agent-orchestrator/.husky/pre-commit

41 lines
1.1 KiB
Bash
Executable File

#!/bin/sh
# Gitleaks pre-commit hook
# Scans staged files for secrets before allowing commit
echo "🔒 Scanning staged files for secrets..."
if ! command -v gitleaks > /dev/null 2>&1; then
echo ""
echo "❌ gitleaks is not installed!"
echo ""
echo "Install gitleaks to enable secret scanning:"
echo " macOS: brew install gitleaks"
echo " Linux: See https://github.com/gitleaks/gitleaks#installing"
echo ""
echo "Secret scanning is REQUIRED to prevent credential leaks."
echo "Commit blocked until gitleaks is installed."
echo ""
exit 1
fi
# Run gitleaks on staged files only
gitleaks protect --staged --verbose
if [ $? -ne 0 ]; then
echo ""
echo "❌ Secret(s) detected in staged files!"
echo ""
echo "To fix:"
echo " 1. Remove the secret from the file"
echo " 2. Use environment variables instead: \${SECRET_NAME}"
echo " 3. Add to .env.local (which is in .gitignore)"
echo " 4. Update agent-orchestrator.yaml.example with placeholder values"
echo ""
echo "If this is a false positive, update .gitleaks.toml allowlist"
echo ""
exit 1
fi
echo "✅ No secrets detected"