Diffstat (limited to 'githooks')
-rwxr-xr-xgithooks/pre-commit50
1 files changed, 0 insertions, 50 deletions
diff --git a/githooks/pre-commit b/githooks/pre-commit
deleted file mode 100755
index 909cde2..0000000
--- a/githooks/pre-commit
+++ /dev/null
@@ -1,50 +0,0 @@
-#!/usr/bin/env bash
-# Pre-commit hook: secret scan + paren validation on staged .el files.
-# Use `git commit --no-verify` to bypass for confirmed false positives.
-
-set -u
-
-REPO_ROOT="$(git rev-parse --show-toplevel)"
-cd "$REPO_ROOT"
-
-# --- 1. Secret scan ---
-# Patterns for common credentials. Scans only added lines in the staged diff.
-SECRET_PATTERNS='(AKIA[0-9A-Z]{16}|sk-[a-zA-Z0-9_-]{20,}|-----BEGIN (RSA|DSA|EC|OPENSSH|PGP)( PRIVATE)?( KEY| KEY BLOCK)?-----|(api[_-]?key|api[_-]?secret|auth[_-]?token|secret[_-]?key|bearer[_-]?token|access[_-]?token|password)[[:space:]]*[:=][[:space:]]*["'"'"'][^"'"'"']{16,}["'"'"'])'
-
-secret_hits="$(git diff --cached -U0 --diff-filter=AM \
- | grep '^+' | grep -v '^+++' \
- | grep -iEn "$SECRET_PATTERNS" || true)"
-
-if [ -n "$secret_hits" ]; then
- echo "pre-commit: potential secret in staged changes:" >&2
- echo "$secret_hits" >&2
- echo "" >&2
- echo "Review the lines above. If this is a false positive (test fixture, documentation)," >&2
- echo "bypass with: git commit --no-verify" >&2
- exit 1
-fi
-
-# --- 2. Paren check on staged .el files ---
-staged_el="$(git diff --cached --name-only --diff-filter=AM | grep '\.el$' || true)"
-
-if [ -n "$staged_el" ]; then
- paren_fail=""
- while IFS= read -r f; do
- [ -z "$f" ] && continue
- [ -f "$f" ] || continue
- if ! out="$(emacs --batch --no-site-file --no-site-lisp "$f" \
- --eval '(check-parens)' 2>&1)"; then
- paren_fail="${paren_fail}${f}:
-${out}
-
-"
- fi
- done <<< "$staged_el"
-
- if [ -n "$paren_fail" ]; then
- printf 'pre-commit: paren check failed:\n\n%s' "$paren_fail" >&2
- exit 1
- fi
-fi
-
-exit 0