Skip to content
Switch branches/tags

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time

Pre-Commit Hooks for Mac Admins


This repository contains hooks for pre-commit that may be useful to Mac admins, client engineers, and other Apple-focused IT professionals.


To use these hooks, you first need to install pre-commit using the instructions here:

Adding hooks to your pre-commit config

For any hook in this repo you wish to use, add the following to your pre-commit config:

-   repo:
    rev: v1.10.1
    -   id: check-plists
    # -   id: ...

After adding a hook to your pre-commit config, it's not a bad idea to run pre-commit autoupdate to ensure you have the latest version of the hooks.

Hooks available


  • check-git-config-email

    This hook checks to ensure the Git config email matches one of the specified domains: args: ['--domains', '', '', '--']

  • check-plists

    This hook checks XML property list (plist) files for basic syntax errors.

  • check-munkipkg-buildinfo

    This hook checks MunkiPkg build-info files to ensure they are valid.

  • check-outset-scripts

    This hook checks Outset scripts to ensure they're executable.


  • check-autopkg-recipe-list

    This hook checks AutoPkg recipe lists (in txt, plist, yaml, or json format) for common issues.

  • check-autopkg-recipes

    This hook checks AutoPkg recipes to ensure they meet various requirements and conventions.

    • Optionally specify your preferred AutoPkg recipe and/or override prefix, if you wish to enforce them: args: ['--override-prefix=com.yourcompany.autopkg.']
      (default: local.)
      args: ['--recipe-prefix=com.github.yourusername.']
      (default: com.github.)

    • Optionally specify the version of AutoPkg for which you want to ignore MinimumVersion mismatches with processors. args: ['--ignore-min-vers-before=0.5.0']
      (default: 1.0.0)
      Specifying 0.1.0 will not ignore any MinimumVersion mismatches.

    • If you're a purist, you can also enable strict mode. This enforces recipe type conventions, all processor/MinimumVersion mismatches, forbids <!-- --> style comments, and ensures all processor input variables (arguments) are valid.
      args: ['--strict']
      (default: False)

  • forbid-autopkg-overrides

    This hook prevents AutoPkg overrides from being added to the repo.

  • forbid-autopkg-trust-info

    This hook prevents AutoPkg recipes with trust info from being added to the repo.


  • check-jamf-extension-attributes

    This hook checks Jamf extension attributes for common issues. (Looks for EAs in a path containing jamf/extension_attributes or jss/extension_attributes.)

  • check-jamf-scripts

    This hook checks Jamf scripts for common issues. (Looks for scripts in a path containing jamf/scripts or jss/scripts.)

  • check-jamf-profiles

    This hook checks Jamf profiles for common issues. (Looks for profiles in a path containing jamf/profiles or jss/profiles.)


  • check-munki-pkgsinfo

    This hook checks Munki pkginfo files to ensure they are valid.

    • Specify your preferred list of pkginfo catalogs, if you wish to enforce it, followed by -- to signal the end of the list:
      args: ['--catalogs', 'testing', 'stable', '--']

    • Specify your preferred list of pkginfo categories, if you wish to enforce it, followed by --:
      args: ['--categories', 'Productivity', 'Design', 'Utilities', 'Web Browsers', '--']

    • Specify required pkginfo keys, followed by --:
      args: ['--required-keys', 'category', 'description', 'developer', 'name', 'version', '--']
      (default: description, name)

  • check-munkiadmin-scripts

    This hook ensures MunkiAdmin scripts are executable.

  • munki-makecatalogs

    This hook runs the "makecatalogs" command to ensure all referenced packages are present and catalogs are up to date.

Note about combining arguments

When combining arguments that take lists (for example: --required-keys, --catalogs, and --categories), only the last list needs to have a trailing --. For example, if you use the check-munki-pkgsinfo hook with only the --catalogs argument, your yaml config would look like this:

-   repo:
    rev: v1.10.1
    -   id: check-munki-pkgsinfo
        args: ['--catalogs', 'testing', 'stable', '--']

But if you also use the --categories argument, you would move the trailing -- to the end, after all the lists, like this:

-   repo:
    rev: v1.10.1
    -   id: check-munki-pkgsinfo
        args: ['--catalogs', 'testing', 'stable', '--categories', 'Design', 'Engineering', 'Web Browsers', '--']

The -- only serves as a signal to the hook that the list of arguments is complete, and is only needed for "list" type arguments.

If it looks better to your eye, feel free to use a multi-line list for long arguments:

-   repo:
    rev: v1.10.1
    -   id: check-munki-pkgsinfo
        args: [
            '--required-keys', 'description', 'name', 'developer', 'category', 'version',
            '--catalogs', 'testing', 'stable',
            '--categories', 'Communication', 'Design', 'Engineering', 'macOS', 'Printers',
                'Productivity', 'Security',  'Utilities', 'Web Browsers',


If you find my hooks useful, you may also want to use one or more of the Python, Markdown, and Git-related hooks listed here:

Specifically, here are a few I use for Mac admin work:

  • check-added-large-files
  • check-executables-have-shebangs
  • check-merge-conflict
  • check-yaml
  • detect-aws-credentials
  • detect-private-key
  • mixed-line-ending
  • no-commit-to-branch
  • trailing-whitespace