According to the 2025 State of Cloud Security Report, 85% of organizations have plaintext secrets embedded in their source code repositories. If these repositories are public or breached, attackers can extract secrets to access systems, exfiltrate data, escalate privileges, and more.

Secrets exposure remains a common but highly preventable risk. The key is catching secrets before they enter your codebase or reach shared repositories, ideally as early in the development process as possible.

To help organizations achieve this, Orca provides Git hooks that integrate Secret Detection directly into the developer workflow. These include a pre-commit hook that runs locally on a developer’s machine and a pre-receive hook that runs on the source code manager (SCM) server. Together, they enable organizations to enforce layered, scalable, and efficient controls to block secrets before they become embedded in Git history.

What are Git hooks and why do they matter?

Git hooks are customizable scripts that run automatically during specific stages of a Git workflow. They’re widely used for enforcing policies, validating code, and detecting sensitive information like API keys, tokens, passwords, and other secrets.

Once a secret is committed and pushed to a remote repository, removing it is far from simple. Even with Git history rewriting, some SCM platforms may retain cached or mirrored data, making full remediation unreliable and incomplete.

Git hooks help shift security left by catching secrets at the earliest possible stage, before they ever leave a developer’s machine or reach a shared repository.

Orca’s Git hooks provide two complementary layers of protection:

  • Pre-commit hook: Runs on a developer’s local machine before a commit is finalized. It provides fast, immediate feedback and prevents secrets from ever being introduced into version control. 
  • Pre-receive hook: Runs on the SCM server, such as GitLab Self-Managed or Bitbucket Datacenter, before accepting a push. It ensures consistent enforcement across all teams, regardless of local setup.

Both hooks can be used independently or in tandem, providing flexibility for security teams to align with their organization’s workflows and risk profile.

What Orca’s Git Hooks Provide

Orca’s Git hooks offer proactive, scalable, and developer-friendly protection against credential exposure. Here’s what you get with Orca.

Local control with pre-commit hooks

Orca’s pre-commit hook helps developers stop mistakes before they happen. It scans for secrets automatically before a commit is made, alerting the developer in real time if a secret is detected. This allows the developer to fix the issue before it enters the codebase, keeping secrets out of version control entirely.

With the Orca CLI, teams can:

  • Easily install the pre-commit hook across individual or multiple repositories
  • Use global pre-commit hooks to cover all existing and future Git repositories on a developer’s machine
  • Catch issues early, improving security and code quality without disrupting workflows

This local-first approach helps build secure coding habits by giving developers the tools and feedback they need, right where they work.

Orca’s global pre-commit hook prevents secrets disclosure locally across all repositories, existing and new

Centralized enforcement with pre-receive hooks

Orca’s pre-receive hook strengthens organizational guardrails by enforcing Secret Detection at the SCM server level. It provides a reliable enforcement point that applies policies uniformly across all teams, regardless of whether local pre-commit hooks are installed or bypassed.

Once installed via the Orca CLI, the pre-receive hook ensures that even if a secret bypasses local checks, it won’t make it into the repository.

Orca’s pre-receive hook blocks a git push due to secrets being detected

To reduce friction, Orca allows developers to bypass the pre-receive hook on a push-by-push basis, providing flexibility for edge cases without weakening security posture.

Fast and efficient scans

Both Git hooks are optimized for speed and efficiency. Orca scans only the changes being committed or pushed, avoiding unnecessary performance overhead. Developers receive immediate feedback when a secret is found, so they can resolve the issue and continue their work without delays.

This ensures security remains a seamless part of the development process, fast, automated, and built-in from the start.

About the Orca Cloud Security Platform

Orca offers a unified and comprehensive cloud security platform that identifies, prioritizes, and remediates security risks and compliance issues across AWS, Azure, Google Cloud, Oracle Cloud, Alibaba Cloud, and Kubernetes. The Orca Cloud Security Platform leverages Orca’s patented SideScanning™ technology to provide complete coverage and comprehensive risk detection. 

Learn More

Interested in discovering the benefits of the Orca Cloud Security Platform and its Application Security (AppSec) capabilities? Schedule a personalized 1:1 demo.