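#!/usr/bin/env bash
#
# Tuned gitleaks scan of the working tree (no-git mode).
#
# The repository is copied with rsync into a private temporary directory,
# minus dependency/build/output directories, and `gitleaks detect --no-git`
# is run against that copy. The JSON report goes to $GITLEAKS_REPORT_PATH if
# set, otherwise to test-results/security/gitleaks-tuned-precommit.json under
# the repository root.
#
# Exit status:
#   0   no leaks found
#   1   gitleaks reported leaks (--exit-code 1)
#   127 rsync or gitleaks is not installed
#   any other non-zero status from gitleaks is passed through unchanged
#
# NOTE(review): a gitleaks JSON report carries the matched secret values
# (Secret/Match fields), so the report file is itself sensitive. Do not publish
# it as a build artifact as-is; gitleaks offers --redact if a shareable copy is
# needed.
set -euo pipefail

# Files this script causes to be created without explicit permissions — the
# report in particular — must not be group/world readable.
umask 077

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
readonly SCRIPT_DIR

# The script lives two directory levels below the repository root.
REPO_ROOT="$(cd "${SCRIPT_DIR}/../.." && pwd)"
readonly REPO_ROOT

readonly DEFAULT_REPORT_PATH="${REPO_ROOT}/test-results/security/gitleaks-tuned-precommit.json"
readonly REPORT_PATH="${GITLEAKS_REPORT_PATH:-${DEFAULT_REPORT_PATH}}"

# Fail fast, before anything is copied or created, if a required tool is absent.
if ! command -v rsync >/dev/null 2>&1; then
  echo "Error: rsync is not installed or not in PATH" >&2
  exit 127
fi

if ! command -v gitleaks >/dev/null 2>&1; then
  echo "Error: gitleaks is not installed or not in PATH" >&2
  echo "Install: https://github.com/gitleaks/gitleaks" >&2
  exit 127
fi

# mktemp -d creates the directory mode 0700, so the copied tree (which may
# contain exactly the secrets being hunted) is not readable by other users.
TEMP_ROOT="$(mktemp -d -t gitleaks-tuned-XXXXXX)"
readonly TEMP_ROOT

# Remove the scratch copy on every exit path, including a failed scan.
cleanup() {
  # `${TEMP_ROOT:?}` aborts instead of running rm against an empty argument
  # if the variable were ever unset or empty.
  rm -rf -- "${TEMP_ROOT:?}"
}
trap cleanup EXIT

readonly FILTERED_SOURCE="${TEMP_ROOT}/source-filtered"
mkdir -p "${FILTERED_SOURCE}"
mkdir -p "$(dirname "${REPORT_PATH}")"

cd "${REPO_ROOT}"

echo "Preparing filtered source tree for tuned gitleaks scan"
# Exclude patterns without a leading '/' match at any depth, so `node_modules/`
# already covers `frontend/node_modules/`; it also means any directory named
# e.g. `build/` or `dist/` anywhere in the tree is a blind spot for this scan —
# keep that in mind when adding source directories with those names.
# `.git/` is excluded because the scan is of the working tree, not history;
# gitleaks' no-git walk skips .git directories anyway (verify for the
# installed version), so copying the object store would only cost time.
rsync -a --delete \
  --exclude='.git/' \
  --exclude='.cache/' \
  --exclude='node_modules/' \
  --exclude='frontend/node_modules/' \
  --exclude='backend/.venv/' \
  --exclude='dist/' \
  --exclude='build/' \
  --exclude='coverage/' \
  --exclude='test-results/' \
  ./ "${FILTERED_SOURCE}/"

echo "Running gitleaks tuned scan (no-git mode)"
# No --config is passed: gitleaks documents that it falls back to
# <source>/.gitleaks.toml (and honours <source>/.gitleaksignore), and the copy
# above includes those files if the repository has them — confirm with the
# installed gitleaks version if findings look untuned.
#
# Capture the status instead of letting `set -e` abort: with --exit-code 1,
# finding leaks makes gitleaks return 1, and that is precisely the case in
# which the report location must still be printed.
scan_status=0
gitleaks detect \
  --source "${FILTERED_SOURCE}" \
  --no-git \
  --report-format json \
  --report-path "${REPORT_PATH}" \
  --exit-code 1 \
  --no-banner || scan_status=$?

echo "Gitleaks report: ${REPORT_PATH}"
exit "${scan_status}"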