aboutsummaryrefslogtreecommitdiff
path: root/languages/go/githooks/pre-commit
blob: a6297c8a2a8d1e567f20999e0ec7134827c863db (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
#!/usr/bin/env bash
# Pre-commit hook: secret scan + gofmt check on staged .go files.
# Use `git commit --no-verify` to bypass for confirmed false positives.

set -u

REPO_ROOT="$(git rev-parse --show-toplevel)"
cd "$REPO_ROOT"

# --- 1. Secret scan ---
# Patterns for common credentials. Scans only added lines in the staged diff.
#
# Two passes because case-sensitivity differs. AWS keys are uppercase, sk- keys
# lowercase, PEM headers fixed, so those match case-SENSITIVELY: under -i,
# AKIA[0-9A-Z]{16} matches any mixed-case 20-char run, which random base64 in an
# embedded image blob hits ~6% of the time per 100KB and blocks real commits.
# Only the keyword=value patterns need -i.
SECRET_PATTERNS_CS='(AKIA[0-9A-Z]{16}|sk-[a-zA-Z0-9_-]{20,}|-----BEGIN (RSA|DSA|EC|OPENSSH|PGP)( PRIVATE)?( KEY| KEY BLOCK)?-----)'
SECRET_PATTERNS_CI='(api[_-]?key|api[_-]?secret|auth[_-]?token|secret[_-]?key|bearer[_-]?token|access[_-]?token|password)[[:space:]]*[:=][[:space:]]*["'"'"'][^"'"'"']{16,}["'"'"']'

added_lines="$(git diff --cached -U0 --diff-filter=AM \
  | grep '^+' | grep -v '^+++' || true)"

cs_hits="$(printf '%s\n' "$added_lines" | grep -nE  "$SECRET_PATTERNS_CS" || true)"
ci_hits="$(printf '%s\n' "$added_lines" | grep -niE "$SECRET_PATTERNS_CI" || true)"
# awk dedupes lines both passes matched, keeping first-seen order.
secret_hits="$(printf '%s\n%s' "$cs_hits" "$ci_hits" \
  | grep -v '^[[:space:]]*$' | awk '!seen[$0]++' || true)"

if [ -n "$secret_hits" ]; then
  echo "pre-commit: potential secret in staged changes:" >&2
  echo "$secret_hits" >&2
  echo "" >&2
  echo "Review the lines above. If this is a false positive (test fixture, documentation)," >&2
  echo "bypass with: git commit --no-verify" >&2
  exit 1
fi

# --- 2. gofmt check on staged .go files ---
# gofmt -l lists files that aren't gofmt-clean. Skip generated and vendored
# files the same way the rest of the toolchain does.
staged_go="$(git diff --cached --name-only --diff-filter=AM \
  | grep '\.go$' \
  | grep -vE '(^|/)vendor/' || true)"

if [ -n "$staged_go" ] && command -v gofmt >/dev/null 2>&1; then
  unformatted=""
  while IFS= read -r f; do
    [ -z "$f" ] && continue
    [ -f "$f" ] || continue
    if [ -n "$(gofmt -l "$f" 2>/dev/null)" ]; then
      unformatted="${unformatted}${f}"$'\n'
    fi
  done <<< "$staged_go"

  if [ -n "$unformatted" ]; then
    printf 'pre-commit: gofmt check failed — these files need `gofmt -w`:\n\n%s\n' "$unformatted" >&2
    echo "Run: gofmt -w <file> (or your editor's format-on-save), then re-stage." >&2
    exit 1
  fi
fi

exit 0