From 104c7266a86fa70cd832f746dceacafcec3f1ab6 Mon Sep 17 00:00:00 2001 From: g_it Date: Tue, 10 Feb 2026 22:41:52 +0100 Subject: [PATCH] . --- .checks/pre-push | 175 +++++++++-------------------------------------- 1 file changed, 32 insertions(+), 143 deletions(-) diff --git a/.checks/pre-push b/.checks/pre-push index 537d5d9..b1d8765 100755 --- a/.checks/pre-push +++ b/.checks/pre-push @@ -11,8 +11,11 @@ readonly YELLOW='\033[1;33m' readonly NC='\033[0m' # Paths -readonly REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd)" -readonly LOG_DIR="${REPO_ROOT}/.checks/logs" +REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd)" +LOG_DIR="${REPO_ROOT}/.checks/logs" + +# Ensure log directory exists +mkdir -p "$LOG_DIR" # Logging functions log_error() { @@ -27,77 +30,58 @@ log_warning() { echo -e "${YELLOW}[WARNING] $*${NC}" } -# Utility function to get scannable files respecting .gitignore -get_scannable_files() { - # Find files that are tracked by git or not ignored - git ls-files --cached --modified --others --exclude-standard -} - -# Gitignore-aware exclusion generator -get_gitignore_excludes() { - local excludes=() - - # Use git ls-files to find ignored files - while IFS= read -r file; do - # Convert file paths to directories for skipping - dir=$(dirname "$file") - excludes+=("--skip-dirs=$dir" "--skip-files=$file") - done < <(git ls-files -o -i --exclude-standard) - - printf '%s\n' "${excludes[@]}" -} - -# Prepare log directory -prepare_log_directory() { - rm -rf "$LOG_DIR" - mkdir -p "$LOG_DIR" -} - # Vulnerability Scanning with Trivy run_trivy_scan() { + # Check if Trivy is installed if ! command -v trivy &>/dev/null; then log_warning "Trivy not installed. Skipping vulnerability scan." return 0 - } + fi + # Ensure we have files to scan local files - mapfile -t files < <(get_scannable_files) + mapfile -t files < <(git ls-files) if [[ ${#files[@]} -eq 0 ]]; then log_warning "No files to scan with Trivy" return 0 - } + fi log_info "Running Trivy vulnerability scan..." - # shellcheck disable=SC2046 - trivy fs "${files[@]}" \ - $(get_gitignore_excludes) \ + + # Run Trivy scan + if ! trivy fs "${files[@]}" \ --exit-code 1 \ --severity CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN \ --no-progress \ - >"$LOG_DIR/trivy.log" 2>&1 || { - log_error "Trivy scan failed. See $LOG_DIR/trivy.log" - return 1 - } + >"$LOG_DIR/trivy.log" 2>&1; then + log_error "Trivy scan failed. See $LOG_DIR/trivy.log" + return 1 + fi } # Secrets Detection with Trufflehog run_trufflehog_scan() { + # Check if Trufflehog and jq are installed if ! (command -v trufflehog &>/dev/null && command -v jq &>/dev/null); then log_warning "TruffleHog or jq not installed. Skipping secrets scan." return 0 - } + fi log_info "Running TruffleHog secrets scan..." local tmpf tmpf="$(mktemp)" - # Use git ls-files to respect .gitignore - git ls-files | xargs trufflehog filesystem \ - --json >"$tmpf" 2>"$LOG_DIR/trufflehog.log" || true + # Scan files + if ! trufflehog filesystem . --json >"$tmpf" 2>"$LOG_DIR/trufflehog.log"; then + log_error "Trufflehog scan failed" + rm -f "$tmpf" + return 1 + fi + # Check for verified secrets local verified - verified="$(jq 'select(.verified==true)' "$tmpf" | wc -l | tr -d ' ')" + verified=$(jq 'select(.verified==true)' "$tmpf" | wc -l | tr -d ' ') if [[ "$verified" -gt 0 ]]; then cp "$tmpf" "$LOG_DIR/trufflehog-findings.json" @@ -109,110 +93,15 @@ run_trufflehog_scan() { rm -f "$tmpf" } -# Git Secrets Check -run_git_secrets_scan() { - if ! command -v git-secrets &>/dev/null; then - log_warning "git-secrets not installed. Skipping git-secrets scan." - return 0 - } - - log_info "Running git-secrets scan..." - git-secrets --scan >"$LOG_DIR/git-secrets.log" 2>&1 || { - log_error "git-secrets detected potential secrets. See $LOG_DIR/git-secrets.log" - return 1 - } -} - -# Python Security Scan with Bandit -run_python_security_scan() { - if ! command -v bandit &>/dev/null; then - log_warning "Bandit not installed. Skipping Python security scan." - return 0 - } - - local py_files - mapfile -t py_files < <(git ls-files '*.py') - - if [[ ${#py_files[@]} -eq 0 ]]; then - log_warning "No Python files to scan" - return 0 - } - - log_info "Running Bandit Python security scan..." - # shellcheck disable=SC2046 - bandit -r "${py_files[@]}" \ - -n 5 -lll \ - -f json -o "$LOG_DIR/bandit.json" 2>"$LOG_DIR/bandit.log" || { - log_error "Bandit issues found. See $LOG_DIR/bandit.log" - return 1 - } -} - -# Dependency Vulnerability Check -run_dependency_checks() { - # npm audit - if command -v npm &>/dev/null && [[ -f package.json ]]; then - log_info "Running npm audit..." - npm audit --audit-level=high >"$LOG_DIR/npm-audit.log" 2>&1 || { - log_error "npm audit found issues. See $LOG_DIR/npm-audit.log" - return 1 - } - fi - - # pip-audit for Python dependencies - if command -v pip-audit &>/dev/null && [[ -f requirements.txt ]]; then - log_info "Running pip-audit..." - pip-audit -r requirements.txt >"$LOG_DIR/pip-audit.log" 2>&1 || { - log_error "pip-audit found issues. See $LOG_DIR/pip-audit.log" - return 1 - } - fi -} - -# Stylelint for CSS/SCSS -run_stylelint_check() { - if ! command -v stylelint &>/dev/null; then - log_warning "Stylelint not installed. Skipping stylesheet lint." - return 0 - } - - local style_files - mapfile -t style_files < <(git ls-files '*.{css,scss,sass}') - - if [[ ${#style_files[@]} -eq 0 ]]; then - log_warning "No stylesheet files to lint" - return 0 - } - - log_info "Running Stylelint..." - # shellcheck disable=SC2046 - stylelint "${style_files[@]}" \ - --formatter json >"$LOG_DIR/stylelint.json" 2>"$LOG_DIR/stylelint.log" || { - log_error "Stylelint issues found. See $LOG_DIR/stylelint.log" - return 1 - } -} - # Main execution function main() { - prepare_log_directory - - local checks=( - run_trivy_scan - run_trufflehog_scan - run_git_secrets_scan - run_python_security_scan - run_dependency_checks - run_stylelint_check - ) - local failed=0 - for check in "${checks[@]}"; do - if ! "$check"; then - failed=1 - fi - done + # Run each check and track failures + run_trivy_scan || failed=1 + run_trufflehog_scan || failed=1 + + # Exit with error if any checks failed if [[ $failed -eq 1 ]]; then log_error "Some pre-push checks failed. Aborting push." exit 1