chore: harden secret scanning

yannvr · yannvr · commit 7c1057f95609 · 2026-03-16T01:06:01.000Z
diff --git a/.githooks/pre-commit b/.githooks/pre-commit
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+if [[ -n "${CI:-}" ]]; then
+  exit 0
+fi
+
+if git diff --cached --quiet; then
+  exit 0
+fi
+
+if ! command -v gitleaks >/dev/null 2>&1; then
+  echo "gitleaks is required for commits in this repo. Install it with: brew install gitleaks"
+  exit 1
+fi
+
+gitleaks protect --staged --source . --redact --no-banner
diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
@@ -0,0 +1,26 @@
+name: Gitleaks
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install gitleaks
+        run: |
+          set -euo pipefail
+          version=8.30.0
+          curl -sSL "https://github.com/gitleaks/gitleaks/releases/download/v${version}/gitleaks_${version}_linux_x64.tar.gz" | tar -xz gitleaks
+          chmod +x gitleaks
+          echo "$PWD" >> "$GITHUB_PATH"
+
+      - name: Scan tracked files
+        run: bash scripts/security-scan.sh
diff --git a/.gitignore b/.gitignore
@@ -1,6 +1,12 @@
 # Dependencies
 node_modules/
 
+# Local env files and backups
+.env
+.env.*
+.env*~
+*~
+
 # Configuration files are stored securely in:
 # ~/.config/hyper-post/signup-data.json (credentials & templates)
 # ~/.config/hyper-post/config.json (default template settings)
diff --git a/package.json b/package.json
@@ -25,7 +25,12 @@
     "db:push": "prisma db push",
     "db:studio": "prisma studio",
     "db:migrate": "prisma migrate dev",
-    "db:seed": "tsx prisma/seed.ts"
+    "db:seed": "tsx prisma/seed.ts",
+    "setup-hooks": "bash scripts/setup-git-hooks.sh",
+    "security:scan": "bash scripts/security-scan.sh",
+    "security:audit": "gitleaks detect --source . --redact",
+    "security:scan:staged": "gitleaks protect --staged --source . --redact",
+    "postinstall": "bash scripts/setup-git-hooks.sh"
   },
   "keywords": [
     "social-media",
diff --git a/scripts/security-scan.sh b/scripts/security-scan.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+if ! command -v git >/dev/null 2>&1; then
+  echo "git is required to run the tracked-file secret scan"
+  exit 1
+fi
+
+if ! command -v gitleaks >/dev/null 2>&1; then
+  echo "gitleaks is required to run the tracked-file secret scan. Install it with: brew install gitleaks"
+  exit 1
+fi
+
+repo_root=$(git rev-parse --show-toplevel)
+tmpdir=$(mktemp -d)
+
+cleanup() {
+  rm -rf "$tmpdir"
+}
+
+trap cleanup EXIT
+
+while IFS= read -r -d '' path; do
+  mkdir -p "$tmpdir/$(dirname "$path")"
+  cp "$repo_root/$path" "$tmpdir/$path"
+done < <(git -C "$repo_root" ls-files -z)
+
+gitleaks detect --source "$tmpdir" --no-git --redact --no-banner
diff --git a/scripts/setup-git-hooks.sh b/scripts/setup-git-hooks.sh
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+if [[ -n "${CI:-}" ]]; then
+  exit 0
+fi
+
+if ! command -v git >/dev/null 2>&1; then
+  exit 0
+fi
+
+if ! git rev-parse --show-toplevel >/dev/null 2>&1; then
+  exit 0
+fi
+
+repo_root=$(git rev-parse --show-toplevel)
+cd "$repo_root"
+
+git config core.hooksPath .githooks
+printf 'Configured git hooks for %s\n' "$repo_root"
