vrr/Pulse
2
0
Fork 0
mirror of https://github.com/rcourtman/Pulse.git synced 2026-04-28 11:30:15 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
Pulse/.husky/pre-commit
rcourtman 07afa94d19 feat(security): add gitleaks secret scanning to pre-commit hook and CI 
Add three layers of secret leak prevention:

1. .gitleaks.toml — config extending the default ruleset (~150 rules for
   AWS, GCP, Stripe, OpenAI, private keys, JWTs, etc.) with allowlists
   tuned to suppress false positives from test fixtures and docs.

2. .husky/pre-commit — enhanced with gitleaks protect --staged (graceful
   skip if not installed), sensitive file type blocking (.pem, .key, .enc,
   id_rsa, etc.), and broadened fallback patterns covering AWS, OpenAI,
   GCP, and private key headers alongside existing Stripe checks.

3. .github/workflows/build-and-test.yml — new secret-scan CI job using
   gitleaks-action that runs in parallel with build on every push/PR,
   serving as the last gate if someone bypasses local hooks.
2026-02-04 09:52:54 +00:00

86 lines
3.2 KiB
Bash
Executable file
Raw Blame History

#!/usr/bin/env sh
. "$(dirname -- "$0")/_/husky.sh"
# Pre-commit hook to prevent committing restricted or sensitive data
RESTRICTED_FILES="active_subs.json charges.json customers.json subscriptions.json"
echo "Running sensitivity check..."
for file in $RESTRICTED_FILES; do
if git diff --cached --name-only | grep -q "^${file}$"; then
echo "BLOCKED: restricted file pattern matched: ${file}"
exit 1
fi
done
# Block sensitive file types from ever being committed
SENSITIVE_EXTENSIONS="\.pem$|\.p12$|\.pfx$|\.key$|\.keystore$|\.jks$|\.enc$|id_rsa$|id_ed25519$|id_ecdsa$"
if git diff --cached --name-only | grep -qE "$SENSITIVE_EXTENSIONS"; then
echo "BLOCKED: sensitive file type staged for commit:"
git diff --cached --name-only | grep -E "$SENSITIVE_EXTENSIONS"
echo "If this is intentional (e.g. a template), use: git commit --no-verify"
exit 1
fi
# Gitleaks: comprehensive secret scanning (gracefully skips if not installed)
if command -v gitleaks >/dev/null 2>&1; then
echo "Running gitleaks secret scan..."
if ! gitleaks protect --staged --config .gitleaks.toml --no-banner 2>/dev/null; then
echo "BLOCKED: gitleaks detected secrets in staged changes."
echo "Run 'gitleaks protect --staged --verbose' for details."
exit 1
fi
echo "Gitleaks scan passed."
else
# Fallback: broader pattern check when gitleaks is not installed
# Covers Stripe, AWS, GCP, OpenAI, private keys, and generic high-entropy tokens
STAGED_DIFF=$(git diff --cached | grep -E "^\+" | grep -v ".husky/pre-commit" | grep -v "_test\.go")
if echo "$STAGED_DIFF" | grep -qE "(cus_|sub_|ch_|pi_|pm_|sk_live_|sk_test_|rk_live_|rk_test_|whsec_)"; then
echo "WARNING: Potential Stripe identifiers found in staged changes."
echo " Use 'git diff --cached' to review before proceeding."
if [ -t 0 ]; then
printf " Proceed anyway? (y/N): "
read REPLY < /dev/tty
echo
if [ "$REPLY" != "y" ] && [ "$REPLY" != "Y" ]; then
exit 1
fi
else
exit 1
fi
fi
if echo "$STAGED_DIFF" | grep -qE "(AKIA[0-9A-Z]{16}|-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----|sk-[a-zA-Z0-9]{20,}|AIza[0-9A-Za-z_-]{35})"; then
echo "BLOCKED: Likely secret detected in staged changes (AWS key, private key, or API key)."
echo " Use 'git diff --cached' to review."
echo " Install gitleaks for more precise scanning: brew install gitleaks"
exit 1
fi
fi
echo "Sensitivity check passed."
# Run Go formatting
echo "Running Go formatter..."
gofmt -w -s .
# Run Go linting (if golangci-lint is available)
if command -v golangci-lint >/dev/null 2>&1; then
echo "Running golangci-lint..."
golangci-lint run ./...
fi
# Run frontend linting (if package.json has lint script)
if [ -f frontend-modern/package.json ]; then
echo "Running frontend linter..."
cd frontend-modern
npm run lint --if-present || true
cd ..
fi
# Re-stage only files that were already staged (to pick up formatter changes)
# This avoids accidentally committing unrelated work-in-progress files
git diff --cached --name-only -z | xargs -0 -r git add
echo "Pre-commit checks passed!"
Reference in a new issue View git blame Copy permalink