Pre-commit hooks catch linting and formatting violations at commit time, seconds after the code is written, rather than in CI (minutes later) or code review (hours or days later). Without hooks, malformatted code enters the repository freely, and style violations accumulate until code review is dominated by formatting comments instead of logic review. The ISO 25010 maintainability sub-characteristic modifiability degrades as the codebase becomes harder to read. SSDF PW.7 recognizes automated code review tooling as a software assurance control.
Low, because missing git hooks let preventable style and lint violations enter the codebase and increase review burden, while CI and code review still provide a slower fallback.
Set up Husky and lint-staged to enforce linting on every commit:
    npm install -D husky lint-staged
    npx husky init
    echo "npx lint-staged" > .husky/pre-commit
Add to package.json:
    "lint-staged": {
      "*.{ts,tsx}": ["eslint --fix", "prettier --write"],
      "*.{json,md,css}": ["prettier --write"]
    }
After setup, every git commit lints and formats staged files automatically. Commits that fail linting are blocked until the issues are resolved. If CI already runs npm run lint on every PR, this check can be skipped — see the skip criteria.
ID: code-maintainability.code-hygiene.git-hooks
Severity: low
What to look for: Check for git hook configuration: .husky/ directory with pre-commit hook file, .lefthook.yml or lefthook.json, simple-git-hooks configuration in package.json, or any other git hooks manager. Also check package.json for lint-staged configuration, which typically runs ESLint/Prettier on staged files. The hook should at minimum run linting or formatting on changed files before commit.
Pass criteria: Count all git hook configuration files in the project (.husky/*, lefthook.yml, etc.). A pre-commit hook is configured that runs linting or formatting on staged files before the commit is allowed. Extract and quote the pre-commit hook command or lint-staged config to verify that it runs at least one linting or formatting tool. Report which hook manager is used even on pass.
Fail criteria: No git hook configuration found — no .husky/, no lefthook, no simple-git-hooks, no lint-staged in package.json. Do NOT pass when a hook manager is installed but the pre-commit hook file is empty or contains only comments.
Skip (N/A) when: The project's CI pipeline enforces lint checks on every pull request (substitute for hooks). Signal: .github/workflows/*.yml files that run npm run lint or npm run type-check on PRs. In this case, skip with a note.
Detail on fail: "No pre-commit hooks configured (no .husky/, lefthook, or lint-staged found). Linting and formatting are not enforced before commits — code style violations can be committed freely." or "lint-staged listed in devDependencies but no configuration found in package.json and no .husky/ directory."
Remediation: Pre-commit hooks prevent malformatted or linting-failed code from entering the repository. They catch issues instantly (at commit time) rather than in CI (minutes later) or code review (hours/days later).
Set up Husky + lint-staged:
    npm install -D husky lint-staged
    npx husky init
    echo "npx lint-staged" > .husky/pre-commit
Add to package.json:
    "lint-staged": {
      "*.{ts,tsx}": ["eslint --fix", "prettier --write"],
      "*.{json,md,css}": ["prettier --write"]
    }
After setup, every git commit will automatically lint and format the staged files. Commits that fail linting are blocked until the issues are resolved.
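As an added example that is not part of this check spec, the following Node script applies the What to look for, Pass, Fail and Skip criteria above to an in-memory file tree instead of a checked-out repository; the file-tree shape, the list of recognised lint/format tools and the sample repository contents are assumptions made for the example.

```javascript
// Added example (not part of the original check spec): evaluates the git-hooks check
// against an in-memory file tree mapping repo-relative path -> file content.
// Lint/format tools recognised in a hook command or lint-staged config (assumed list).
const LINT_TOOL = /\b(eslint|prettier|biome|stylelint|npm run lint|npm run type-check)\b/;

// A hook is configured only if it has a line that is neither blank nor a comment.
function hookHasCommands(content) {
  return String(content).split("\n").some((line) => {
    const t = line.trim();
    return t !== "" && !t.startsWith("#");
  });
}

function evaluateGitHooksCheck(files) {
  const pkg = files["package.json"] ? JSON.parse(files["package.json"]) : {};
  // Skip (N/A): a GitHub Actions workflow already runs lint or type-check on PRs.
  const ciLint = Object.keys(files).some((p) =>
    /^\.github\/workflows\/[^/]+\.ya?ml$/.test(p) && /npm run (lint|type-check)/.test(files[p]));
  if (ciLint) return { result: "skip", manager: null, detail: "CI runs npm run lint/type-check on PRs" };

  // Collect pre-commit definitions from each supported hook manager.
  const hooks = [];
  if (".husky/pre-commit" in files) hooks.push(["husky", files[".husky/pre-commit"]]);
  for (const f of ["lefthook.yml", ".lefthook.yml", "lefthook.json"]) {
    if (f in files) hooks.push(["lefthook", files[f]]);
  }
  const sgh = pkg["simple-git-hooks"];
  if (sgh && sgh["pre-commit"]) hooks.push(["simple-git-hooks", sgh["pre-commit"]]);

  const lintStaged = pkg["lint-staged"] ? JSON.stringify(pkg["lint-staged"]) : "";
  for (const [manager, content] of hooks) {
    if (!hookHasCommands(content)) continue; // empty or comment-only hook: never a pass
    const usesLintStaged = /lint-staged/.test(content);
    // When the hook delegates to lint-staged, the package.json config is what actually runs.
    const tool = (usesLintStaged ? `${content} ${lintStaged}` : String(content)).match(LINT_TOOL);
    if (tool) return { result: "pass", manager, detail: `pre-commit runs ${tool[0]}` };
    if (usesLintStaged && !lintStaged) {
      return { result: "fail", manager, detail: "hook runs lint-staged but package.json has no lint-staged config" };
    }
  }
  if (hooks.length) return { result: "fail", manager: hooks[0][0], detail: "pre-commit hook is empty or runs no lint/format tool" };
  return { result: "fail", manager: null, detail: "No pre-commit hooks configured (no .husky/, lefthook, or lint-staged found)" };
}

// Constructed sample repository matching the remediation in this check (not a real project).
const SAMPLE_REPO = {
  "package.json": JSON.stringify({ "lint-staged": { "*.{ts,tsx}": ["eslint --fix", "prettier --write"] } }),
  ".husky/pre-commit": "npx lint-staged\n",
};
```

Running `evaluateGitHooksCheck(SAMPLE_REPO)` returns a pass for the husky manager, while a hook file that contains only comments, or one that invokes lint-staged without a matching package.json section, is reported as a fail with the reason quoted.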