# Git Hooks / Secret Scan

This repo uses a lightweight local pre-commit hook for obvious secret hygiene.

## What it does

On `git commit`, the hook runs:

- `scripts/scan-secrets.sh`

The scanner checks **staged content** for a small set of high-signal patterns, including:

- private key blocks
- common cloud/API token formats
- suspicious inline assignments like `TOKEN=...` or `PASSWORD: ...`

It is intentionally conservative and lightweight.

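As an added illustration of the approach described above (this is not the repository's own `scripts/scan-secrets.sh`), the POSIX sh script below scans a unified diff for the same three classes of pattern, looks only at lines the commit would add, and exits non-zero when anything matches. The pattern set, the function names (`scan_diff`, `scan_staged`, `count_findings`), the exit-code convention (0 clean, 1 findings) and the sample diffs are all assumptions made for this example; the sample values are constructed and contain no real credentials.

```shell
#!/bin/sh
# Added example, not the repo's scripts/scan-secrets.sh. Pattern set,
# function names and exit codes (0 = clean, 1 = findings) are assumptions.

# A handful of high-signal patterns, kept deliberately narrow.
PAT_PRIVATE_KEY='-----BEGIN [A-Z ]*PRIVATE KEY-----'
PAT_AWS_ACCESS_KEY='AKIA[0-9A-Z]{16}'
PAT_GITHUB_PAT='ghp_[A-Za-z0-9]{36}'
# Inline assignments such as TOKEN=... or PASSWORD: ... whose value is at
# least 8 non-blank characters; short placeholders like "see vault" pass.
PAT_INLINE_ASSIGN='(TOKEN|SECRET|PASSWORD|API_KEY)[[:space:]]*[=:][[:space:]]*[^[:space:]]{8,}'

# scan_diff: read a unified diff on stdin, keep only ADDED lines (leading
# '+', excluding the '+++' file header), print each hit as "<n>:<line>" on
# stdout. Returns 0 when clean, 1 when anything matched.
scan_diff() {
  added=$(grep -E '^\+' | grep -Ev '^\+\+\+' | cut -c2-)
  findings=$(printf '%s\n' "$added" | grep -E -n \
    -e "$PAT_PRIVATE_KEY" -e "$PAT_AWS_ACCESS_KEY" \
    -e "$PAT_GITHUB_PAT" -e "$PAT_INLINE_ASSIGN" || true)
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}

# scan_staged: what a pre-commit hook would call. Only the staged changes
# (index vs HEAD) are examined, never the working tree or existing history.
scan_staged() {
  git diff --cached --no-color --unified=0 | scan_diff
}

# count_findings: number of flagged lines for the diff text passed as $1
# (a convenience for checks; the hook itself only needs scan_diff's status).
count_findings() {
  printf '%s\n' "$1" | scan_diff | grep -c . || true
}

# Constructed sample diffs. The AKIA value is AWS's documented example key id.
SAMPLE_DIRTY_DIFF='diff --git a/config.env b/config.env
--- a/config.env
+++ b/config.env
+DB_HOST=localhost
+PASSWORD=hunter2hunter2
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+-----BEGIN RSA PRIVATE KEY-----'

SAMPLE_CLEAN_DIFF='diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
+PASSWORD: stored in the team vault, never in git
-PASSWORD=oldvalue12345'

# Demo: the dirty diff would block the commit; the clean one passes.
# Note the removed "-PASSWORD=..." line is ignored: only additions are scanned.
printf '%s\n' "$SAMPLE_DIRTY_DIFF" | scan_diff || echo "commit would be blocked (exit $?)"
printf '%s\n' "$SAMPLE_CLEAN_DIFF" | scan_diff && echo "clean"
```

Two design choices worth noting: the scanner reads `git diff --cached`, so it judges exactly what would land in the commit rather than the working tree, and the inline-assignment pattern requires a value of some length so that a comment like `PASSWORD: see vault` does not trip it. Each pattern is a separate `-e` argument, which is also where a maintainer would add a new narrowly targeted pattern.
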
## Why this exists

Goal: catch obvious mistakes before they land in git.

It is **not** meant to be a full secret management or DLP system.

## Configuration

This repo uses a repo-local hooks path:

- `.githooks/`

Configured via:

```bash
git config core.hooksPath .githooks
```

## Bypass

If the scanner throws a false positive, you can bypass it once with:

```bash
git commit --no-verify
```

Use that sparingly and only after reviewing the staged diff.

## Maintenance

If the scanner is too noisy, tighten patterns.

If it misses obvious mistakes, add narrowly targeted patterns rather than broad generic ones.