AI Pre-Commit Review: A 60-Second Self-Check Before Every Commit

Wire an AI agent into your git workflow to scan the staged diff before you commit. Catches leftover debug code, leaked secrets, and null bugs in under a minute.

Reverting a bad commit costs you a force-push, a broken CI run, and an awkward “sorry, my bad” in Slack. A pre-commit self-review costs 60 seconds. The problem was never the value of the check — it was the friction. An AI agent that reads your staged diff on one keystroke removes the friction, so the check actually happens.

This is not PR review. It is the cheap pass you run on your own work, before anyone else sees it.

TL;DR

  • Bind a review prompt to a single command (/precommit in Claude Code, a saved prompt in Cursor) that reads git diff --staged.
  • Scope it to five concrete categories: leftover debug code, hardcoded secrets, null/undefined bugs, off-by-one errors, and files that should never be committed.
  • Layer a deterministic secret scanner (gitleaks git --staged, v8.30.1 as of June 2026) under it — AI catches logic smells, gitleaks catches every API key.
  • Expect 60 seconds and one or two real flags per session. The rest is noise; use judgment.

Who this is for

Anyone pushing 5+ commits a day, and solo developers especially. With no teammate downstream, your staged diff is the last checkpoint before main. The workflow also pays off when an AI agent (Claude Code, Cursor, Codex) wrote the diff — agent-generated code ships confident-looking bugs that a focused second read catches fast.

When to skip it: throwaway typo fixes and private work-in-progress branches no one else watches. Spend the 60 seconds on branches that ship.

Step by step

The whole point is one keystroke. Set it up once.

1. Create the command. In Claude Code, custom slash commands are Markdown files in .claude/commands/ (project-scoped, version-controlled) or ~/.claude/commands/ (personal). Create .claude/commands/precommit.md:

---
description: Review the staged diff before committing
allowed-tools: Bash(git diff:*), Bash(git status:*)
---
Run `git diff --staged` and review only what is about to be committed.

Flag ONLY these, with file and line number:
- Forgotten debug code: console.log, debugger, dbg!(), print/printf not behind a flag, commented-out blocks
- Hardcoded secrets, API keys, tokens, or connection strings
- Null / undefined / type errors and unhandled error paths
- Off-by-one or boundary mistakes in loops and slices
- Files that should not ship: .env, .DS_Store, build artifacts, large binaries

Do NOT flag style, naming, or refactor ideas. If nothing is wrong, say "clean" in one line.

In Cursor, save the same prompt body as a reusable snippet or a .cursor/rules entry and invoke it from chat with the staged diff attached.

2. Stage exactly what you mean to commit. Run git add -p so the agent reviews the real diff, not a mix of staged and unstaged changes. Reviewing unstaged work is the most common way this goes sideways — the agent flags lines you were never going to ship.

3. Run the command. Type /precommit. The agent reads git diff --staged and returns a short flag list.

4. Triage. Most flags are noise; one or two are usually real. Fix the real ones in place, git add the fixes, and re-run if you staged anything new.

5. Commit yourself, with intent. Do not let the agent run git commit. You own the commit message and the decision to ship.

Pair it with a deterministic secret scanner

An LLM is good at logic smells and bad at being exhaustive — it can miss a secret on a tired re-read. So back it with a tool that never gets tired. Gitleaks (v8.30.1, released March 2026) scans only the staged diff and exits non-zero on a hit, blocking the commit:

gitleaks git --staged --verbose

Note the protect --staged form was deprecated in v8.19.0; git --staged is the current command. On a few-hundred-line diff it runs in well under a second.

Wire both into a pre-commit hook so it is genuinely automatic. With Lefthook (faster than Husky because it runs jobs in parallel), lefthook.yml:

pre-commit:
  parallel: true
  commands:
    secrets:
      run: gitleaks git --staged --verbose
    lint:
      glob: "*.{js,ts,tsx}"
      run: npm run lint -- {staged_files}

Run lefthook install once. Now every git commit runs gitleaks and lint automatically; the AI review stays a deliberate /precommit call because judgment shouldn’t be a blocking gate.

LayerToolCatchesBlocking?
Deterministicgitleaks git --stagedEvery secret / key patternYes (hook)
DeterministicESLint / Biome via LefthookLint + type smellsYes (hook)
JudgmentAI agent /precommitLogic bugs, off-by-one, leftover debugNo (manual)

Tune the flag list to your stack

The default prompt is language-agnostic. Tighten it:

  • Rust: add dbg!(), stray .unwrap() on fallible calls, #[allow(dead_code)] left in.
  • TypeScript: add any types, non-null assertions (!), and @ts-ignore without a reason.
  • Python: add bare except:, print() debugging, and breakpoint().
  • Go: add fmt.Println debugging and ignored errors (_ =).

Always include the “do NOT flag” line. Without it, the agent drifts into naming and refactor suggestions, the flag list balloons, and you stop reading it — which defeats the whole point.

A real Friday-evening pass: /precommit on a staged diff flagged a leftover debugger statement and a .env that git add . had swept in. Both fixed in 20 seconds, committed clean, no weekend incident. If the same commit is about to ship to Firebase Hosting, run an AI Firebase deploy checks pass right after to catch rewrite-order and region issues before they hit production.

FAQ

  • Does this replace PR code review?: No. It is a pre-filter on your own commits, before anyone else looks. Real review still happens at PR time with a human reviewer who understands the feature’s intent.
  • Won’t a 60-second check slow me down?: It is 60 seconds, and the secret scanner is sub-second. The first time it catches a committed .env or an API key, it has paid for the year — rotating a leaked key and rewriting git history costs hours.
  • Which model should run the review?: Any current frontier model handles a small staged diff well. Claude Code runs Anthropic models only (Sonnet 4.6 is plenty for this; Opus 4.7 for large diffs). Cursor lets you pick Sonnet 4.6, GPT-5.5, or Gemini 3.1 Pro. The task is small, so model choice barely matters — keystroke speed matters more.
  • Why not just rely on the AI for secrets too?: LLMs are probabilistic and can miss a key on a long diff. gitleaks is regex-and-entropy based and deterministic, so it never has an off day. Use the AI for judgment, the scanner for coverage.
  • Should the agent commit for me?: No. Keep git commit in your hands so you own the message and the intent. Let the agent review, not decide.

Tags: #AI coding #Tutorial #Workflow