Add pre-commit hook to detect secrets
Blocks commits containing:
- Private key file headers (RSA/EC/DSA/OPENSSH)
- Plaintext passwords/tokens ≥16 chars
- Gitea/GitHub-style hex tokens
- Files with private key path suffixes (_ed25519, _rsa, etc.)
Allowlisted: Ansible vault variable references ({{ vault_* }}),
encrypted vault blocks ($ANSIBLE_VAULT), and comment lines.
Run scripts/install-hooks.sh after cloning to activate.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Executable
+14
@@ -0,0 +1,14 @@
|
||||
#!/usr/bin/env bash
|
||||
# Run once after cloning: ./scripts/install-hooks.sh
|
||||
set -euo pipefail
|
||||
|
||||
REPO_ROOT="$(git rev-parse --show-toplevel)"
|
||||
HOOKS_SRC="$REPO_ROOT/scripts/hooks"
|
||||
HOOKS_DST="$REPO_ROOT/.git/hooks"
|
||||
|
||||
for hook in "$HOOKS_SRC"/*; do
|
||||
name=$(basename "$hook")
|
||||
cp "$hook" "$HOOKS_DST/$name"
|
||||
chmod +x "$HOOKS_DST/$name"
|
||||
echo "Installed: .git/hooks/$name"
|
||||
done
|
||||
Reference in New Issue
Block a user