11#! /bin/bash
2- # Socket Security Pre-commit Hook
3- # Prevents committing sensitive data, personal paths, and junk files.
4- # This hook is enforced and cannot be bypassed with --no-verify.
2+ # Socket Security Checks
3+ # Prevents committing sensitive data and common mistakes.
54
65set -e
76
8- # Detect if --no-verify was used.
9- if [ -n " $GIT_AUTHOR_DATE " ]; then
10- # Hook is running during a commit.
11- if ps -ocommand= -p $PPID | grep -q ' \--no-verify' ; then
12- echo " ERROR: Security hooks cannot be bypassed with --no-verify"
13- echo " These checks are required to prevent accidental credential exposure."
14- exit 1
15- fi
16- fi
17-
187# Colors for output.
198RED=' \033[0;31m'
209YELLOW=' \033[1;33m'
2110GREEN=' \033[0;32m'
22- NC=' \033[0m' # No Color
11+ NC=' \033[0m'
2312
2413# Allowed public API key (used in socket-lib).
2514ALLOWED_PUBLIC_KEY=" sktsec_t_--RAN5U4ivauy4w37-6aoKyYPDt5ZbaT5JBVMqiwKo_api"
2615
27- echo " ${GREEN} Running Socket Security pre-commit checks...${NC} "
16+ echo " ${GREEN} Running Socket Security checks...${NC} "
2817
2918# Get list of staged files.
3019STAGED_FILES=$( git diff --cached --name-only --diff-filter=ACM)
@@ -41,7 +30,6 @@ echo "Checking for .DS_Store files..."
4130if echo " $STAGED_FILES " | grep -q ' \.DS_Store' ; then
4231 echo " ${RED} ✗ ERROR: .DS_Store file detected!${NC} "
4332 echo " $STAGED_FILES " | grep ' \.DS_Store'
44- echo " Remove with: git reset HEAD \$ (git diff --cached --name-only | grep .DS_Store)"
4533 ERRORS=$(( ERRORS + 1 ))
4634fi
4735
@@ -50,7 +38,6 @@ echo "Checking for log files..."
5038if echo " $STAGED_FILES " | grep -E ' \.log$' | grep -v ' test.*\.log' ; then
5139 echo " ${RED} ✗ ERROR: Log file detected!${NC} "
5240 echo " $STAGED_FILES " | grep -E ' \.log$' | grep -v ' test.*\.log'
53- echo " Log files should not be committed."
5441 ERRORS=$(( ERRORS + 1 ))
5542fi
5643
@@ -63,41 +50,33 @@ if echo "$STAGED_FILES" | grep -E '^\.env(\.local)?$'; then
6350 ERRORS=$(( ERRORS + 1 ))
6451fi
6552
66- # Check for personal paths in file contents .
53+ # Check for hardcoded user paths (generic detection) .
6754echo " Checking for hardcoded personal paths..."
6855for file in $STAGED_FILES ; do
6956 if [ -f " $file " ]; then
70- if grep -l ' /Users/jdalton/' " $file " 2> /dev/null | grep -v ' .test.' ; then
71- echo " ${RED} ✗ ERROR: Hardcoded personal path found in: $file ${NC} "
72- grep -n ' /Users/jdalton/' " $file " | head -3
73- echo " Replace with relative paths or environment variables."
74- ERRORS=$(( ERRORS + 1 ))
75- fi
76- if grep -l ' /home/jdalton/' " $file " 2> /dev/null; then
77- echo " ${RED} ✗ ERROR: Hardcoded personal path found in: $file ${NC} "
78- grep -n ' /home/jdalton/' " $file " | head -3
79- ERRORS=$(( ERRORS + 1 ))
57+ # Skip test files and hook scripts.
58+ if echo " $file " | grep -qE ' \.(test|spec)\.|/test/|/tests/|fixtures/|\.git-hooks/|\.husky/' ; then
59+ continue
8060 fi
81- if grep -l ' C:\\Users\\jdalton\\' " $file " 2> /dev/null; then
61+
62+ # Check for common user path patterns.
63+ if grep -E ' (/Users/[^/\s]+/|/home/[^/\s]+/|C:\\Users\\[^\\]+\\)' " $file " 2> /dev/null | grep -q . ; then
8264 echo " ${RED} ✗ ERROR: Hardcoded personal path found in: $file ${NC} "
83- grep -n ' C:\\Users\\jdalton\\' " $file " | head -3
65+ grep -n -E ' (/Users/[^/\s]+/|/home/[^/\s]+/|C:\\Users\\[^\\]+\\)' " $file " | head -3
66+ echo " Replace with relative paths or environment variables."
8467 ERRORS=$(( ERRORS + 1 ))
8568 fi
8669 fi
8770done
8871
89- # Check for Socket API keys (except the allowed public key) .
72+ # Check for Socket API keys.
9073echo " Checking for API keys..."
9174for file in $STAGED_FILES ; do
9275 if [ -f " $file " ]; then
93- # Look for Socket API keys.
94- if grep -E ' sktsec_[a-zA-Z0-9_-]+' " $file " 2> /dev/null | grep -v " $ALLOWED_PUBLIC_KEY " | grep -v ' your_api_key_here' | grep -v ' SOCKET_SECURITY_API_KEY=' | grep -q . ; then
76+ if grep -E ' sktsec_[a-zA-Z0-9_-]+' " $file " 2> /dev/null | grep -v " $ALLOWED_PUBLIC_KEY " | grep -v ' your_api_key_here' | grep -v ' SOCKET_SECURITY_API_KEY=' | grep -v ' fake-token' | grep -v ' test-token' | grep -q . ; then
9577 echo " ${YELLOW} ⚠ WARNING: Potential API key found in: $file ${NC} "
96- grep -n ' sktsec_' " $file " | grep -v " $ALLOWED_PUBLIC_KEY " | grep -v ' your_api_key_here' | head -3
78+ grep -n ' sktsec_' " $file " | grep -v " $ALLOWED_PUBLIC_KEY " | grep -v ' your_api_key_here' | grep -v ' fake-token ' | grep -v ' test-token ' | head -3
9779 echo " If this is a real API key, DO NOT COMMIT IT."
98- echo " Allowed public key: $ALLOWED_PUBLIC_KEY "
99- # Not blocking on this, just warning.
100- # ERRORS=$((ERRORS + 1))
10180 fi
10281 fi
10382done
10685echo " Checking for potential secrets..."
10786for file in $STAGED_FILES ; do
10887 if [ -f " $file " ]; then
109- # Skip test files and example files.
110- if echo " $file " | grep -qE ' \.(test|spec)\.(m?[jt]s|tsx?)$|\.example$|/test/|/tests/|fixtures/' ; then
88+ # Skip test files, example files, and hook scripts .
89+ if echo " $file " | grep -qE ' \.(test|spec)\.(m?[jt]s|tsx?)$|\.example$|/test/|/tests/|fixtures/|\.git-hooks/|\.husky/ ' ; then
11190 continue
11291 fi
11392
@@ -135,13 +114,10 @@ done
135114
136115if [ $ERRORS -gt 0 ]; then
137116 echo " "
138- echo " ${RED} ✗ Pre-commit check failed with $ERRORS error(s).${NC} "
117+ echo " ${RED} ✗ Security check failed with $ERRORS error(s).${NC} "
139118 echo " Fix the issues above and try again."
140- echo " "
141- echo " To bypass this check (NOT RECOMMENDED):"
142- echo " git commit --no-verify"
143119 exit 1
144120fi
145121
146- echo " ${GREEN} ✓ All pre-commit checks passed!${NC} "
122+ echo " ${GREEN} ✓ All security checks passed!${NC} "
147123exit 0
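Review bot: The `\s` inside the bracket expressions at new lines 63 and 65 is not a whitespace class in POSIX ERE — within `[...]` grep -E reads the backslash and the `s` as two literal characters, so `[^/\s]+` also refuses any username that contains an `s` (a path such as `/home/sam/` would not be flagged), which silently narrows the detection this hunk introduces. Use the portable class and hoist the pattern once so the two greps cannot drift apart: `path_pattern='(/Users/[^/[:space:]]+/|/home/[^/[:space:]]+/|C:\\Users\\[^\\]+\\)'`, then `grep -E "$path_pattern" "$file"` and `grep -n -E "$path_pattern" "$file"`. Separately, at new lines 76 and 78 the added `grep -v 'fake-token'` and `grep -v 'test-token'` filters discard whole lines, so a real `sktsec_` token on any line that also happens to mention one of those words is never reported; comparing each matched token value against an allowlist of exact strings, rather than excluding lines by substring, would keep the exemption from covering unrelated content. The `for file in $STAGED_FILES` loop header is unchanged context, but its unquoted expansion splits paths on whitespace, so staged files with spaces in their names are skipped by every check in this hunk.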