1 files changed, 48 insertions, 0 deletions

diff --git a/languages/bash/githooks/pre-commit b/languages/bash/githooks/pre-commit
new file mode 100755
index 0000000..e41c41c
--- /dev/null
+++ b/languages/bash/githooks/pre-commit
@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+# Pre-commit hook: secret scan + shellcheck on staged shell files.
+# Use `git commit --no-verify` to bypass for confirmed false positives.
+
+set -u
+
+REPO_ROOT="$(git rev-parse --show-toplevel)"
+cd "$REPO_ROOT" || exit 1
+
+# --- 1. Secret scan ---
+# Patterns for common credentials. Scans only added lines in the staged diff.
+SECRET_PATTERNS='(AKIA[0-9A-Z]{16}|sk-[a-zA-Z0-9_-]{20,}|-----BEGIN (RSA|DSA|EC|OPENSSH|PGP)( PRIVATE)?( KEY| KEY BLOCK)?-----|(api[_-]?key|api[_-]?secret|auth[_-]?token|secret[_-]?key|bearer[_-]?token|access[_-]?token|password)[[:space:]]*[:=][[:space:]]*["'"'"'][^"'"'"']{16,}["'"'"'])'
+
+secret_hits="$(git diff --cached -U0 --diff-filter=AM \
+  | grep '^+' | grep -v '^+++' \
+  | grep -iEn "$SECRET_PATTERNS" || true)"
+
+if [ -n "$secret_hits" ]; then
+  echo "pre-commit: potential secret in staged changes:" >&2
+  echo "$secret_hits" >&2
+  echo "" >&2
+  echo "Review the lines above. If this is a false positive (test fixture, documentation)," >&2
+  echo "bypass with: git commit --no-verify" >&2
+  exit 1
+fi
+
+# --- 2. shellcheck on staged .sh / .bash files ---
+staged_sh="$(git diff --cached --name-only --diff-filter=AM \
+  | grep -E '\.(sh|bash)$' || true)"
+
+if [ -n "$staged_sh" ] && command -v shellcheck >/dev/null 2>&1; then
+  failed=""
+  while IFS= read -r f; do
+    [ -z "$f" ] && continue
+    [ -f "$f" ] || continue
+    if ! shellcheck "$f" >/dev/null 2>&1; then
+      failed="${failed}${f}"$'\n'
+    fi
+  done <<< "$staged_sh"
+
+  if [ -n "$failed" ]; then
+    printf 'pre-commit: shellcheck failed on staged files:\n\n%s\n' "$failed" >&2
+    echo "Run: shellcheck <file> and fix the findings, then re-stage." >&2
+    exit 1
+  fi
+fi
+
+exit 0