diff options
| author | Craig Jennings <c@cjennings.net> | 2026-06-23 21:13:26 -0400 |
|---|---|---|
| committer | Craig Jennings <c@cjennings.net> | 2026-06-23 21:13:26 -0400 |
| commit | 36262858461711bcb104896007a513691113fee8 (patch) | |
| tree | 333cc7ea0998c43c2b6af76aa6eeb1ee3d0b0f2c /languages/bash/githooks | |
| parent | 71db71b9d47ffbeaf1d1c859fa3e3bebb7b2ea29 (diff) | |
| download | rulesets-36262858461711bcb104896007a513691113fee8.tar.gz rulesets-36262858461711bcb104896007a513691113fee8.zip | |
feat(languages): add bash/shell bundle
Shell-heavy projects had no bundle that fit. archangel and archsetup are bash repos, and installing elisp or python gave them the wrong language rules. I added languages/bash on the go bundle's shape.
The bundle ships bash.md and bash-testing.md rules, a PostToolUse hook that runs shellcheck on edited shell files and blocks on a violation, a shellcheck pre-commit githook, settings.json wiring, gitignore-add.txt, and a "Bash/shell project" CLAUDE.md. The hook covers .sh, .bash, and extensionless files with a shell shebang, since the CLI tools that fill a shell repo carry no extension. shellcheck is the gate. shfmt stays out of the blocking path because shell has no canonical formatting style, and forcing tabs-vs-spaces would impose a contested choice. Both the hook and the githook are shellcheck-clean against their own rule.
I extended the Makefile test target to discover languages/*/tests/*.bats, so the bundle's 8 hook tests run with the rest of the suite. The README bundle table was stale, listing elisp only. I corrected it to the five bundles now shipping.
Diffstat (limited to 'languages/bash/githooks')
| -rwxr-xr-x | languages/bash/githooks/pre-commit | 48 |
1 files changed, 48 insertions, 0 deletions
diff --git a/languages/bash/githooks/pre-commit b/languages/bash/githooks/pre-commit new file mode 100755 index 0000000..e41c41c --- /dev/null +++ b/languages/bash/githooks/pre-commit @@ -0,0 +1,48 @@ +#!/usr/bin/env bash +# Pre-commit hook: secret scan + shellcheck on staged shell files. +# Use `git commit --no-verify` to bypass for confirmed false positives. + +set -u + +REPO_ROOT="$(git rev-parse --show-toplevel)" +cd "$REPO_ROOT" || exit 1 + +# --- 1. Secret scan --- +# Patterns for common credentials. Scans only added lines in the staged diff. +SECRET_PATTERNS='(AKIA[0-9A-Z]{16}|sk-[a-zA-Z0-9_-]{20,}|-----BEGIN (RSA|DSA|EC|OPENSSH|PGP)( PRIVATE)?( KEY| KEY BLOCK)?-----|(api[_-]?key|api[_-]?secret|auth[_-]?token|secret[_-]?key|bearer[_-]?token|access[_-]?token|password)[[:space:]]*[:=][[:space:]]*["'"'"'][^"'"'"']{16,}["'"'"'])' + +secret_hits="$(git diff --cached -U0 --diff-filter=AM \ + | grep '^+' | grep -v '^+++' \ + | grep -iEn "$SECRET_PATTERNS" || true)" + +if [ -n "$secret_hits" ]; then + echo "pre-commit: potential secret in staged changes:" >&2 + echo "$secret_hits" >&2 + echo "" >&2 + echo "Review the lines above. If this is a false positive (test fixture, documentation)," >&2 + echo "bypass with: git commit --no-verify" >&2 + exit 1 +fi + +# --- 2. shellcheck on staged .sh / .bash files --- +staged_sh="$(git diff --cached --name-only --diff-filter=AM \ + | grep -E '\.(sh|bash)$' || true)" + +if [ -n "$staged_sh" ] && command -v shellcheck >/dev/null 2>&1; then + failed="" + while IFS= read -r f; do + [ -z "$f" ] && continue + [ -f "$f" ] || continue + if ! shellcheck "$f" >/dev/null 2>&1; then + failed="${failed}${f}"$'\n' + fi + done <<< "$staged_sh" + + if [ -n "$failed" ]; then + printf 'pre-commit: shellcheck failed on staged files:\n\n%s\n' "$failed" >&2 + echo "Run: shellcheck <file> and fix the findings, then re-stage." >&2 + exit 1 + fi +fi + +exit 0 |