zsp/everything-claude-code
1
0
Fork 0
mirror of https://github.com/affaan-m/everything-claude-code.git synced 2026-03-31 06:03:29 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
55801750e864b855d97763a5555015f1e1c5006e
everything-claude-code/scripts/codex-git-hooks/pre-commit
Tom Green 5bd183f4a7 feat: add Codex CLI customization scripts (#336) 
* chore(codex): add global ecc sync script and pnpm mcp config

* chore(codex): include codex supplement when syncing agents

* feat(codex): add global git safety hooks and QA/rule prompt packs

* feat(codex): add global regression sanity check command

---------

Co-authored-by: TGreen87 <your-email@example.com>
2026-03-16 14:02:40 -07:00

78 lines
2.1 KiB
Bash
Raw Blame History

#!/usr/bin/env bash
set -euo pipefail
# ECC Codex Git Hook: pre-commit
# Blocks commits that add high-signal secrets.
if [[ "${ECC_SKIP_GIT_HOOKS:-0}" == "1" || "${ECC_SKIP_PRECOMMIT:-0}" == "1" ]]; then
exit 0
fi
if [[ -f ".ecc-hooks-disable" || -f ".git/ecc-hooks-disable" ]]; then
exit 0
fi
if ! git rev-parse --is-inside-work-tree >/dev/null 2>&1; then
exit 0
fi
staged_files="$(git diff --cached --name-only --diff-filter=ACMR || true)"
if [[ -z "$staged_files" ]]; then
exit 0
fi
has_findings=0
scan_added_lines() {
local file="$1"
local name="$2"
local regex="$3"
local added_lines
local hits
added_lines="$(git diff --cached -U0 -- "$file" | awk '/^\+\+\+ /{next} /^\+/{print substr($0,2)}')"
if [[ -z "$added_lines" ]]; then
return 0
fi
if hits="$(printf '%s\n' "$added_lines" | rg -n --pcre2 "$regex" 2>/dev/null)"; then
printf '\n[ECC pre-commit] Potential secret detected (%s) in %s\n' "$name" "$file" >&2
printf '%s\n' "$hits" | head -n 3 >&2
has_findings=1
fi
}
while IFS= read -r file; do
[[ -z "$file" ]] && continue
case "$file" in
*.png|*.jpg|*.jpeg|*.gif|*.svg|*.pdf|*.zip|*.gz|*.lock|pnpm-lock.yaml|package-lock.json|yarn.lock|bun.lockb)
continue
;;
esac
scan_added_lines "$file" "OpenAI key" 'sk-[A-Za-z0-9]{20,}'
scan_added_lines "$file" "GitHub classic token" 'ghp_[A-Za-z0-9]{36}'
scan_added_lines "$file" "GitHub fine-grained token" 'github_pat_[A-Za-z0-9_]{20,}'
scan_added_lines "$file" "AWS access key" 'AKIA[0-9A-Z]{16}'
scan_added_lines "$file" "private key block" '-----BEGIN (RSA|EC|OPENSSH|DSA|PRIVATE) KEY-----'
scan_added_lines "$file" "generic credential assignment" "(?i)\\b(api[_-]?key|secret|password|token)\\b\\s*[:=]\\s*['\\\"][^'\\\"]{12,}['\\\"]"
done <<< "$staged_files"
if [[ "$has_findings" -eq 1 ]]; then
cat >&2 <<'EOF'
[ECC pre-commit] Commit blocked to prevent secret leakage.
Fix:
1) Remove secrets from staged changes.
2) Move secrets to env vars or secret manager.
3) Re-stage and commit again.
Temporary bypass (not recommended):
ECC_SKIP_PRECOMMIT=1 git commit ...
EOF
exit 1
fi
exit 0
Reference in New Issue View Git Blame Copy Permalink