TLDR: Set up infisical scan as a pre-commit hook. One git push with a hardcoded API key and it is in the repo history forever. AI-generated code is especially risky. Takes 5 minutes to set up.
All the Docker isolation in the world does not help if you commit a secret to git.
Setup
Infisical CLI detects 140+ secret types (AWS keys, Stripe tokens, JWTs, private keys):
infisical scan            # scan current directory and git history
infisical scan --no-git   # scan files only, skip git history

Pre-commit hook
Create .git/hooks/pre-commit:
#!/bin/bash
echo "Scanning for secrets..."
# Staged paths only. --diff-filter=d drops staged deletions so the scanner is
# never handed a path that no longer exists in the working tree.
git diff --cached --name-only -z --diff-filter=d | xargs -0 infisical scan --no-git 2>&1

if [ $? -ne 0 ]; then
  echo ""
  echo "ERROR: Secrets detected in staged files."
  echo "Remove them and try again."
  echo "Override: git commit --no-verify"
  exit 1
fi

Make it executable:

chmod +x .git/hooks/pre-commit

Team enforcement
Use a shared hooks directory so everyone gets the hook automatically:
mkdir -p .githooks
cp .git/hooks/pre-commit .githooks/pre-commit
git config core.hooksPath .githooks

Commit .githooks/ to the repo. core.hooksPath is stored in the local .git/config, which is not versioned, so each fresh clone still runs the git config line once (put it in the project's setup script or README).
AI-generated code is especially risky
AI agents sometimes generate code with hardcoded credentials from training data or context. Always review AI-generated commits. The pre-commit scanner is your safety net.
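To make concrete what the safety net is looking for, here is a toy staged-content scanner written as an added example for this page; it is not from the original post and not Infisical's code. It reads the blobs in the git index (what will actually be committed) and runs a few simplified rules for the secret types named above (AWS keys, Stripe tokens, JWTs, private keys) plus a generic high-entropy check. The regexes, the entropy threshold and the sample staged content are all assumptions constructed for the example; a real scanner such as infisical scan ships far more and better-tuned rules.

```python
import math
import re
import subprocess
import sys
from dataclasses import dataclass


@dataclass
class Finding:
    path: str
    line: int
    rule: str
    snippet: str  # redacted, so hook output never echoes the full secret


# Specific, well-known formats. These patterns are assumptions, not Infisical's rules.
RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe-secret-key": re.compile(r"\bsk_(?:live|test)_[0-9a-zA-Z]{24,}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b"),
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}

# Generic fallback: a secret-looking name assigned a long literal whose
# characters are close to uniformly distributed (i.e. probably random).
ASSIGNMENT = re.compile(
    r"(?i)\b(secret|token|password|api[_-]?key)\w*\s*[=:]\s*['\"]([A-Za-z0-9+/=_\-]{20,})['\"]"
)
ENTROPY_THRESHOLD = 3.5  # bits per char; prose is ~2-3, random base64 is ~4.5+


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or constant string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def redact(secret: str) -> str:
    return secret[:4] + "..." if len(secret) > 4 else "****"


def scan_text(path: str, text: str) -> list[Finding]:
    """Run every rule over each line; the generic rule fires only when no specific one did."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        hit = False
        for rule, pattern in RULES.items():
            for m in pattern.finditer(line):
                findings.append(Finding(path, lineno, rule, redact(m.group(0))))
                hit = True
        m = ASSIGNMENT.search(line)
        if not hit and m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
            findings.append(Finding(path, lineno, "high-entropy-assignment", redact(m.group(2))))
    return findings


def staged_files() -> list[str]:
    """Paths staged for the next commit; --diff-filter=d skips staged deletions."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "-z", "--diff-filter=d"],
        check=True, capture_output=True,
    ).stdout
    return [p.decode() for p in out.split(b"\0") if p]


def staged_content(path: str) -> str:
    """Content of the index blob (":path"), i.e. what will actually be committed.

    This can differ from the working-tree file after `git add -p`, which is why
    a hook should scan the index rather than the files on disk.
    """
    blob = subprocess.run(["git", "show", f":{path}"], check=True, capture_output=True).stdout
    return blob.decode("utf-8", errors="replace")


# Constructed sample of staged content. The AWS and Stripe values are the publicly
# documented example keys from those vendors' docs; everything else is made up.
SAMPLE_STAGED = {
    "config.py": (
        "timeout = 30\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "stripe_key = 'sk_test_4eC39HqLyjWDarjtT1zdp7dc'\n"
        "api_key = 'Zq9xL2vR7tN4kP8wY3mJ6sB1'\n"
        "password = 'correct horse battery staple'\n"  # spaces: not a random literal
        "token = 'aaaaaaaaaaaaaaaaaaaaaaaa'\n"          # long, but zero entropy
    ),
    "auth.js": "const jwt = 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0In0.c2lnbmF0dXJl';\n",
    "deploy.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...constructed...\n-----END RSA PRIVATE KEY-----\n",
}


def scan_sample() -> list[tuple[str, int, str]]:
    """Scan the constructed sample; returns (path, line, rule) triples."""
    return [(f.path, f.line, f.rule) for p, t in SAMPLE_STAGED.items() for f in scan_text(p, t)]


def main() -> int:
    """Pre-commit entry point: exit 1 (blocking the commit) if anything is found."""
    findings = [f for p in staged_files() for f in scan_text(p, staged_content(p))]
    for f in findings:
        print(f"{f.path}:{f.line}: {f.rule} ({f.snippet})", file=sys.stderr)
    if findings:
        print("ERROR: Secrets detected in staged files.", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Two design choices worth copying into any hook: it scans the index blob (`git show :path`) rather than the file on disk, so partially staged changes are judged by what actually enters history, and it prints only a redacted prefix of each match, so the hook's own output does not become a second place the secret is written down. On the sample, `scan_sample()` flags the AWS key, the Stripe key, the random-looking `api_key`, the JWT and the PEM header, and correctly ignores the passphrase with spaces and the long constant string.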