Add pre-commit hook to detect secrets

Blocks commits containing:
- Private key file headers (RSA/EC/DSA/OPENSSH)
- Plaintext passwords/tokens ≥16 chars
- Gitea/GitHub-style hex tokens
- Files with private key path suffixes (_ed25519, _rsa, etc.)

Allowlisted: Ansible vault variable references ({{ vault_* }}),
encrypted vault blocks ($ANSIBLE_VAULT), and comment lines.

Run scripts/install-hooks.sh after cloning to activate.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Adyrem
2026-05-15 20:03:43 +02:00
parent 7ba68de68d
commit e888560175
2 changed files with 117 additions and 0 deletions
+14
View File
@@ -0,0 +1,14 @@
#!/usr/bin/env bash
# Run once after cloning: ./scripts/install-hooks.sh
set -euo pipefail
REPO_ROOT="$(git rev-parse --show-toplevel)"
HOOKS_SRC="$REPO_ROOT/scripts/hooks"
HOOKS_DST="$REPO_ROOT/.git/hooks"
for hook in "$HOOKS_SRC"/*; do
name=$(basename "$hook")
cp "$hook" "$HOOKS_DST/$name"
chmod +x "$HOOKS_DST/$name"
echo "Installed: .git/hooks/$name"
done