diff --git a/CHANGELOG.md b/CHANGELOG.md index b43faf6..15ebdab 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,7 @@ All notable changes to this project will be documented in this file. ## [1.30.0] - Fixed validation caching for HTTP validators to include rendered headers so inactive secrets no longer appear active. +- Removed pre-commit installation hook, due to bugs ## [1.29.0] - Fixed issue when more than 1 named capture group is used in a rule variable diff --git a/README.md b/README.md index a7c668d..a837351 100644 --- a/README.md +++ b/README.md @@ -412,26 +412,6 @@ _If no token is provided Kingfisher still works for public repositories._ | 200 | Findings discovered | | 205 | Validated findings discovered | - -## Install a Pre-Commit Hook - -Run the provided helper script to add a hook that scans staged files before each commit: - -```bash -# local (current repo only ─ default) -./install-precommit-hook.sh -``` - -This creates `.git/hooks/pre-commit` that scans the files staged for commit with `kingfisher scan --no-update-check` and blocks the commit if any secrets are found. - -```bash -# global (every repo on this machine) -./install-precommit-hook.sh --global -### Install a Pre-Receive Hook -``` - -Installs a global pre-commit hook at `$HOME/.git/hooks/pre-commit`; for every Git repository you use, it runs `kingfisher scan --no-update-check` on the staged files and cancels the commit if any secrets are detected. - ## Update Checks Kingfisher automatically queries GitHub for a newer release when it starts and tells you whether an update is available. diff --git a/install-precommit-hook.sh b/install-precommit-hook.sh deleted file mode 100755 index 923fb94..0000000 --- a/install-precommit-hook.sh +++ /dev/null 
@@ -1,78 +0,0 @@
-#!/usr/bin/env bash
-#
-# Install a Git pre‑commit hook that runs `kingfisher scan`.
-#
-# --global → install once for all repos via core.hooksPath
-# --force → overwrite an existing pre‑commit hook
-#
-set -euo pipefail
-
-MODE="local"
-FORCE=0
-
-while [[ $# -gt 0 ]]; do
- case "$1" in
- -g|--global) MODE="global" ;;
- -f|--force) FORCE=1 ;;
- -h|--help)
- echo "Usage: $0 [--global] [--force]" && exit 0
- ;;
- *) echo "Unknown flag: $1" >&2; exit 1 ;;
- esac
- shift
-done
-
-if [[ "$MODE" == "local" ]]; then
- # ensure we're inside a Git repo
- REPO_ROOT=$(git rev-parse --show-toplevel 2>/dev/null) \
- || { echo "Not inside a Git repository" >&2; exit 1; }
-
- HOOK_DIR="$(git rev-parse --git-dir)/hooks"
-else
- # global: honour existing core.hooksPath or default to ~/.git-hooks
- HOOK_DIR=$(git config --global --get core.hooksPath || echo "$HOME/.git-hooks")
- mkdir -p "$HOOK_DIR"
-
- # if the user hasn’t set core.hooksPath, do it now
- if ! git config --global --get core.hooksPath >/dev/null; then
- git config --global core.hooksPath "$HOOK_DIR"
- echo "Set git config --global core.hooksPath to $HOOK_DIR"
- fi
-fi
-
-HOOK_PATH="$HOOK_DIR/pre-commit"
-
-if [[ -e "$HOOK_PATH" && $FORCE -eq 0 ]]; then
- echo "Error: $HOOK_PATH already exists. Use --force to overwrite." >&2
- exit 1
-fi
-
-cat >"$HOOK_PATH" <<'HOOK'
-#!/usr/bin/env bash
-# Git pre‑commit hook to run Kingfisher on staged changes
-set -euo pipefail
-
-if ! command -v kingfisher >/dev/null 2>&1; then
- echo "kingfisher not found in PATH" >&2
- exit 1
-fi
-
-git diff --cached --name-only -z | \
- xargs -0 --no-run-if-empty kingfisher scan --only-valid --no-update-check
-status=$?
-
-# ────────────────────────────────────────────────────────────────
-# Treat Kingfisher exit‑code 200 as success (map → 0)
-# ────────────────────────────────────────────────────────────────
-if [[ $status -eq 200 ]]; then
- status=0
-fi
-
-if [[ $status -ne 0 ]]; then
- echo "Kingfisher detected secrets in staged files. Commit aborted." >&2
- exit $status
-fi
-HOOK
-
-chmod +x "$HOOK_PATH"
-echo "Pre‑commit hook installed to $HOOK_PATH ($MODE mode)"