- Quote $CONFIG_ARG in pre-commit and pre-push to prevent word-splitting on paths with spaces or special characters - Add `git rev-parse HEAD` guard in pre-push so gitleaks is skipped on repos with no commits yet (gitleaks git exits non-zero on empty history) - Expand pre-push header comment to document the empty-repo skip and note the full-history scan tradeoff for large repos
25 lines
920 B
Bash
Executable file
25 lines
920 B
Bash
Executable file
#!/usr/bin/env bash
|
|
# pre-commit — scan staged diff for secrets + PII via gitleaks
|
|
set -euo pipefail
|
|
|
|
HOOKS_REPO="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
|
|
BASE_CONFIG="$HOOKS_REPO/gitleaks.toml"
|
|
REPO_ROOT="$(git rev-parse --show-toplevel)"
|
|
REPO_CONFIG="$REPO_ROOT/.gitleaks.toml"
|
|
|
|
if ! command -v gitleaks &>/dev/null; then
|
|
echo "ERROR: gitleaks not found. Install with: sudo apt-get install gitleaks"
|
|
echo " or: https://github.com/gitleaks/gitleaks#installing"
|
|
exit 1
|
|
fi
|
|
|
|
CONFIG_ARG="--config=$BASE_CONFIG"
|
|
[[ -f "$REPO_CONFIG" ]] && CONFIG_ARG="--config=$REPO_CONFIG"
|
|
|
|
if ! gitleaks protect --staged "$CONFIG_ARG" --redact 2>&1; then
|
|
echo ""
|
|
echo "Commit blocked: secrets or PII detected in staged changes."
|
|
echo "Review above, remove the sensitive value, then re-stage and retry."
|
|
echo "If this is a false positive, add an allowlist entry to .gitleaks.toml"
|
|
exit 1
|
|
fi
|
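Review bot: The repo-local `.gitleaks.toml` at L52–L55 fully replaces the shared base config rather than extending it, so a single permissive allowlist committed to the repo silently drops every rule in `$HOOKS_REPO/gitleaks.toml`; the hint at L72 even steers users toward creating that file without saying so. Suggest a comment above L52 such as `# A repo-local .gitleaks.toml REPLACES the base config; it should use [extend] path = "<path-to-base>" to keep the shared rules` and extending the L72 message accordingly, e.g. `echo "If this is a false positive, add an allowlist entry to .gitleaks.toml (use [extend] so the base rules are kept)"`. Separately, the diagnostics at L38–L41 and L63–L72 go to stdout; as hook output they should be sent to stderr with `>&2` so they are not swallowed when the hook's stdout is redirected.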