# Git Hooks / Secret Scan

This repo uses a lightweight local pre-commit hook for obvious secret hygiene.

## What it does

On `git commit`, the hook runs:

- `scripts/scan-secrets.sh`

The scanner checks **staged content** for a small set of high-signal patterns, including:

- private key blocks
- common cloud/API token formats
- suspicious inline assignments like `TOKEN=...` or `PASSWORD: ...`

It is intentionally conservative and lightweight.

## Why this exists

Goal: catch obvious mistakes before they land in git.

It is **not** meant to be a full secret management or DLP system.

## Configuration

This repo uses a repo-local hooks path:

- `.githooks/`

Configured via:

```bash
git config core.hooksPath .githooks
```

## Bypass

If the scanner throws a false positive, you can bypass it once with:

```bash
git commit --no-verify
```

Use that sparingly and only after reviewing the staged diff.

## Maintenance

If the scanner is too noisy, tighten patterns.

If it misses obvious mistakes, add narrowly targeted patterns rather than broad generic ones.
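
An added example, not this repo's `scripts/scan-secrets.sh`: one way to scan staged content as described under "What it does", reading `git diff --cached` and checking only added lines. The rule names, the regexes, the `--staged` argument and the sample diff are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example, not the repo's scanner. Rules are assumed, narrow, upper-case-only.

match_rule() {  # prints the first rule name that matches line $1, else returns 1
  local name re
  while read -r name re; do
    printf '%s\n' "$1" | grep -Eq -e "$re" && { printf '%s\n' "$name"; return 0; }
  done <<'EOF'
private-key-block -----BEGIN [A-Z ]*PRIVATE KEY-----
aws-access-key-id AKIA[0-9A-Z]{16}
github-token ghp_[A-Za-z0-9]{36}
inline-assignment (TOKEN|PASSWORD|SECRET)[A-Z_]*["']?[[:space:]]*[:=][[:space:]]*["']?[^[:space:]"'$<{]{8,}
EOF
  return 1
}

scan_added_lines() {  # unified diff on stdin; prints "file: rule"; returns 1 on any hit
  local file="" in_hunk=0 hits=0 line rule
  while IFS= read -r line; do
    case "$line" in
      'diff --git '*) in_hunk=0; continue ;;
      '@@ '*) in_hunk=1; continue ;;
      '+++ '*) if [ "$in_hunk" -eq 0 ]; then file="${line#+++ b/}"; continue; fi ;;
    esac
    [ "$in_hunk" -eq 1 ] || continue
    case "$line" in '+'*) ;; *) continue ;; esac   # only added lines matter
    rule=$(match_rule "${line#+}") || continue
    printf '%s: %s\n' "$file" "$rule"              # never echo the matched value
    hits=$((hits + 1))
  done
  [ "$hits" -eq 0 ]
}

sample_diff() {  # constructed input, shaped like `git diff --cached -U0`
  cat <<'EOF'
diff --git a/app/config.env b/app/config.env
--- a/app/config.env
+++ b/app/config.env
@@ -1,0 +2,3 @@
+AWS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+API_TOKEN=${CI_API_TOKEN}
+DB_PASSWORD: "correct-horse-battery"
EOF
}

# Hook entry point: scan what is staged, not the working tree.
if [ "${1:-}" = "--staged" ]; then
  git diff --cached --no-color -U0 | scan_added_lines
fi
```

The `${CI_API_TOKEN}` line in the sample passes because the inline-assignment rule skips values that begin with `$`, `<` or `{`, which keeps variable references and placeholders from becoming false positives.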