tiamak/salvium-rs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e3af07b1ebab015494c5594a7b5ec65dcfd4d277
salvium-rs/.githooks/pre-commit
T
Matt Hess e3af07b1eb Add fmt + clippy CI checks to pre-commit hook 
- Integrate cargo fmt --check and clippy -Dwarnings into .githooks/pre-commit
  - Matches CI's RUSTFLAGS="-Dwarnings" to catch issues before push
  - Runs before existing secret detection checks
2026-02-25 19:02:06 +00:00

110 lines
3.7 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# Pre-commit hook:
# 1. cargo fmt --check (matches CI)
# 2. cargo clippy -Dwarnings (matches CI RUSTFLAGS)
# 3. Secret detection (mnemonic phrases, hex keys)
#
# Skip with: git commit --no-verify
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[0;33m'
NC='\033[0m'
# ── Rust CI checks ──────────────────────────────────────────────────
echo -e "${YELLOW}pre-commit: checking formatting...${NC}"
if ! cargo fmt --all -- --check 2>/dev/null; then
echo -e "${RED}FAILED:${NC} cargo fmt --all -- --check"
echo -e "Run ${GREEN}cargo fmt --all${NC} to fix, then re-stage and commit."
exit 1
fi
echo -e "${YELLOW}pre-commit: running clippy (-Dwarnings)...${NC}"
if ! RUSTFLAGS="-Dwarnings" cargo clippy --workspace --all-targets 2>&1; then
echo -e "${RED}FAILED:${NC} cargo clippy --workspace --all-targets"
exit 1
fi
echo -e "${GREEN}pre-commit: fmt + clippy passed${NC}"
# ── Secret detection ────────────────────────────────────────────────
echo "Checking for potential secrets..."
# Patterns to detect
PATTERNS=(
# 25-word mnemonic phrases (not obviously fake like "bacon bacon...")
'[a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+'
)
# Allowed fake test patterns (same word repeated)
ALLOWED_PATTERNS=(
"bacon bacon bacon"
"abbey abbey abbey"
"test test test"
"word word word"
)
# Get staged files
STAGED_FILES=$(git diff --cached --name-only --diff-filter=ACM | grep -E '\.(js|ts|json|md|env)$')
if [ -z "$STAGED_FILES" ]; then
exit 0
fi
FOUND_SECRETS=0
for file in $STAGED_FILES; do
# Skip wordlist files
if [[ "$file" == *"wordlist"* ]]; then
continue
fi
# Check for potential 25-word phrases
MATCHES=$(git diff --cached "$file" | grep -E "^\+" | grep -oE "'[a-z]+ [a-z]+ [a-z]+ [a-z]+ [a-z]+[^']*'" | head -5)
for match in $MATCHES; do
# Check if it's an allowed fake pattern
IS_ALLOWED=0
for allowed in "${ALLOWED_PATTERNS[@]}"; do
if echo "$match" | grep -q "$allowed"; then
IS_ALLOWED=1
break
fi
done
# If not allowed and looks like 25 words, flag it
if [ $IS_ALLOWED -eq 0 ]; then
WORD_COUNT=$(echo "$match" | tr -cd ' ' | wc -c)
if [ "$WORD_COUNT" -ge 20 ]; then
echo "WARNING: Potential mnemonic in $file"
echo " $match"
FOUND_SECRETS=1
fi
fi
done
# Check for 64-char hex that looks like a key (not all zeros/ones/test patterns)
HEX_MATCHES=$(git diff --cached "$file" | grep -E "^\+" | grep -oE "['\"][a-f0-9]{64}['\"]" | grep -v "0000000000" | grep -v "ffffffff" | grep -v "01234567" | grep -v "f5f5f5f5" | head -5)
for hex in $HEX_MATCHES; do
# Check if it's in a test file with TEST_ prefix nearby
if ! grep -B2 "$hex" "$file" 2>/dev/null | grep -qE "TEST_|test_|const test|// test"; then
echo "WARNING: Potential secret key in $file"
echo " $hex"
FOUND_SECRETS=1
fi
done
done
if [ $FOUND_SECRETS -eq 1 ]; then
echo ""
echo "Potential secrets detected! Review carefully before committing."
echo "If these are intentional test values, you can bypass with: git commit --no-verify"
echo ""
# Warning only - don't block (use exit 1 to block)
exit 0
fi
echo "No secrets detected."
exit 0
Reference in New Issue View Git Blame Copy Permalink