Block No-Verify Hook

PreToolUse hook configuration that intercepts and blocks bypass-flag usage before execution, ensuring AI agents cannot skip pre-commit hooks, GPG signing, or other git safety mechanisms.

Overview

AI coding agents (Claude Code, Codex, etc.) can run shell commands with flags like --no-verify that bypass pre-commit hooks. This defeats the purpose of linting, formatting, testing, and security checks configured in pre-commit hooks. The block-no-verify hook adds a PreToolUse guard that rejects any tool call containing bypass flags before execution.

Problem

When AI agents commit code, they may use bypass flags to avoid hook failures:

These commands skip pre-commit hooks entirely

git commit --no-verify -m "quick fix" git push --no-verify git commit --no-gpg-sign -m "unsigned commit" git merge --no-verify feature-branch

This allows:

• Unformatted code to enter the repository

• Linting errors to bypass checks

• Security scanning to be skipped

• Unsigned commits to bypass signing policies

• Test suites to be circumvented

Solution

Add a PreToolUse hook to .claude/settings.json that inspects every Bash tool call and blocks commands containing bypass flags.

Configuration

Add the following to your project's .claude/settings.json :

{ "hooks": { "PreToolUse": [ { "matcher": "Bash", "hook": { "type": "command", "command": "if printf '%s' "$TOOL_INPUT" | grep -qE '(^|&&|;|\|)\sgit\s+.--(no-verify|no-gpg-sign)'; then echo 'BLOCKED: --no-verify and --no-gpg-sign flags are not allowed. Run the commit without bypass flags so that pre-commit hooks execute properly.' >&2; exit 2; fi" } } ] } }

How It Works

• Matcher: The hook targets only Bash tool calls, so it does not interfere with other tools (Read, Edit, Grep, etc.).

• Inspection: The $TOOL_INPUT environment variable contains the full command the agent is about to execute. The hook uses printf to safely pass input (avoiding echo pitfalls with special characters) and checks for --no-verify or --no-gpg-sign flags only when preceded by a git command.

• Blocking: If a bypass flag is found in a git command, the hook exits with code 2 and prints an error message. Exit code 2 signals Claude Code to reject the tool call entirely.

• Pass-through: If no bypass flag is found, the hook exits with code 0 and the command executes normally.

Exit Codes

Code Meaning

0 Allow the tool call to proceed

1 Error (tool call still proceeds, warning shown)

2 Block the tool call entirely

Blocked Flags

Flag Purpose Why Blocked

--no-verify

Skips pre-commit and commit-msg hooks Bypasses linting, formatting, testing, security checks

--no-gpg-sign

Skips GPG commit signing Bypasses commit signing policy

Installation

Per-Project Setup

Create or update .claude/settings.json in your project root:

mkdir -p .claude cat > .claude/settings.json << 'EOF' { "hooks": { "PreToolUse": [ { "matcher": "Bash", "hook": { "type": "command", "command": "if printf '%s' "$TOOL_INPUT" | grep -qE '(^|&&|;|\|)\sgit\s+.--(no-verify|no-gpg-sign)'; then echo 'BLOCKED: --no-verify and --no-gpg-sign flags are not allowed. Run the commit without bypass flags so that pre-commit hooks execute properly.' >&2; exit 2; fi" } } ] } } EOF

Global Setup

To enforce across all projects, add to ~/.claude/settings.json :

mkdir -p ~/.claude cat > ~/.claude/settings.json << 'EOF' { "hooks": { "PreToolUse": [ { "matcher": "Bash", "hook": { "type": "command", "command": "if printf '%s' "$TOOL_INPUT" | grep -qE '(^|&&|;|\|)\sgit\s+.--(no-verify|no-gpg-sign)'; then echo 'BLOCKED: --no-verify and --no-gpg-sign flags are not allowed. Run the commit without bypass flags so that pre-commit hooks execute properly.' >&2; exit 2; fi" } } ] } } EOF

Verification

Test that the hook blocks bypass flags:

This should be blocked by the hook:

git commit --no-verify -m "test"

This should succeed normally:

git commit -m "test"

Extending the Hook

Adding More Blocked Flags

To block additional flags (e.g., --force ), extend the grep pattern:

{ "hooks": { "PreToolUse": [ { "matcher": "Bash", "hook": { "type": "command", "command": "if printf '%s' "$TOOL_INPUT" | grep -qE '(^|&&|;|\|)\sgit\s+.--(no-verify|no-gpg-sign|force-with-lease|force)'; then echo 'BLOCKED: Bypass flags are not allowed.' >&2; exit 2; fi" } } ] } }

Combining with Other Hooks

The block-no-verify hook works alongside other PreToolUse hooks:

{ "hooks": { "PreToolUse": [ { "matcher": "Bash", "hook": { "type": "command", "command": "if printf '%s' "$TOOL_INPUT" | grep -qE '(^|&&|;|\|)\sgit\s+.--(no-verify|no-gpg-sign)'; then echo 'BLOCKED: Bypass flags not allowed.' >&2; exit 2; fi" } }, { "matcher": "Bash", "hook": { "type": "command", "command": "if printf '%s' "$TOOL_INPUT" | grep -qE 'rm\s+-rf\s+/'; then echo 'BLOCKED: Dangerous rm command.' >&2; exit 2; fi" } } ] } }

Best Practices

• Commit the settings file -- Add .claude/settings.json to version control so all team members benefit from the hook.

• Document in onboarding -- Mention the hook in your project's contributing guide so developers understand why bypass flags are blocked.

• Pair with pre-commit hooks -- The block-no-verify hook ensures pre-commit hooks run; make sure you have meaningful pre-commit hooks configured.

• Test after setup -- Verify the hook works by intentionally triggering it in a test commit.