From d8fb9eb5f6f369457afd599b782b696154e8cd4a Mon Sep 17 00:00:00 2001
From: pyr0ball
Date: Sat, 7 Mar 2026 12:40:35 -0800
Subject: [PATCH] fix(hooks): quote CONFIG_ARG, guard pre-push against empty repos

- Quote $CONFIG_ARG in pre-commit and pre-push to prevent word-splitting on paths with spaces or special characters
- Add `git rev-parse HEAD` guard in pre-push so gitleaks is skipped on repos with no commits yet (gitleaks git exits non-zero on empty history)
- Expand pre-push header comment to document the empty-repo skip and note the full-history scan tradeoff for large repos
---
 hooks/pre-commit | 2 +-
 hooks/pre-push | 9 +++++++--
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/hooks/pre-commit b/hooks/pre-commit
index f797292..5ae490e 100755
--- a/hooks/pre-commit
+++ b/hooks/pre-commit
@@ -16,7 +16,7 @@ fi
 CONFIG_ARG="--config=$BASE_CONFIG"
 [[ -f "$REPO_CONFIG" ]] && CONFIG_ARG="--config=$REPO_CONFIG"
-if ! gitleaks protect --staged $CONFIG_ARG --redact 2>&1; then
+if ! gitleaks protect --staged "$CONFIG_ARG" --redact 2>&1; then
 echo ""
 echo "Commit blocked: secrets or PII detected in staged changes."
 echo "Review above, remove the sensitive value, then re-stage and retry."
diff --git a/hooks/pre-push b/hooks/pre-push
index 3cee0db..2c4b601 100755
--- a/hooks/pre-push
+++ b/hooks/pre-push
@@ -1,6 +1,8 @@
 #!/usr/bin/env bash
 # pre-push — scan full branch history not yet on remote
-# Safety net: catches anything committed with --no-verify or before hooks were wired
+# Safety net: catches secrets in full branch history.
+# Skips on empty repos (no commits yet). For large repos this scans all history — acceptable
+# for CircuitForge repo sizes; switch to range scanning if it becomes slow.
 set -euo pipefail
 HOOKS_REPO="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
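Review bot: The value now correctly quoted as `"$CONFIG_ARG"` may be the repo-local config alone, because the preceding context line replaces `$BASE_CONFIG` with `$REPO_CONFIG` whenever that file exists, so a repo-committed config can allowlist exactly what the baseline is meant to catch and silence both hooks; the same assignment appears in the pre-push hunk. Consider keeping the baseline authoritative, for example by having the repo config `[extend]` the base rather than supersede it, and documenting that expectation in a comment beside the assignment, e.g. `# Repo config overrides the baseline entirely — it must extend, not weaken, the base rules`. Separately, this hook still calls the legacy `protect --staged` form while pre-push calls `gitleaks git`; if the installed gitleaks is recent enough to provide `git`, `protect` is deprecated there and the two hooks may drift apart in behaviour. The enclosing `if` body continues past the hunk.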
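Review bot: The header's second line still reads `scan full branch history not yet on remote`, while the new lines directly under it state that the hook scans all history, so the two sentences now contradict each other; change the title line to `# pre-push — scan full branch history before pushing` or similar so it agrees with the tradeoff note. The removed line's point that this hook is the safety net for commits made with `--no-verify` or before the hooks were wired is useful context that the rewrite drops; consider keeping it, e.g. `# Safety net: catches secrets committed with --no-verify or before hooks were wired.`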
@@ -16,7 +18,10 @@ fi
 CONFIG_ARG="--config=$BASE_CONFIG"
 [[ -f "$REPO_CONFIG" ]] && CONFIG_ARG="--config=$REPO_CONFIG"
-if ! gitleaks git $CONFIG_ARG --redact 2>&1; then
+# Skip scan on empty repo (no commits yet) — gitleaks git exits non-zero with nothing to scan
+git rev-parse HEAD &>/dev/null || exit 0
+
+if ! gitleaks git "$CONFIG_ARG" --redact 2>&1; then
 echo ""
 echo "Push blocked: secrets or PII found in branch history."
 echo "Use git-filter-repo to scrub, then force-push."
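Review bot: `git rev-parse HEAD &>/dev/null || exit 0` turns any git failure into a silent pass of the push, not only the unborn-branch case the comment describes: a corrupt object store, a `safe.directory` ownership refusal, or git missing from PATH all make the hook exit 0 without scanning and without printing anything. Prefer `git rev-parse --verify --quiet HEAD >/dev/null || { echo "pre-push: no commits yet, skipping gitleaks scan" >&2; exit 0; }` so the skip is at least visible in the push output, and consider failing closed with a non-zero exit when `git rev-parse --git-dir` itself fails, since that is not an empty repo. The `&>` redirection is fine under the bash shebang but is not POSIX; worth a short comment if the hook could ever be invoked through sh. The enclosing `if` body continues past the hunk.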