maybe good
116
scripts/git-pre-commit-hook
Executable file
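--- a/scripts/git-pre-commit-hook
+++ b/scripts/git-pre-commit-hook
@@ -0,0 +1,116 @@
+#!/bin/bash
+# Pre-commit hook for Delphi Consulting Group Database System
+# Prevents committing sensitive files and data
+#
+# To install: ln -s ../../scripts/git-pre-commit-hook .git/hooks/pre-commit
+
+set -e
+
+# Colors for output
+RED='\033[0;31m'
+YELLOW='\033[1;33m'
+GREEN='\033[0;32m'
+NC='\033[0m' # No Color
+
+echo -e "${GREEN}🔍 Running security pre-commit checks...${NC}"
+
+# Flag to track if any issues found
+ISSUES_FOUND=0
+
+# Function to report security issue
+report_issue() {
+echo -e "${RED}❌ SECURITY ISSUE: $1${NC}"
+ISSUES_FOUND=1
+}
+
+# Function to report warning
+report_warning() {
+echo -e "${YELLOW}⚠️ WARNING: $1${NC}"
+}
+
+# Check for .env files
+if git diff --cached --name-only | grep -E "\.env$|\.env\." > /dev/null; then
+report_issue "Environment files (.env) contain secrets and should not be committed!"
+echo " Files: $(git diff --cached --name-only | grep -E "\.env$|\.env\.")"
+fi
+
+# Check for database files
+if git diff --cached --name-only | grep -E "\.(db|sqlite|sqlite3)$" > /dev/null; then
+report_issue "Database files contain sensitive data and should not be committed!"
+echo " Files: $(git diff --cached --name-only | grep -E "\.(db|sqlite|sqlite3)$")"
+fi
+
+# Check for backup files
+if git diff --cached --name-only | grep -E "\.(backup|bak|dump)$|backups/" > /dev/null; then
+report_issue "Backup files may contain sensitive data and should not be committed!"
+echo " Files: $(git diff --cached --name-only | grep -E "\.(backup|bak|dump)$|backups/")"
+fi
+
+# Check for SSL certificates and keys
+if git diff --cached --name-only | grep -E "\.(pem|key|crt|cert|p12|pfx)$" > /dev/null; then
+report_issue "SSL certificates and private keys should not be committed!"
+echo " Files: $(git diff --cached --name-only | grep -E "\.(pem|key|crt|cert|p12|pfx)$")"
+fi
+
+# Check for upload directories
+if git diff --cached --name-only | grep -E "uploads/|user-uploads/" > /dev/null; then
+report_issue "Upload directories may contain sensitive user documents!"
+echo " Files: $(git diff --cached --name-only | grep -E "uploads/|user-uploads/")"
+fi
+
+# Check for local configuration files
+if git diff --cached --name-only | grep -E "\-local\.|config\.local|settings\.local" > /dev/null; then
+report_warning "Local configuration files detected - ensure they don't contain secrets"
+echo " Files: $(git diff --cached --name-only | grep -E "\-local\.|config\.local|settings\.local")"
+fi
+
+# Check for common secret patterns in staged files
+SECRET_PATTERNS=(
+"password\s*=\s*['\"][^'\"]+['\"]"
+"api_key\s*=\s*['\"][^'\"]+['\"]"
+"secret_key\s*=\s*['\"][^'\"]+['\"]"
+"token\s*=\s*['\"][^'\"]+['\"]"
+"-----BEGIN (RSA )?PRIVATE KEY-----"
+"-----BEGIN CERTIFICATE-----"
+)
+
+for pattern in "${SECRET_PATTERNS[@]}"; do
+if git diff --cached | grep -qiE "$pattern"; then
+report_warning "Potential secret detected in staged changes"
+echo " Pattern: $pattern"
+echo " Review your changes carefully!"
+fi
+done
+
+# Check for large files (may be database dumps or uploads)
+LARGE_FILES=$(git diff --cached --name-only | xargs -I {} stat -f%z {} 2>/dev/null | awk '$1 > 1048576 {count++} END {print count+0}')
+if [ "$LARGE_FILES" -gt 0 ]; then
+report_warning "$LARGE_FILES large files detected (>1MB) - ensure they're not sensitive data"
+fi
+
+# Check for Python cache files (should be in .gitignore but double-check)
+if git diff --cached --name-only | grep -E "__pycache__|\.pyc$" > /dev/null; then
+report_warning "Python cache files detected - these should be in .gitignore"
+echo " Files: $(git diff --cached --name-only | grep -E "__pycache__|\.pyc$")"
+fi
+
+# If any security issues found, prevent commit
+if [ $ISSUES_FOUND -eq 1 ]; then
+echo -e "${RED}🚫 COMMIT BLOCKED: Security issues detected!${NC}"
+echo ""
+echo "To fix:"
+echo "1. Remove sensitive files from staging: git reset HEAD <filename>"
+echo "2. Add files to .gitignore if needed"
+echo "3. Use environment variables for secrets"
+echo "4. Run: python scripts/setup-security.py for proper configuration"
+echo ""
+echo "To bypass this check (NOT RECOMMENDED): git commit --no-verify"
+exit 1
+fi
+
+# Show summary
+echo -e "${GREEN}✅ Pre-commit security checks passed!${NC}"
+echo "📝 Staged files: $(git diff --cached --name-only | wc -l)"
+
+# Success - allow commit to proceed
+exit 0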
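Review bot: The content scan over SECRET_PATTERNS only calls report_warning, so a staged diff containing `-----BEGIN (RSA )?PRIVATE KEY-----` never sets ISSUES_FOUND and the commit goes through, which contradicts the header's "Prevents committing sensitive files and data" — a private key whose file does not end in .pem/.key slips past the filename check on the line above it too. Escalate at least the PEM patterns inside the loop: `if [[ "$pattern" == *"PRIVATE KEY"* ]]; then report_issue "Private key material detected in staged changes"; else report_warning "Potential secret detected in staged changes"; fi`. The large-file count uses `stat -f%z`, the BSD/macOS form; on GNU coreutils `-f` selects filesystem mode, and since stderr goes to /dev/null the awk tally silently becomes 0 on Linux — `git diff --cached --numstat` or `git cat-file -s` would be portable, though I have not confirmed which platforms the repo targets. Every `git diff --cached --name-only` call also lists staged deletions, so removing a committed `.env` is itself blocked; adding `--diff-filter=ACMR` to those calls avoids that false positive.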