Pre-Commit Scan

Pre-Commit Scanning

Pre-commit scanning is a critical feature designed to enhance security by identifying issues before code is committed to a repository. Traditionally, scanning is performed after a commit, which introduces a window of risk — vulnerable code may already be committed before issues are flagged, reviewed, and fixed. This gap can lead to security exposure. With pre-commit scanning, Flyingduck enforces true shift-left security, closing that gap entirely.

Why Pre-Commit?

  • Shift Left Security: Identify and resolve vulnerabilities before they enter your codebase.
  • Preventative Approach: Blocks risky commits early in the development lifecycle.
  • Minimize Remediation Cycles: Avoid repeated cycles of commit → scan → fix → re-commit.
  • Integrated Developer Workflow: Works automatically as part of Git operations.

Prerequisites

Before using pre-commit scanning:

  1. Docker desktop must be installed in the system. Install Docker Desktop (Official Documentation) (opens in a new tab).
  2. Run in your IDE terminal to verify whether properly installed or not:
docker run hello-world

You should see an output similar to the following if Docker is installed and running correctly:

Hello from Docker!
This message shows that your installation appears to be working correctly.
 
To generate this message, Docker took the following steps:
1. The Docker client contacted the Docker daemon.
2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
  (amd64)
3. The Docker daemon created a new container from that image which runs the
  executable that produces the output you are currently reading.
4. The Docker daemon streamed that output to the Docker client, which sent it
  to your terminal.
  1. Ensure the repository is integrated with the Flyingduck portal.
  2. Clone the repository to your local machine.

Setup Instructions

Step 1: Create Pre-Commit Configuration

Open your repository in IDE, navigate to .git/hooks by following your favourite editor and then create a file named pre-commit.ps1 with the following content:

# pre-commit.ps1
$REPO_ROOT = & git rev-parse --show-toplevel
Write-Output "Running Flyingduck security tests on $REPO_ROOT"
 
docker run -v "${REPO_ROOT}:/src" --entrypoint /bin/bash flyingduckio/duckdefender:latest -c "duckdefender pre-commit --sca --secrets --sast"
$EXIT_CODE = $LASTEXITCODE
 
if ($EXIT_CODE -eq 0) {
    Write-Output "Git commit passed all Flyingduck security tests successfully (exit code $EXIT_CODE)"
} elseif ($EXIT_CODE -eq 1) {
    Write-Output "Git commit failed due to security issues detected by Flyingduck (exit code $EXIT_CODE)"
}
 
exit $EXIT_CODE

In the same directory along with pre-commit.ps1, create pre-commit file with the follwing content:

#!/usr/bin/env bash
 
powershell -ExecutionPolicy Bypass -File ./.git/hooks/pre-commit.ps1

Step 2: Commit Your Code

Pre-commit scanning runs automatically during the commit process. No manual scan trigger is needed.

Example:

git add .
git commit -m "your commit message"

Authentication

The first time you commit after enabling pre-commit, you’ll be prompted to log in using your Flyingduck credentials.

login

To log in with your Flyingduck credentials, run the following command in powershell:

docker run -it -v ${PWD}:/src --rm --entrypoint /bin/bash flyingduckio/duckdefender:latest -c "duckdefender login"
  • A file named .duckdefender will be created inside .git/hooks.
  • This stores your login session securely.
  • The session is valid for one week, after which you'll be prompted to log in again — a security measure.

After logging in, the initial commit will not go through. To initiate the scans, please make the commit again.

Once the commit is made, pre-commit will be triggered and it will run scans for:

  • SCA (Software Composition Analysis) login
  • Secrets login
  • SAST (Static Application Security Testing) login

If any vulnerabilities or issues are detected by the configured scanners, the commit will be blocked until the problems are resolved.

Bypassing Pre-Commit Scanning (Not recommended)

In rare cases, you might want to bypass pre-commit scanning — for example, during high-priority deployments or when a quick hotfix needs to be pushed.

Pre-commit is designed to block commits when issues are found. To skip the scan:

git commit -m "your commit message" --no-verify
🚫

This skips security checks. Use it only when necessary and ensure follow-up validation is performed.

Summary

FeatureDescription
Integrated ScanRuns on every git commit automatically
Blocks on IssuesCommit is blocked if vulnerabilities are found
AuthenticationOne-time login valid for 7 days
Bypass OptionUse --no-verify to skip scan temporarily
Security FirstPrevents vulnerable code from entering repositories

Flyingduck's pre-commit scanning brings security to the developer's fingertips — stopping vulnerabilities before they are ever committed.

You only need to set up pre-commit once per repository. After setup, it works silently and automatically during your regular workflow.

JenkinsReachability Analysis