1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
|
#!/bin/bash
printf "\033[0;32mRunning pre-commit hook in bash ...\033[0m\n"
# run azdev_active script
SCRIPT_PATH="$(dirname "$0")/azdev_active.sh"
. "$SCRIPT_PATH"
if [ $? -ne 0 ]; then
exit 1
fi
# Run command azdev scan
printf "\033[0;32mRunning azdev scan...\033[0m\n"
if git rev-parse --verify HEAD >/dev/null 2>&1
then
printf "Using HEAD as the previous commit\n"
against=HEAD
else
printf "Using an empty tree object as the previous commit\n"
against=$(git hash-object -t tree /dev/null)
fi
has_secrets=0
for FILE in `git diff --cached --name-only --diff-filter=AM $against` ; do
# Check if the file contains secrets
detected=$(azdev scan -f "$FILE" --continue-on-failure | python -c "import sys, json; print(json.load(sys.stdin)['secrets_detected'])")
if [ "$detected" = "True" ]; then
printf "\033[0;31mDetected secrets from %s, Please run the following command to mask it:\033[0m\n" "$FILE"
printf "\033[0;31m+++++++++++++++++++++++++++++++++++++++++++++++++++++++\033[0m\n"
printf "\033[0;31mazdev mask -f %s\033[0m\n" "$FILE"
printf "\033[0;31m+++++++++++++++++++++++++++++++++++++++++++++++++++++++\033[0m\n"
has_secrets=1
fi
done
if [ $has_secrets -eq 1 ]; then
printf "\033[0;31mSecret detected. If you want to skip that, run add '--no-verify' in the end of 'git commit' command.\033[0m\n"
exit 1
fi
printf "\033[0;32mPre-commit hook passed.\033[0m\n"
exit 0
|
