Git hooks
The surest way to keep a secret out of your history is to never let it be
committed. kovra hooks install drops a pre-commit hook into a repo that
scans the staged diff and fails the commit on a finding.
Install it
Run it inside the repository you want to protect:

~ % kovra hooks install
Wrote ./.gitleaks.toml
Installed the gitleaks pre-commit hook at ./.git/hooks/pre-commit.

Windows — coming soon. The same model on Windows Hello + Credential Manager.
It writes a gitleaks-based pre-commit hook
into .git/hooks/pre-commit and a .gitleaks.toml config you can tune. From then
on, every git commit scans what you staged; a likely secret aborts the commit
before it ever enters history.
It won’t silently replace a pre-commit hook you already have — re-run with
--force to overwrite an existing one.
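Git only runs .git/hooks/pre-commit when core.hooksPath does not point elsewhere and the file is executable, so it is worth confirming the backstop is live after installing. The check below is an added example, not part of kovra: the function name and exit codes are hypothetical, and it assumes the installed hook script contains the string "gitleaks".

```shell
#!/bin/sh
# Added example (not kovra code): verify the pre-commit backstop is active.
# Usage: check_precommit_hook /path/to/repo-root
# Exit codes (hypothetical): 0 active, 1 no hook file or not a git repo,
#                            2 hook not executable, 3 hook does not mention gitleaks.
check_precommit_hook() {
    repo=${1:-.}

    # --git-path honours core.hooksPath, so this is the file git will really run,
    # which may differ from .git/hooks/pre-commit.
    hook=$(git -C "$repo" rev-parse --git-path hooks/pre-commit 2>/dev/null) || {
        echo "$repo is not a git repository" >&2
        return 1
    }
    case $hook in
        /*) ;;                      # absolute path (core.hooksPath is absolute)
        *)  hook="$repo/$hook" ;;   # relative to the directory passed via -C
    esac

    if [ ! -f "$hook" ]; then
        echo "no pre-commit hook at $hook" >&2
        return 1
    fi
    # Git skips hook files that are not executable instead of failing the commit.
    if [ ! -x "$hook" ]; then
        echo "$hook exists but is not executable" >&2
        return 2
    fi
    # Assumption: the gitleaks-based hook names gitleaks somewhere in its script.
    # A pre-existing hook that was never overwritten would fail this test.
    if ! grep -q gitleaks "$hook"; then
        echo "$hook does not reference gitleaks" >&2
        return 3
    fi
    echo "pre-commit hook active: $hook"
    return 0
}
```

A hook is still skipped by git commit --no-verify, so this check confirms the hook is installed, not that every commit passed through it.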
Why a hook and the vault
The vault keeps secrets out of your code in the first place, and .env.refs holds
only addresses — but a hook is the backstop for the mistake everyone eventually
makes: pasting a real value into a file “just for a second.” Defense in depth means
the commit is blocked even when the discipline slips.
Related checks
kovra doctor validates a project’s .env.refs — wire it into CI to fail a build on drift.
kovra scaffold proposes an .env.refs from your source, so you wire secrets by address, never by value.