testsAndMisc/scripts/check_no_secrets.sh

47 lines
1.4 KiB
Bash
Raw Normal View History

#!/bin/bash
# Pre-commit hook: check that no staged file contains a secret pattern.
# Patterns are read from .secret-patterns (one regex per line, # = comment).
set -euo pipefail
PATTERNS_FILE=".secret-patterns"
if [ ! -f "$PATTERNS_FILE" ]; then
# Try finding it relative to the git root
GIT_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || true)"
if [ -n "$GIT_ROOT" ] && [ -f "$GIT_ROOT/$PATTERNS_FILE" ]; then
PATTERNS_FILE="$GIT_ROOT/$PATTERNS_FILE"
else
echo "Warning: $PATTERNS_FILE not found, skipping secret check."
exit 0
fi
fi
found=0
# Build a temp file with non-comment, non-empty patterns
TMPPATTERNS="$(mktemp)"
trap 'rm -f "$TMPPATTERNS"' EXIT
grep -v '^\s*#' "$PATTERNS_FILE" | grep -v '^\s*$' > "$TMPPATTERNS"
if [ ! -s "$TMPPATTERNS" ]; then
echo "No secret patterns defined in $PATTERNS_FILE, skipping."
exit 0
fi
for file in "$@"; do
# Skip binary files
if file --brief --mime-encoding "$file" 2>/dev/null | grep -q binary; then
continue
fi
if grep -En -f "$TMPPATTERNS" "$file" 2>/dev/null; then
echo "^^^ SECRET PATTERN found in: $file"
found=1
fi
done
if [ "$found" -eq 1 ]; then
echo ""
echo "ERROR: Committed files contain secret patterns from $PATTERNS_FILE"
echo "Either remove the sensitive data or update $PATTERNS_FILE if this is a false positive."
exit 1
fi