Hamburger Cross Icon
Git Guardrails - Pre Commit Pinned Refs

Pre Commit Pinned Refs

Guardrail Git Guardrails Beta Devex Build And Ci
git.pre-commit-pinned-refs

Each repo entry in .pre-commit-config.yaml must have a rev pinned to an immutable ref (tag or commit SHA), not a floating branch like main, master, or HEAD. Floating refs let upstream hook changes land in the developer machine without review. Skips when no pre-commit config is present (paired with pre-commit-config-exists).

pre-commit pinned refs supply chain immutable
Get Started View All Git Guardrails

Compatible Integrations

This guardrail works with the following integrations. Click to see how to use Pre Commit Pinned Refs with each collector.

+
Pre Commit Pinned Refs + Git Collector Provides parsed config data under .git.* for all checks in this policy

Enable This Guardrail

Add the parent policy to your lunar-config.yml to enable this guardrail.

📄 lunar-config.yml 
policies:
  - uses: github://earthly/lunar-lib/policies/git@v1.0.5
    include: [pre-commit-pinned-refs]
    # with: ...

How This Guardrail Works

This guardrail is part of the Git Guardrails policy. It evaluates data collected by integrations and produces a pass/fail check with actionable feedback.

When enabled, this check runs automatically on every PR and in AI coding workflows, providing real-time enforcement of your engineering standards.

Learn How Lunar Works
1
Integrations Gather Data
Collectors extract metadata from code, CI pipelines, tool outputs, and scans
2
{ } Centralized as JSON
All data merged into each component's unified metadata document
3
This Guardrail Checks Current
Pre Commit Pinned Refs runs and provides pass/fail feedback

Configuration Options

These inputs can be configured in your lunar-config.yml to customize how the parent policy (and this guardrail) behaves.

Input Required Default Description
secret_scan_hook_ids Optional gitleaks,detect-secrets,trufflehog,detect-aws-credentials,detect-private-key Comma-separated list of pre-commit hook IDs that count as secret scanners

Related Guardrails

Other guardrails in the Git Guardrails policy.

Guardrail Devex Build And Ci
Pre Commit Config Exists

Universal check — fails when no `.pre-commit-config.yaml` is found in the repository. Pre-commit is a low-friction way...
Guardrail Devex Build And Ci
Pre Commit Secret Scan Hook

Recommends that the pre-commit config include at least one secret-scanning hook (gitleaks, detect-secrets, trufflehog,...
Guardrail Devex Build And Ci
Pre Commit Ci Skip Empty

Flags non-empty `ci.skip` lists in `.pre-commit-config.yaml`. The `ci.skip` setting is a pre-commit.ci escape hatch that...
Guardrail Devex Build And Ci
Gitattributes Exists

Universal check — fails when no `.gitattributes` file is found in the repository. Even a minimal one (`* text=auto`)...
Guardrail Devex Build And Ci
Gitattributes Eol Normalized

Requires `.gitattributes` to declare EOL normalization (e.g. `* text=auto`, or `text` / `eol=` directives covering...
Guardrail Devex Build And Ci
Submodules No Floating Branches

Flags submodules that declare a `branch` field in `.gitmodules`, since that signals the submodule is intended to track a...
Git Guardrails

Git Guardrails

This guardrail is part of the Git Guardrails policy, which includes 7 guardrails for devex build and ci.

View Policy

Ready to Automate Your Standards?

See how Lunar can turn your AGENTS.md, engineering wiki, compliance docs, or postmortem action items into automated guardrails with our 200+ built-in guardrails.

Works with any process
check AI agent rules & prompt files
check Post-mortem action items
check Security & compliance policies
check Testing & quality requirements
Automate Now
Paste your AGENTS.md or manual process doc and get guardrails in minutes
Book a Demo