40 lines
1.1 KiB
Bash
Executable File
40 lines
1.1 KiB
Bash
Executable File
#!/bin/bash
|
|
# Install git hooks for this project
|
|
set -e
|
|
|
|
HOOK_DIR="$(git rev-parse --show-toplevel)/.git/hooks"
|
|
mkdir -p "$HOOK_DIR"
|
|
|
|
# --- pre-commit hook: secret scanning with gitleaks ---
|
|
cat > "$HOOK_DIR/pre-commit" << 'HOOK'
|
|
#!/bin/bash
|
|
# Pre-commit hook — scans staged files for secrets using gitleaks
|
|
|
|
if ! command -v gitleaks >/dev/null 2>&1; then
|
|
echo ""
|
|
echo "⚠️ gitleaks is not installed — skipping secret scan"
|
|
echo " Install: brew install gitleaks (macOS)"
|
|
echo " Or: curl -sSL https://github.com/gitleaks/gitleaks/releases/latest/download/gitleaks_\$(uname -s)_\$(uname -m).tar.gz | sudo tar -xz -C /usr/local/bin gitleaks"
|
|
echo ""
|
|
exit 0
|
|
fi
|
|
|
|
echo "🔒 Scanning for secrets..."
|
|
|
|
if gitleaks protect --staged --no-banner 2>/dev/null; then
|
|
echo "✅ No secrets detected"
|
|
exit 0
|
|
else
|
|
echo ""
|
|
echo "❌ Secrets detected in staged changes — commit blocked"
|
|
echo ""
|
|
echo " Details: gitleaks protect --staged --verbose"
|
|
echo " Bypass: git commit --no-verify"
|
|
echo ""
|
|
exit 1
|
|
fi
|
|
HOOK
|
|
|
|
chmod +x "$HOOK_DIR/pre-commit"
|
|
echo "✅ Pre-commit hook installed (.git/hooks/pre-commit)"
|