114 lines
2.7 KiB
Bash
Executable file
114 lines
2.7 KiB
Bash
Executable file
#!/usr/bin/env bash
|
|
# Advanced Pre-Push Security and Quality Check Script
|
|
|
|
# Fail fast on any error
|
|
set -euo pipefail
|
|
|
|
# Color codes
|
|
readonly RED='\033[0;31m'
|
|
readonly GREEN='\033[0;32m'
|
|
readonly YELLOW='\033[1;33m'
|
|
readonly NC='\033[0m'
|
|
|
|
# Paths
|
|
REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd)"
|
|
LOG_DIR="${REPO_ROOT}/.checks/logs"
|
|
|
|
# Ensure log directory exists
|
|
mkdir -p "$LOG_DIR"
|
|
|
|
# Logging functions
|
|
log_error() {
|
|
echo -e "${RED}[ERROR] $*${NC}" >&2
|
|
}
|
|
|
|
log_info() {
|
|
echo -e "${GREEN}[INFO] $*${NC}"
|
|
}
|
|
|
|
log_warning() {
|
|
echo -e "${YELLOW}[WARNING] $*${NC}"
|
|
}
|
|
|
|
# Vulnerability Scanning with Trivy
|
|
run_trivy_scan() {
|
|
# Check if Trivy is installed
|
|
if ! command -v trivy &>/dev/null; then
|
|
log_warning "Trivy not installed. Skipping vulnerability scan."
|
|
return 0
|
|
fi
|
|
|
|
# Ensure we have files to scan
|
|
local files
|
|
mapfile -t files < <(git ls-files)
|
|
|
|
if [[ ${#files[@]} -eq 0 ]]; then
|
|
log_warning "No files to scan with Trivy"
|
|
return 0
|
|
fi
|
|
|
|
log_info "Running Trivy vulnerability scan..."
|
|
|
|
# Run Trivy scan
|
|
if ! trivy fs "${files[@]}" \
|
|
--exit-code 1 \
|
|
--severity CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN \
|
|
--no-progress \
|
|
>"$LOG_DIR/trivy.log" 2>&1; then
|
|
log_error "Trivy scan failed. See $LOG_DIR/trivy.log"
|
|
return 1
|
|
fi
|
|
}
|
|
|
|
# Secrets Detection with Trufflehog
|
|
run_trufflehog_scan() {
|
|
# Check if Trufflehog and jq are installed
|
|
if ! (command -v trufflehog &>/dev/null && command -v jq &>/dev/null); then
|
|
log_warning "TruffleHog or jq not installed. Skipping secrets scan."
|
|
return 0
|
|
fi
|
|
|
|
log_info "Running TruffleHog secrets scan..."
|
|
local tmpf
|
|
tmpf="$(mktemp)"
|
|
|
|
# Scan files
|
|
if ! trufflehog filesystem . --json >"$tmpf" 2>"$LOG_DIR/trufflehog.log"; then
|
|
log_error "Trufflehog scan failed"
|
|
rm -f "$tmpf"
|
|
return 1
|
|
fi
|
|
|
|
# Check for verified secrets
|
|
local verified
|
|
verified=$(jq 'select(.verified==true)' "$tmpf" | wc -l | tr -d ' ')
|
|
|
|
if [[ "$verified" -gt 0 ]]; then
|
|
cp "$tmpf" "$LOG_DIR/trufflehog-findings.json"
|
|
log_error "Verified secrets found. See $LOG_DIR/trufflehog-findings.json"
|
|
rm -f "$tmpf"
|
|
return 1
|
|
fi
|
|
|
|
rm -f "$tmpf"
|
|
}
|
|
|
|
# Main execution function
|
|
main() {
|
|
local failed=0
|
|
|
|
# Run each check and track failures
|
|
run_trivy_scan || failed=1
|
|
run_trufflehog_scan || failed=1
|
|
|
|
# Exit with error if any checks failed
|
|
if [[ $failed -eq 1 ]]; then
|
|
log_error "Some pre-push checks failed. Aborting push."
|
|
exit 1
|
|
fi
|
|
|
|
log_info "All pre-push checks passed successfully!"
|
|
}
|
|
|
|
# Run the main function
|
|
main "$@"
|