feat: add block-no-verify hook to prevent git hook bypass #203
Closed
tupe12334 wants to merge 1 commit into microsoft:main from
Adds block-no-verify@1.1.2 as a PreToolUse hook in .claude/settings.json to detect and block attempts to bypass git hooks. Also documents the git hook safety policy in Agents.md. Closes #202
Summary
- `block-no-verify@1.1.2` as a PreToolUse hook in `.claude/settings.json` to block git commands that attempt to bypass hooks
- `Agents.md` under a new "Git Hook Safety" section
Problem
The current `.claude/settings.json` has PreToolUse hooks for `Task` — but nothing prevents an agent from using the bypass flags on `git commit` or `git push`, which silently skips all pre-commit/pre-push hooks (tests, linting, secret scanning, etc).
Solution
`block-no-verify` is a purpose-built hook that reads Claude Code's PreToolUse stdin payload and exits non-zero if it detects:
- `--no-verify` flag on any git subcommand
- `-n` shorthand on `git commit`
- `core.hooksPath` override pointing to `/dev/null`
Zero configuration — just add it as a `Bash` PreToolUse hook.
Changes
Test plan
- `git commit` normally — should pass through
- `git commit` with bypass flags — should be blocked with a clear message
- `Agents.md` renders cleanly in GitHub
Closes #202
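The three checks listed under Solution, written out as a stand-alone PreToolUse hook in Python. This is an added example, not the code of the `block-no-verify` package or of this PR; the payload fields `tool_name` and `tool_input.command`, the exit status 2, and the names `bypass_reason` and `SHORT_N` are assumptions. It matches whole shell tokens, so a commit message that merely mentions a flag, or `-n` on `git push` or `git log`, is not blocked.

```python
import json
import re
import shlex
import sys
from itertools import groupby

# n in a short-option cluster (-n, -an); m F C c t u S begin an attached value
SHORT_N = re.compile(r"-[^\-mFCctuS]*n")


def _segments(command):
    """Split a shell line into per-command token lists at ; | & ( ) < >."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    lexer.commenters = ""  # a mid-word '#' must not hide later flags
    try:
        tokens = list(lexer)
    except ValueError:  # unbalanced quotes: fall back to a plain split
        tokens = command.split()
    return [list(g) for sep, g in groupby(
        tokens, lambda t: t != "" and set(t) <= set(";|&()<>")) if not sep]


def bypass_reason(command):
    """Return which of the three bypass patterns is present, else None."""
    for seg in _segments(command):
        names = [t.rsplit("/", 1)[-1] for t in seg]  # /usr/bin/git -> git
        if "git" not in names:
            continue
        args = seg[names.index("git") + 1:]
        if "--no-verify" in args:
            return "--no-verify"
        if any(a.lower() == "core.hookspath=/dev/null" for a in args):
            return "core.hooksPath=/dev/null"
        sub = next((i for i, a in enumerate(args) if a[:1] != "-"
                    and (i == 0 or args[i - 1] not in ("-c", "-C"))), None)
        if sub is not None and args[sub] == "commit" and any(
                SHORT_N.match(a) for a in args[sub + 1:]):
            return "commit -n"
    return None


if __name__ == "__main__":
    payload = json.load(sys.stdin)  # Claude Code PreToolUse payload
    command = payload.get("tool_input", {}).get("command", "")
    reason = bypass_reason(command) if payload.get("tool_name") == "Bash" else None
    if reason:
        print(f"blocked: {reason} would skip git hooks", file=sys.stderr)
        sys.exit(2)  # assumed blocking status; the page only says "non-zero"
```

Token matching only sees flags written literally in the command; a flag supplied through a git alias, a shell variable or a wrapper script is outside what this check can detect.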