Pre-Commit Hooks for Mac Admins


This repository contains hooks for pre-commit that may be useful to Mac admins, client engineers, and other Apple-focused IT professionals.


To use these hooks, you first need to install pre-commit using the instructions here:

Adding hooks to your pre-commit config

For any hook in this repo you wish to use, add the following to your pre-commit config:

-   repo:
    rev: v1.16.2
    hooks:
    -   id: check-plists
    # -   id: ...

After adding a hook to your pre-commit config, it's not a bad idea to run pre-commit autoupdate to ensure you have the latest version of the hooks.

Hooks available


  • check-git-config-email

    This hook checks to ensure the Git config email matches one of the specified domains: args: ['--domains', '', '', '--']

  • check-munkipkg-buildinfo

    This hook checks MunkiPkg build-info files to ensure they are valid.

  • check-outset-scripts

    This hook checks Outset scripts to ensure they're executable.

  • check-plists

    This hook checks XML property list (plist) files for basic syntax errors. Does not modify or autoformat these files; see the format-xml-plist hook below if you want autoformatting.

  • format-xml-plist

    This hook will auto-format XML property list (plist) files to use tabs instead of spaces, and will alphabetically sort keys.

    NOTE: This will remove any HTML-style comments <!--like this--> in your plist files, so convert those to <key>Comment</key> format first.

  • check-autopkg-recipe-list

    This hook checks AutoPkg recipe lists (in txt, plist, yaml, or json format) for common issues.

  • check-autopkg-recipes

    This hook checks AutoPkg recipes to ensure they meet various requirements and conventions.

    • Optionally specify your preferred AutoPkg recipe and/or override prefix, if you wish to enforce them: args: ['--override-prefix=com.yourcompany.autopkg.']
      (default: local.)
      args: ['--recipe-prefix=com.github.yourusername.']
      (default: com.github.)

    • Optionally specify the version of AutoPkg for which you want to ignore MinimumVersion mismatches with processors. args: ['--ignore-min-vers-before=0.5.0']
      (default: 1.0.0)
      Specifying 0.1.0 will not ignore any MinimumVersion mismatches.

    • If you're a purist, you can also enable strict mode. This enforces recipe type conventions, all processor/MinimumVersion mismatches, forbids <!-- --> style comments, and ensures all processor input variables (arguments) are valid.
      args: ['--strict']
      (default: False)

  • forbid-autopkg-overrides

    This hook prevents AutoPkg overrides from being added to the repo.

  • forbid-autopkg-trust-info

    This hook prevents AutoPkg recipes with trust info from being added to the repo.

  • check-jamf-extension-attributes

    This hook checks Jamf extension attributes for common issues. (Looks for EAs in a path containing jamf/extension_attributes or jss/extension_attributes.)

  • check-jamf-scripts

    This hook checks Jamf scripts for common issues. (Looks for scripts in a path containing jamf/scripts or jss/scripts.)

  • check-jamf-profiles

    This hook checks Jamf profiles for common issues. (Looks for profiles in a path containing jamf/profiles or jss/profiles.)

  • check-munki-pkgsinfo

    This hook checks Munki pkginfo files to ensure they are valid.

    • Specify your preferred list of pkginfo catalogs, if you wish to enforce it, followed by -- to signal the end of the list: args: ['--catalogs', 'testing', 'stable', '--']

    • Specify your preferred list of pkginfo categories, if you wish to enforce it, followed by --: args: ['--categories', 'Productivity', 'Design', 'Utilities', 'Web Browsers', '--']

    • Specify required pkginfo keys, followed by --: args: ['--required-keys', 'category', 'description', 'developer', 'name', 'version', '--'] (default: description, name)

    • Specify an alternate munki repo location by passing the argument: args: ['--munki-repo', './my_repo_location'] (default: ".")

    • Choose to only warn on missing icons by passing a flag. Note that if no other issues exist, this will allow pre-commit to pass without you seeing the warnings: args: ['--warn-on-missing-icons']

    • Add additional shebangs that are valid for your environment: args: ['--valid-shebangs', '#!/bin/macadmin/python37', '#!/bin/macadmin/python42', '--']

  • check-munkiadmin-scripts

    This hook ensures MunkiAdmin scripts are executable.

  • munki-makecatalogs

    This hook runs the "makecatalogs" command to ensure all referenced packages are present and catalogs are up to date.

    • Specify an alternate munki repo location by passing the argument: args: ['--munki-repo', './my_repo_location'] (default: ".")

Note about combining arguments

When combining arguments that take lists (for example: --required-keys, --catalogs, and --categories), only the last list needs to have a trailing --. For example, if you use the check-munki-pkgsinfo hook with only the --catalogs argument, your yaml config would look like this:

-   repo:
    rev: v1.16.2
    hooks:
    -   id: check-munki-pkgsinfo
        args: ['--catalogs', 'testing', 'stable', '--']

But if you also use the --categories argument, you would move the trailing -- to the end, after all the lists, like this:

-   repo:
    rev: v1.16.2
    hooks:
    -   id: check-munki-pkgsinfo
        args: ['--catalogs', 'testing', 'stable', '--categories', 'Design', 'Engineering', 'Web Browsers', '--']

The -- only serves as a signal to the hook that the list of arguments is complete, and is only needed for "list" type arguments.
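Why the trailing -- matters, shown as an added example (not code from this repository): pre-commit appends the staged file paths after the configured args, so a list argument left open absorbs them and the hook receives no files to check. The parser is an assumed stand-in built on Python's argparse with nargs="+"; the option names mirror check-munki-pkgsinfo and the file paths are constructed.

```python
import argparse


def build_parser():
    """Stand-in parser for a hook with list-type options (assumed shape)."""
    parser = argparse.ArgumentParser()
    parser.add_argument("--catalogs", nargs="+", default=[])
    parser.add_argument("--categories", nargs="+", default=[])
    # pre-commit passes the staged file paths as trailing positional arguments.
    parser.add_argument("filenames", nargs="*")
    return parser


def invoke(hook_args, staged_files):
    """Parse argv the way pre-commit builds it: configured args, then files."""
    ns = build_parser().parse_args(list(hook_args) + list(staged_files))
    return ns.catalogs, ns.categories, ns.filenames


# Constructed sample paths, for illustration only.
STAGED = ["pkgsinfo/Firefox-1.0.plist", "pkgsinfo/Zoom-2.0.plist"]

# The next option flag closes the --catalogs list; only the last list needs --.
WITH_TERMINATOR = ["--catalogs", "testing", "stable",
                   "--categories", "Design", "Web Browsers", "--"]
WITHOUT_TERMINATOR = WITH_TERMINATOR[:-1]

if __name__ == "__main__":
    for label, args in (("with --", WITH_TERMINATOR),
                        ("without --", WITHOUT_TERMINATOR)):
        catalogs, categories, filenames = invoke(args, STAGED)
        print(label)
        print("  catalogs:  ", catalogs)
        print("  categories:", categories)
        # An empty list here means no file would be validated.
        print("  filenames: ", filenames)
```

Without the terminator, both file paths land in the categories list and the filenames list is empty, so a check that iterates over filenames has nothing to inspect.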

If it looks better to your eye, feel free to use a multi-line list for long arguments:

-   repo:
    rev: v1.16.2
    hooks:
    -   id: check-munki-pkgsinfo
        args: [
            '--required-keys', 'description', 'name', 'developer', 'category', 'version',
            '--catalogs', 'testing', 'stable',
            '--categories', 'Communication', 'Design', 'Engineering', 'macOS', 'Printers',
                'Productivity', 'Security', 'Utilities', 'Web Browsers',
            '--']


If you find my hooks useful, you may also want to use one or more of the Python, Markdown, and Git-related hooks listed here:

Specifically, here are a few I use for Mac admin work:

  • check-added-large-files
  • check-executables-have-shebangs
  • check-merge-conflict
  • check-yaml
  • detect-aws-credentials
  • detect-private-key
  • mixed-line-ending
  • no-commit-to-branch
  • trailing-whitespace