51 lines
1.9 KiB
Bash
Executable File
51 lines
1.9 KiB
Bash
Executable File
#!/bin/bash
|
|
|
|
# run-gitleaks.sh - Wrapper for gitleaks detection modes
|
|
# Usage: ./run-gitleaks.sh [staged|full]
|
|
|
|
MODE=${1:-staged}
|
|
GITLEAKS_BIN=${GITLEAKS_BIN:-gitleaks}
|
|
GITLEAKS_CONFIG=${GITLEAKS_CONFIG:-config/gitleaks.toml}
|
|
# Default to /tmp (some environments forbid writing under the repo or `.git/`).
|
|
GITLEAKS_REPORT_DIR=${GITLEAKS_REPORT_DIR:-/tmp/gitleaks-accounts.svc.plus}
|
|
REPORT_PATH="$GITLEAKS_REPORT_DIR/report.json"
|
|
|
|
# Check if gitleaks is installed
|
|
if ! command -v "$GITLEAKS_BIN" &> /dev/null; then
|
|
echo "Error: gitleaks is not installed or not in PATH."
|
|
echo "Install it from: https://github.com/gitleaks/gitleaks/releases"
|
|
exit 1
|
|
fi
|
|
|
|
# Create report directory
|
|
mkdir -p "$GITLEAKS_REPORT_DIR"
|
|
|
|
if [ "$MODE" == "staged" ]; then
|
|
echo "Running Gitleaks protect on staged changes (respecting .gitignore)..."
|
|
# 'protect --staged' is the recommended way to scan staged changes
|
|
"$GITLEAKS_BIN" protect -v --staged --redact --config "$GITLEAKS_CONFIG" --report-path "$REPORT_PATH"
|
|
EXIT_CODE=$?
|
|
else
|
|
echo "Running full Gitleaks detection on commits..."
|
|
# 'detect' scans the git history (commits). In-progress worktree files
|
|
# that are .gitignored will NOT be scanned unless they were previously committed.
|
|
# To ignore specific files/folders always, use config/gitleaks.toml [allowlist]
|
|
"$GITLEAKS_BIN" detect -v --redact --config "$GITLEAKS_CONFIG" --report-path "$REPORT_PATH"
|
|
EXIT_CODE=$?
|
|
fi
|
|
|
|
if [ $EXIT_CODE -ne 0 ]; then
|
|
echo ""
|
|
echo "⚠️ Potential secrets detected!"
|
|
echo "Report generated at: $REPORT_PATH"
|
|
echo ""
|
|
echo "Please review the findings and refer to the security playbook:"
|
|
echo "skills/git.secret-incident-response.v1.md"
|
|
exit $EXIT_CODE
|
|
else
|
|
echo "✅ No secrets detected."
|
|
# Clean up empty report
|
|
[ -f "$REPORT_PATH" ] && [ ! -s "$REPORT_PATH" ] && rm "$REPORT_PATH"
|
|
exit 0
|
|
fi
|