akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 16 Packages Projects Releases Wiki Activity

choret: add manual security scans for Semgrep and Gitleaks in pre-commit hooks

Browse Source
This commit is contained in:
GitHub Actions
2026-02-18 08:26:13 +00:00
parent fd95611a25
commit 26a19e58a6
4 changed files with 124 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

56
scripts/pre-commit-hooks/gitleaks-tuned-scan.sh Executable file
View File

@@ -0,0 +1,56 @@
#!/usr/bin/env bash
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
readonly SCRIPT_DIR
REPO_ROOT="$(cd "${SCRIPT_DIR}/../.." && pwd)"
readonly REPO_ROOT
readonly DEFAULT_REPORT_PATH="${REPO_ROOT}/test-results/security/gitleaks-tuned-precommit.json"
readonly REPORT_PATH="${GITLEAKS_REPORT_PATH:-${DEFAULT_REPORT_PATH}}"
if ! command -v rsync >/dev/null 2>&1; then
echo "Error: rsync is not installed or not in PATH" >&2
exit 127
fi
if ! command -v gitleaks >/dev/null 2>&1; then
echo "Error: gitleaks is not installed or not in PATH" >&2
echo "Install: https://github.com/gitleaks/gitleaks" >&2
exit 127
fi
TEMP_ROOT="$(mktemp -d -t gitleaks-tuned-XXXXXX)"
cleanup() {
rm -rf "${TEMP_ROOT}"
}
trap cleanup EXIT
readonly FILTERED_SOURCE="${TEMP_ROOT}/source-filtered"
mkdir -p "${FILTERED_SOURCE}"
mkdir -p "$(dirname "${REPORT_PATH}")"
cd "${REPO_ROOT}"
echo "Preparing filtered source tree for tuned gitleaks scan"
rsync -a --delete \
--exclude='.cache/' \
--exclude='node_modules/' \
--exclude='frontend/node_modules/' \
--exclude='backend/.venv/' \
--exclude='dist/' \
--exclude='build/' \
--exclude='coverage/' \
--exclude='test-results/' \
./ "${FILTERED_SOURCE}/"
echo "Running gitleaks tuned scan (no-git mode)"
gitleaks detect \
--source "${FILTERED_SOURCE}" \
--no-git \
--report-format json \
--report-path "${REPORT_PATH}" \
--exit-code 1 \
--no-banner
echo "Gitleaks report: ${REPORT_PATH}"

24
scripts/pre-commit-hooks/semgrep-scan.sh Executable file
View File

@@ -0,0 +1,24 @@
#!/usr/bin/env bash
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
readonly SCRIPT_DIR
REPO_ROOT="$(cd "${SCRIPT_DIR}/../.." && pwd)"
readonly REPO_ROOT
if ! command -v semgrep >/dev/null 2>&1; then
echo "Error: semgrep is not installed or not in PATH" >&2
echo "Install: https://semgrep.dev/docs/getting-started/" >&2
exit 127
fi
cd "${REPO_ROOT}"
readonly SEMGREP_CONFIG_VALUE="${SEMGREP_CONFIG:-auto}"
echo "Running Semgrep with config: ${SEMGREP_CONFIG_VALUE}"
semgrep scan \
--config "${SEMGREP_CONFIG_VALUE}" \
--error \
backend frontend scripts .github/workflows