/run-trufflehog.sh (minimal)

#!/usr/bin/env bash
set -euo pipefail

MODE="${1:---staged}"   # --staged (pre-commit) or --all (pre-push)
ROOT_DIR="$(git rev-parse --show-toplevel)"
cd "$ROOT_DIR"

# Scan a snapshot rather than the working tree so that only content that
# will actually be committed or pushed is examined.
tmp="$(mktemp -d)"
trap 'rm -rf "$tmp"' EXIT

case "$MODE" in
  --all)
    # tracked HEAD snapshot; untracked and ignored files are never pushed
    git archive --format=tar HEAD | tar -xf - -C "$tmp"
    ;;
  --staged)
    # staged (index) snapshot: "git show :path" reads the index version,
    # which may differ from the working-tree file
    while IFS= read -r -d '' rel; do
      mkdir -p "$tmp/$(dirname "$rel")"
      git show ":$rel" > "$tmp/$rel"
    done < <(git diff --cached --name-only --diff-filter=ACMR -z)
    ;;
  *)
    echo "Usage: $0 [--staged|--all]" >&2
    exit 2
    ;;
esac

# --fail: exit non-zero when trufflehog reports any secret
trufflehog filesystem "$tmp" --fail

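The snapshot step above is the part of the hook most worth understanding: the pre-commit hook must scan what is in the index, not what is on disk, because an edit made after `git add` is not part of the commit. The following is an added, stand-alone example (not part of the gist) that isolates that logic into two functions, `snapshot_staged` and `snapshot_head` (my names), and drives them against a throwaway repository built inline. It assumes `git`, `tar` and bash are available; the file contents and the `FAKE_MARKER_NOT_STAGED` string are constructed fixtures, not real credentials.

```shell
#!/usr/bin/env bash
# Added example (not from the gist): builds the scan snapshot a hook should
# hand to a scanner, and shows why the index, not the working tree, is the
# right input for a pre-commit scan.
set -euo pipefail

# Copy the staged (index) version of every added/copied/modified/renamed
# file into $1. Unstaged working-tree edits are deliberately excluded: the
# commit being checked contains the index content, not what is on disk.
snapshot_staged() {
  local dest="$1" rel
  git diff --cached --name-only --diff-filter=ACMR -z |
    while IFS= read -r -d '' rel; do
      mkdir -p "$dest/$(dirname "$rel")"
      git show ":$rel" > "$dest/$rel"
    done
}

# Export the tracked HEAD tree into $1 (pre-push mode). Untracked and
# ignored files never reach the scanner: they are not pushed either.
snapshot_head() {
  local dest="$1"
  git archive --format=tar HEAD | tar -xf - -C "$dest"
}

# Constructed fixture: stage a clean file, then edit the working copy after
# staging. Prints the content the staged snapshot actually contains.
demo_snapshot_difference() {
  local work snap
  work="$(mktemp -d)"
  snap="$(mktemp -d)"
  (
    cd "$work"
    git -c init.defaultBranch=main init -q
    git -c user.name=demo -c user.email=demo@example.invalid \
      commit -q --allow-empty -m init
    mkdir -p src
    printf 'token = "CLEAN"\n' > src/config.py
    git add src/config.py
    # This edit happens after "git add" and is NOT part of the commit.
    printf 'token = "FAKE_MARKER_NOT_STAGED"\n' > src/config.py
    snapshot_staged "$snap"
  )
  cat "$snap/src/config.py"   # the index version, token = "CLEAN"
  rm -rf "$work" "$snap"
}

# Constructed fixture: one committed file plus one untracked scratch file.
# Prints the file names present in the HEAD snapshot.
demo_head_snapshot() {
  local work snap
  work="$(mktemp -d)"
  snap="$(mktemp -d)"
  (
    cd "$work"
    git -c init.defaultBranch=main init -q
    printf 'tracked\n' > tracked.txt
    git add tracked.txt
    git -c user.name=demo -c user.email=demo@example.invalid commit -q -m init
    printf 'scratch, never committed\n' > untracked.txt
    snapshot_head "$snap"
  )
  ls "$snap"   # only tracked.txt
  rm -rf "$work" "$snap"
}

# Stand-alone run: show both snapshot modes on the constructed repositories.
if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
  echo "staged snapshot content: $(demo_snapshot_difference)"
  echo "HEAD snapshot files:     $(demo_head_snapshot)"
fi
```

The practical consequence for the hooks: a secret written to disk after `git add` is not in the staged snapshot (and not in the commit), while a secret that was staged is scanned even if the developer has since reverted it in the working tree. Using a snapshot directory also keeps `.gitignore`d local files such as `.env` out of the pre-push scan, which is correct because they are not pushed.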
7) Make hooks executable

chmod +x .husky/pre-commit .husky/pre-push
chmod +x scripts/security/run-sast.sh scripts/security/run-trufflehog.sh

8) Verify locally

bash .husky/pre-commit
bash .husky/pre-push

Why this setup matters with AI-generated code

  • AI increases output speed and change volume, so more code lands per review hour.
  • Hooks enforce a baseline of secret scanning, SAST and test/coverage checks on every commit and push.
  • The checks run even when humans skip manual review steps.