Add lightweight pre-commit secret scanning

2026-03-28 00:20:48 +00:00
parent 1b339d5bce
commit 13459daf7a
4 changed files with 131 additions and 0 deletions
--- a/docs/git-hooks.md
+++ b/docs/git-hooks.md
@@ -0,0 +1,45 @@
+# Git Hooks / Secret Scan
+
+This repo uses a lightweight local pre-commit hook for obvious secret hygiene.
+
+## What it does
+
+On `git commit`, the hook runs:
+- `scripts/scan-secrets.sh`
+
+The scanner checks **staged content** for a small set of high-signal patterns, including:
+- private key blocks
+- common cloud/API token formats
+- suspicious inline assignments like `TOKEN=...` or `PASSWORD: ...`
+
+It is intentionally conservative and lightweight.
+
+## Why this exists
+
+Goal: catch obvious mistakes before they land in git.
+
+It is **not** meant to be a full secret management or DLP system.
+
+## Configuration
+
+This repo uses a repo-local hooks path:
+- `.githooks/`
+
+Configured via:
+```bash
+git config core.hooksPath .githooks
+```
+
+## Bypass
+
+If the scanner throws a false positive, you can bypass it once with:
+```bash
+git commit --no-verify
+```
+
+Use that sparingly and only after reviewing the staged diff.
+
+## Maintenance
+
+If the scanner is too noisy, tighten patterns.
+If it misses obvious mistakes, add narrowly targeted patterns rather than broad generic ones.