I wrote a post on X (i.e. a Tweet) showing how Amp can prevent vulnerable code from being committed. Here is how it's done!
Create pre-commit hook
mv .git/hooks/pre-commit.sample .git/hooks/pre-commit
Git only runs a hook whose file name is exactly pre-commit; while the file still carries the .sample suffix it is ignored, so the rename above is required.
Copy and paste the script below into .git/hooks/pre-commit (the sample file is already executable, so no chmod is needed).
#!/bin/bash
# Paste this in .git/hooks/pre-commit
echo "Running Amp code review pre-commit hook..."

# Get all staged files that are being added, modified, or copied (not deleted)
# Use --diff-filter=ACM to exclude deleted files
files=$(git diff --cached --name-only --diff-filter=ACM)

# Exit successfully if no files are staged
if [ -z "$files" ]; then
    echo "No files to review. Proceeding with commit."
    exit 0
fi

echo "Files to review: $files"

# Review code with Amp
for file in $files; do
    if [ -f "$file" ]; then
        # Determine file type for customized prompt
        file_extension="${file##*.}"
        file_type="code"
        case "$file_extension" in
            js|jsx|ts|tsx) file_type="JavaScript/TypeScript" ;;
            html|htm)      file_type="HTML" ;;
            css|scss|sass) file_type="CSS/SCSS" ;;
            json)          file_type="JSON" ;;
            py)            file_type="Python" ;;
            *)             file_type="code" ;;
        esac

        echo "Reviewing $file with Amp..."

        # Get content of staged version of the file (the index, not the working tree)
        staged_content=$(git show ":$file")

        # Make sure content is not empty
        if [ -n "$staged_content" ]; then
            # Send to Amp for review and capture output
            review_result=$(echo "Review this $file_type for bugs and security issues: $staged_content" | amp --no-color)

            # Display the review results
            echo "Amp review for $file:"
            echo "$review_result"

            # Ask if user wants to proceed with commit
            read -r -p "Proceed with commit after this review? (y/n) " proceed
            if [ "$proceed" != "y" ]; then
                echo "Commit aborted by user after code review."
                exit 1
            fi
        else
            echo "No content to review in $file, skipping."
        fi
    else
        echo "File $file does not exist, skipping."
    fi
done

echo "Amp code review complete. Proceeding with commit."
exit 0
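The hook above relies on two things a reviewer should notice: the Amp verdict is non-deterministic (the summary below notes it sometimes fixes and sometimes only alerts), and the final decision is a y/n prompt that lets the author commit anyway. The following script is an added example, not part of the original post or of Amp: a deterministic gate that can run in front of the Amp review and blocks a known-bad pattern every time, with no network call. The list of patterns is constructed for the example (eval and new Function), and the file-type filter and function names are my own.

```shell
#!/bin/bash
# Added example (not the author's hook): deterministic pre-check for dynamic code
# execution in staged JS/TS files. Runs before, or alongside, the Amp review.

# Extended regex for dynamic code execution in JS/TS. Constructed list; extend as needed.
UNSAFE_PATTERNS='eval\(|new Function\('

# find_unsafe_lines LABEL < content
# Prints "LABEL:lineno: line" for every matching line read from stdin.
# Returns 0 if at least one match was found (commit should be blocked), 1 otherwise.
find_unsafe_lines() {
  label="$1"
  n=0
  found=1
  # The "|| [ -n "$line" ]" clause keeps a final line that lacks a trailing newline.
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    if printf '%s\n' "$line" | grep -Eq "$UNSAFE_PATTERNS"; then
      printf '%s:%d: %s\n' "$label" "$n" "$line"
      found=0
    fi
  done
  return "$found"
}

# check_staged_files
# Scans the staged (index) version of each added/modified/copied JS/TS file, the same
# way the Amp hook reads it with "git show :file". A heredoc is used instead of a
# for-loop over $files so filenames containing spaces survive intact.
# Returns 0 if the commit is clean, 1 if any staged file matched.
check_staged_files() {
  status=0
  while IFS= read -r file; do
    [ -n "$file" ] || continue
    case "$file" in
      *.js|*.jsx|*.ts|*.tsx)
        if git show ":$file" | find_unsafe_lines "$file"; then
          status=1
        fi
        ;;
    esac
  done <<EOF
$(git diff --cached --name-only --diff-filter=ACM)
EOF
  return "$status"
}

# Act as a hook only when installed as .git/hooks/pre-commit. Under any other name
# (for example when sourced for testing) the functions are merely defined.
if [ "$(basename "$0")" = "pre-commit" ]; then
  if ! check_staged_files; then
    echo "Commit blocked: dynamic code execution found in staged files (see lines above)."
    exit 1
  fi
fi
```

Because the gate exits non-zero without a prompt, it cannot be waved through with "y"; the Amp review can still follow it in the same hook to catch what a regex cannot express. Note that it reads the index, so a fix applied only to the working tree (as Amp did in the run below) must be re-staged with git add before the commit is retried.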
Create a test .tsx file (src/unsafe-eval.tsx) that deliberately contains an eval() call
// Components assumed to come from the Raycast API; the original snippet omits this import.
import { List, ActionPanel, Action } from "@raycast/api";

export default function HelloWorld() {
  const userInput = "console.log('Hello')";
  const processInput = () => {
    // Intentionally unsafe: this is the pattern the hook should catch.
    eval(userInput);
  };

  return (
    <List>
      <List.Item
        title="Hello World"
        actions={
          <ActionPanel>
            <Action.CopyToClipboard content="Hello World" onAction={processInput} />
          </ActionPanel>
        }
      />
    </List>
  );
}
Try it
git add .
git commit -m "Testing"
Results
Running Amp code review pre-commit hook...
Files to review: src/unsafe-eval.tsx
Reviewing src/unsafe-eval.tsx with Amp...
Amp review for src/unsafe-eval.tsx:
The code has a critical security vulnerability with `eval()`, which executes arbitrary JavaScript. Even with hardcoded input, this pattern is dangerous. If `userInput` ever comes from an external source, it creates a severe security risk.
╭──────────────────────────────────────────────────────────────────────────────╮
│ Read src/unsafe-eval.tsx │
├──────────────────────────────────────────────────────────────────────────────┤
│ 1: export default function HelloWorld() { │
│ 2: const userInput = "console.log('Hello')"; │
│ 3: │
│ 4: │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌ 10 more lines ╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ 15: <Action.CopyToClipboard content="Hello World" onAction={p... │
│ 16: </ActionPanel> │
│ 17: } │
│ 18: /> │
│ 19: </List> │
│ 20: ); │
│ 21: } │
╰──────────────────────────────────────────────────────────────────────────────╯
╭──────────────────────────────────────────────╮
│ Edit src/unsafe-eval.tsx │
├──────────────────────────────────────────────┤
│ const userInput = "console.log('Hello')"; │
│ │
│ │
│ const processInput = () => { │
│ - eval(userInput); │
│ + console.log('Hello'); │
│ }; │
│ │
│ return ( │
│ <List> │
╰──────────────────────────────────────────────╯
Fixed by replacing the unsafe `eval()` with direct code.
Commit aborted by user after code review.
Summary
Sometimes the Amp agent will just fix the code, other times it just alerts you. Either way the commit is aborted unless you answer y at the prompt. Note that when Amp edits the file, it changes the working tree, while the hook reviews the staged copy (git show :file), so run git add again before re-committing or the next run will review the same unfixed content.