Security · PreToolUse · Bash · PreToolUse: before tool execution, can block · ⚡ blocking
git push to main guardrail
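Detects direct git push commands to main/master and blocks them to force going through a branch and a pull request. Note that the script listed below is narrower than this description: it only blocks force pushes whose command line mentions main or master, so a plain `git push origin main` is allowed through. Because the check is a text match on the command, use it alongside server-side branch protection rather than instead of it.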
Use cases
- Branch discipline
- Main branch protection
- GitFlow workflow
Providers & tags
Claude Code
#security #git #workflow #guardrail
settings.json fragment
{
"hooks": {
"PreToolUse": [
{
"hooks": [
{
"command": "node $CLAUDE_PROJECT_DIR/.claude/hooks/guard-push-main.mjs",
"type": "command"
}
],
"matcher": "Bash"
}
]
}
}
Script · .claude/hooks/guard-push-main.mjs
#!/usr/bin/env node
// Bloque git push --force vers main/master (PreToolUse Bash)
import { readFileSync } from 'fs';
import { fileURLToPath } from 'url';
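/**
 * PreToolUse guard for the Bash tool: reports whether a command looks like a
 * force-push that mentions main or master.
 *
 * A push counts as forced when, after `git push`, the command contains
 * `--force` / `--force-with-lease`, a short-option cluster that includes `f`
 * (`-f`, `-fu`, ...), or a `+`-prefixed refspec (`+main`), which git also
 * treats as a forced update.
 *
 * This is a best-effort text match on the command string. It cannot see the
 * currently checked-out branch, aliases or wrapper scripts, so server-side
 * branch protection should remain the authoritative control.
 *
 * @param {{ tool_input?: { command?: unknown } } | null | undefined} input
 *   Hook payload; only `tool_input.command` is read.
 * @returns {{ decision: 'block', reason: string } | null}
 *   A block decision when a force-push mentioning main/master is detected,
 *   otherwise null.
 */
export function run(input) {
  // A missing payload or command means there is nothing to inspect.
  const rawCommand = String(input?.tool_input?.command ?? '');

  // Join backslash-newline continuations so a flag placed on a continuation
  // line is matched on the same logical line as `git push`.
  const command = rawCommand.replace(/\\\r?\n/g, ' ');

  const forcePatterns = [
    // Long options: --force, --force-with-lease (and other --force* variants).
    /git\s+push\b.*--force(?:-with-lease)?/,
    // Short-option cluster containing `f`. It must start after whitespace so
    // that a branch name ending in "-f" is not mistaken for the flag.
    /git\s+push\b.*\s-[A-Za-z]*f[A-Za-z]*(?![\w-])/,
    // `+refspec` forces the update without any --force flag.
    /git\s+push\b.*\s\+\S/,
  ];

  const isForce = forcePatterns.some((pattern) => pattern.test(command));
  const isMain = /\b(main|master)\b/.test(command);

  if (!(isForce && isMain)) {
    return null;
  }

  return {
    decision: 'block',
    reason: 'Force-push vers main/master interdit. Créez une PR ou demandez confirmation explicite.',
  };
}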
// CLI entry point: runs only when this file is executed directly (not when
// imported, e.g. by tests). Reads the hook payload as JSON from stdin (fd 0),
// evaluates it with run(), and writes the decision as JSON to stdout when
// run() returns one; nothing is written when run() returns null.
// NOTE(review): if stdin is not valid JSON, JSON.parse throws and the process
// exits without emitting a decision — confirm whether the hook runner treats
// that as allow (fail-open) and whether failing closed is wanted here.
// Comments are kept above the pragma because "next 5" counts the lines below.
/* v8 ignore next 5 */
if (process.argv[1] === fileURLToPath(import.meta.url)) {
const input = JSON.parse(readFileSync(0, 'utf8'));
const result = run(input);
if (result) process.stdout.write(JSON.stringify(result));
}