blob: 909cde22b4e93ad8807f952665c6fe6a879e62c2 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
|
#!/usr/bin/env bash
# Pre-commit hook: secret scan + paren validation on staged .el files.
# Use `git commit --no-verify` to bypass for confirmed false positives.
set -u
REPO_ROOT="$(git rev-parse --show-toplevel)"
cd "$REPO_ROOT"
# --- 1. Secret scan ---
# Patterns for common credentials. Scans only added lines in the staged diff.
SECRET_PATTERNS='(AKIA[0-9A-Z]{16}|sk-[a-zA-Z0-9_-]{20,}|-----BEGIN (RSA|DSA|EC|OPENSSH|PGP)( PRIVATE)?( KEY| KEY BLOCK)?-----|(api[_-]?key|api[_-]?secret|auth[_-]?token|secret[_-]?key|bearer[_-]?token|access[_-]?token|password)[[:space:]]*[:=][[:space:]]*["'"'"'][^"'"'"']{16,}["'"'"'])'
secret_hits="$(git diff --cached -U0 --diff-filter=AM \
| grep '^+' | grep -v '^+++' \
| grep -iEn "$SECRET_PATTERNS" || true)"
if [ -n "$secret_hits" ]; then
echo "pre-commit: potential secret in staged changes:" >&2
echo "$secret_hits" >&2
echo "" >&2
echo "Review the lines above. If this is a false positive (test fixture, documentation)," >&2
echo "bypass with: git commit --no-verify" >&2
exit 1
fi
# --- 2. Paren check on staged .el files ---
staged_el="$(git diff --cached --name-only --diff-filter=AM | grep '\.el$' || true)"
if [ -n "$staged_el" ]; then
paren_fail=""
while IFS= read -r f; do
[ -z "$f" ] && continue
[ -f "$f" ] || continue
if ! out="$(emacs --batch --no-site-file --no-site-lisp "$f" \
--eval '(check-parens)' 2>&1)"; then
paren_fail="${paren_fail}${f}:
${out}
"
fi
done <<< "$staged_el"
if [ -n "$paren_fail" ]; then
printf 'pre-commit: paren check failed:\n\n%s' "$paren_fail" >&2
exit 1
fi
fi
exit 0
|
