diff --git a/.pre-commit-hooks.yaml b/.pre-commit-hooks.yaml
index f980204..965b1ec 100644
--- a/.pre-commit-hooks.yaml
+++ b/.pre-commit-hooks.yaml
@@ -1,6 +1,6 @@
 - id: ggshield-not-ci
   name: GitGuardian Shield (pre-commit)
-  entry: bash -c 'if [[ ! -z ${CI}} ]]; then ggshield secret scan pre-commit; fi'
   description: Runs ggshield in non-CI environments to detect hardcoded secrets, security vulnerabilities and policy breaks.
   stages: [commit]
-  language: system
+  entry: hooks/ggshield-not-ci.sh
+  language: script
diff --git a/hooks/ggshield-not-ci.sh b/hooks/ggshield-not-ci.sh
new file mode 100755
index 0000000..cafb800
--- /dev/null
+++ b/hooks/ggshield-not-ci.sh
@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+set -eo pipefail
+
+if [[ ! -z "${CI}"} ]]; then
+  ggshield secret scan pre-commit
+fi