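#!/bin/bash
# Pre-commit hook for Delphi Consulting Group Database System
# Prevents committing sensitive files and data
#
# To install: ln -s ../../scripts/git-pre-commit-hook .git/hooks/pre-commit
#
# Exit status: 0 when the commit may proceed, 1 when a blocking issue was
# found. Warnings are printed but never block the commit.
#
# Only added/copied/modified/renamed paths are inspected: deleting a file
# from the index cannot leak data, and the old behaviour of blocking the
# removal of a stray .env file got in the way of the remediation itself.
set -eo pipefail

# Colors for output
readonly RED='\033[0;31m'
readonly YELLOW='\033[1;33m'
readonly GREEN='\033[0;32m'
readonly NC='\033[0m' # No Color

# Staged blobs larger than this (bytes, 1 MiB) are reported as "large".
readonly LARGE_FILE_BYTES=1048576

# Flag to track if any blocking issues were found
ISSUES_FOUND=0

#######################################
# Print a blocking security issue and mark the commit as rejected.
# Globals:   ISSUES_FOUND (written)
# Arguments: $1 - message
# Outputs:   the message, colored, to stdout
#######################################
report_issue() {
  # %b expands the escape sequences in the color constants; the message
  # itself goes through %s so it is never interpreted as a format string.
  printf '%b❌ SECURITY ISSUE: %s%b\n' "$RED" "$1" "$NC"
  ISSUES_FOUND=1
}

#######################################
# Print a non-blocking warning.
# Arguments: $1 - message
# Outputs:   the message, colored, to stdout
#######################################
report_warning() {
  printf '%b⚠️ WARNING: %s%b\n' "$YELLOW" "$1" "$NC"
}

#######################################
# List staged paths (one per line) whose name matches an ERE.
# Arguments: $1 - extended regular expression
# Outputs:   matching paths to stdout
# Returns:   0 when at least one path matched, non-zero otherwise
#######################################
staged_matching() {
  # '--' keeps a pattern that starts with '-' from being read as an option.
  git diff --cached --name-only --diff-filter=ACMR | grep -E -- "$1"
}

#######################################
# Print the file list that accompanies an issue or warning.
# Arguments: $1 - newline-separated list of paths
# Outputs:   the list, one indented path per line, to stdout
#######################################
print_file_list() {
  local f
  echo "   Files:"
  while IFS= read -r f; do
    printf '     %s\n' "$f"
  done <<<"$1"
}

#######################################
# Report a blocking issue when any staged path matches a pattern.
# Arguments: $1 - ERE matching forbidden paths
#            $2 - message explaining why they are forbidden
#######################################
check_blocked_paths() {
  local files
  # Assignment and test are combined so a non-match does not trip set -e.
  if files=$(staged_matching "$1"); then
    report_issue "$2"
    print_file_list "$files"
  fi
}

#######################################
# Report a warning when any staged path matches a pattern.
# Arguments: $1 - ERE matching suspicious paths
#            $2 - warning message
#######################################
check_warned_paths() {
  local files
  if files=$(staged_matching "$1"); then
    report_warning "$2"
    print_file_list "$files"
  fi
}

#######################################
# Print the added lines of the staged diff (leading '+' kept).
# The '+++ b/<path>' file headers are dropped so paths are not scanned as
# content; removed lines are not scanned, since deleting a secret from a
# file is not a leak.
# Outputs:   added diff lines to stdout
#######################################
staged_added_lines() {
  git diff --cached --diff-filter=ACMR --unified=0 \
    | grep -E '^\+' \
    | grep -vE '^\+\+\+ '
}

#######################################
# Count staged blobs larger than LARGE_FILE_BYTES.
# Sizes are taken from the index (git cat-file -s :path), not the working
# tree, so the check measures exactly what would be committed and does not
# depend on BSD-vs-GNU stat flags (the old 'stat -f%z' is BSD/macOS only and
# silently reported 0 large files elsewhere).
# Globals:   LARGE_FILE_BYTES (read)
# Outputs:   the count to stdout
#######################################
count_large_staged_files() {
  local path size count=0
  # -z / read -d '' keeps paths containing spaces or newlines intact.
  while IFS= read -r -d '' path; do
    size=$(git cat-file -s ":$path" 2>/dev/null) || continue
    if (( size > LARGE_FILE_BYTES )); then
      count=$((count + 1))
    fi
  done < <(git diff --cached --name-only --diff-filter=ACMR -z)
  printf '%s\n' "$count"
}

printf '%b🔍 Running security pre-commit checks...%b\n' "$GREEN" "$NC"

# Check for .env files.
# NOTE: this also matches template files such as .env.example; un-stage
# them or adjust the pattern if the project commits such templates.
check_blocked_paths '\.env$|\.env\.' \
  "Environment files (.env) contain secrets and should not be committed!"

# Check for database files
check_blocked_paths '\.(db|sqlite|sqlite3)$' \
  "Database files contain sensitive data and should not be committed!"

# Check for backup files
check_blocked_paths '\.(backup|bak|dump)$|backups/' \
  "Backup files may contain sensitive data and should not be committed!"

# Check for SSL certificates and keys
check_blocked_paths '\.(pem|key|crt|cert|p12|pfx)$' \
  "SSL certificates and private keys should not be committed!"

# Check for upload directories
check_blocked_paths 'uploads/|user-uploads/' \
  "Upload directories may contain sensitive user documents!"

# Check for local configuration files
check_warned_paths '-local\.|config\.local|settings\.local' \
  "Local configuration files detected - ensure they don't contain secrets"

# Check for common secret patterns in staged files.
# Content-based detection is blocking for private key material (it is the
# same policy as the .key/.pem path check above, applied to file contents)
# and warn-only for the looser credential-assignment patterns.
readonly PRIVATE_KEY_PATTERN='-----BEGIN [A-Z ]*PRIVATE KEY-----'
SECRET_PATTERNS=(
  "password\s*=\s*['\"][^'\"]+['\"]"
  "api_key\s*=\s*['\"][^'\"]+['\"]"
  "secret_key\s*=\s*['\"][^'\"]+['\"]"
  "token\s*=\s*['\"][^'\"]+['\"]"
  "-----BEGIN CERTIFICATE-----"
)

# Collect the diff once instead of re-running git for every pattern.
# '|| true': an empty diff is not an error.
ADDED_LINES=$(staged_added_lines || true)

# '--' is required: the PEM patterns start with '-', and without it grep
# parsed them as (invalid) options and the checks never matched anything.
if grep -qiE -- "$PRIVATE_KEY_PATTERN" <<<"$ADDED_LINES"; then
  report_issue "Private key material detected in staged changes!"
fi
for pattern in "${SECRET_PATTERNS[@]}"; do
  if grep -qiE -- "$pattern" <<<"$ADDED_LINES"; then
    report_warning "Potential secret detected in staged changes"
    printf '   Pattern: %s\n' "$pattern"
    echo "   Review your changes carefully!"
  fi
done

# Check for large files (may be database dumps or uploads)
LARGE_FILES=$(count_large_staged_files)
if (( LARGE_FILES > 0 )); then
  report_warning "$LARGE_FILES large files detected (>1MB) - ensure they're not sensitive data"
fi

# Check for Python cache files (should be in .gitignore but double-check)
check_warned_paths '__pycache__|\.pyc$' \
  "Python cache files detected - these should be in .gitignore"

# If any security issues found, prevent commit
if (( ISSUES_FOUND )); then
  printf '%b🚫 COMMIT BLOCKED: Security issues detected!%b\n' "$RED" "$NC"
  echo
  echo "To fix:"
  echo "1. Remove sensitive files from staging: git reset HEAD <file>"
  echo "2. Add files to .gitignore if needed"
  echo "3. Use environment variables for secrets"
  echo "4. Run: python scripts/setup-security.py for proper configuration"
  echo
  echo "To bypass this check (NOT RECOMMENDED): git commit --no-verify"
  exit 1
fi

# Show summary
printf '%b✅ Pre-commit security checks passed!%b\n' "$GREEN" "$NC"
echo "📝 Staged files: $(git diff --cached --name-only | wc -l | tr -d ' ')"

# Success - allow commit to proceed
exit 0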