blob: e41c41c00065225e523a9ac774da3e63e1f9f198 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
|
#!/usr/bin/env bash
# Pre-commit hook: secret scan + shellcheck on staged shell files.
# Use `git commit --no-verify` to bypass for confirmed false positives.
set -u
REPO_ROOT="$(git rev-parse --show-toplevel)"
cd "$REPO_ROOT" || exit 1
# --- 1. Secret scan ---
# Patterns for common credentials. Scans only added lines in the staged diff.
SECRET_PATTERNS='(AKIA[0-9A-Z]{16}|sk-[a-zA-Z0-9_-]{20,}|-----BEGIN (RSA|DSA|EC|OPENSSH|PGP)( PRIVATE)?( KEY| KEY BLOCK)?-----|(api[_-]?key|api[_-]?secret|auth[_-]?token|secret[_-]?key|bearer[_-]?token|access[_-]?token|password)[[:space:]]*[:=][[:space:]]*["'"'"'][^"'"'"']{16,}["'"'"'])'
secret_hits="$(git diff --cached -U0 --diff-filter=AM \
| grep '^+' | grep -v '^+++' \
| grep -iEn "$SECRET_PATTERNS" || true)"
if [ -n "$secret_hits" ]; then
echo "pre-commit: potential secret in staged changes:" >&2
echo "$secret_hits" >&2
echo "" >&2
echo "Review the lines above. If this is a false positive (test fixture, documentation)," >&2
echo "bypass with: git commit --no-verify" >&2
exit 1
fi
# --- 2. shellcheck on staged .sh / .bash files ---
staged_sh="$(git diff --cached --name-only --diff-filter=AM \
| grep -E '\.(sh|bash)$' || true)"
if [ -n "$staged_sh" ] && command -v shellcheck >/dev/null 2>&1; then
failed=""
while IFS= read -r f; do
[ -z "$f" ] && continue
[ -f "$f" ] || continue
if ! shellcheck "$f" >/dev/null 2>&1; then
failed="${failed}${f}"$'\n'
fi
done <<< "$staged_sh"
if [ -n "$failed" ]; then
printf 'pre-commit: shellcheck failed on staged files:\n\n%s\n' "$failed" >&2
echo "Run: shellcheck <file> and fix the findings, then re-stage." >&2
exit 1
fi
fi
exit 0
|
