41 lines
1.1 KiB
Bash
Executable File
41 lines
1.1 KiB
Bash
Executable File
#!/bin/sh
|
|
|
|
# Gitleaks pre-commit hook
|
|
# Scans staged files for secrets before allowing commit
|
|
|
|
echo "🔒 Scanning staged files for secrets..."
|
|
|
|
if ! command -v gitleaks > /dev/null 2>&1; then
|
|
echo ""
|
|
echo "❌ gitleaks is not installed!"
|
|
echo ""
|
|
echo "Install gitleaks to enable secret scanning:"
|
|
echo " macOS: brew install gitleaks"
|
|
echo " Linux: See https://github.com/gitleaks/gitleaks#installing"
|
|
echo ""
|
|
echo "Secret scanning is REQUIRED to prevent credential leaks."
|
|
echo "Commit blocked until gitleaks is installed."
|
|
echo ""
|
|
exit 1
|
|
fi
|
|
|
|
# Run gitleaks on staged files only
|
|
gitleaks protect --staged --verbose
|
|
|
|
if [ $? -ne 0 ]; then
|
|
echo ""
|
|
echo "❌ Secret(s) detected in staged files!"
|
|
echo ""
|
|
echo "To fix:"
|
|
echo " 1. Remove the secret from the file"
|
|
echo " 2. Use environment variables instead: \${SECRET_NAME}"
|
|
echo " 3. Add to .env.local (which is in .gitignore)"
|
|
echo " 4. Update agent-orchestrator.yaml.example with placeholder values"
|
|
echo ""
|
|
echo "If this is a false positive, update .gitleaks.toml allowlist"
|
|
echo ""
|
|
exit 1
|
|
fi
|
|
|
|
echo "✅ No secrets detected"
|