#!/bin/sh # Gitleaks pre-commit hook # Scans staged files for secrets before allowing commit echo "🔒 Scanning staged files for secrets..." if ! command -v gitleaks > /dev/null 2>&1; then echo "" echo "❌ gitleaks is not installed!" echo "" echo "Install gitleaks to enable secret scanning:" echo " macOS: brew install gitleaks" echo " Linux: See https://github.com/gitleaks/gitleaks#installing" echo "" echo "Secret scanning is REQUIRED to prevent credential leaks." echo "Commit blocked until gitleaks is installed." echo "" exit 1 fi # Run gitleaks on staged files only gitleaks protect --staged --verbose if [ $? -ne 0 ]; then echo "" echo "❌ Secret(s) detected in staged files!" echo "" echo "To fix:" echo " 1. Remove the secret from the file" echo " 2. Use environment variables instead: \${SECRET_NAME}" echo " 3. Add to .env.local (which is in .gitignore)" echo " 4. Update agent-orchestrator.yaml.example with placeholder values" echo "" echo "If this is a false positive, update .gitleaks.toml allowlist" echo "" exit 1 fi echo "✅ No secrets detected"