pyr0ball
d8fb9eb5f6
- Quote $CONFIG_ARG in pre-commit and pre-push to prevent word-splitting on paths with spaces or special characters - Add `git rev-parse HEAD` guard in pre-push so gitleaks is skipped on repos with no commits yet (gitleaks git exits non-zero on empty history) - Expand pre-push header comment to document the empty-repo skip and note the full-history scan tradeoff for large repos
30 lines
1.1 KiB
Bash
Executable file
30 lines
1.1 KiB
Bash
Executable file
#!/usr/bin/env bash
|
|
# pre-push — scan full branch history not yet on remote
|
|
# Safety net: catches secrets in full branch history.
|
|
# Skips on empty repos (no commits yet). For large repos this scans all history — acceptable
|
|
# for CircuitForge repo sizes; switch to range scanning if it becomes slow.
|
|
set -euo pipefail
|
|
|
|
HOOKS_REPO="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
|
|
BASE_CONFIG="$HOOKS_REPO/gitleaks.toml"
|
|
REPO_ROOT="$(git rev-parse --show-toplevel)"
|
|
REPO_CONFIG="$REPO_ROOT/.gitleaks.toml"
|
|
|
|
if ! command -v gitleaks &>/dev/null; then
|
|
echo "ERROR: gitleaks not found. Install with: sudo apt-get install gitleaks"
|
|
exit 1
|
|
fi
|
|
|
|
CONFIG_ARG="--config=$BASE_CONFIG"
|
|
[[ -f "$REPO_CONFIG" ]] && CONFIG_ARG="--config=$REPO_CONFIG"
|
|
|
|
# Skip scan on empty repo (no commits yet) — gitleaks git exits non-zero with nothing to scan
|
|
git rev-parse HEAD &>/dev/null || exit 0
|
|
|
|
if ! gitleaks git "$CONFIG_ARG" --redact 2>&1; then
|
|
echo ""
|
|
echo "Push blocked: secrets or PII found in branch history."
|
|
echo "Use git-filter-repo to scrub, then force-push."
|
|
echo "See: https://github.com/newren/git-filter-repo"
|
|
exit 1
|
|
fi
|