git_sentinel/git_sentinel.py at main · Shrey42-dot/git_sentinel · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
import subprocess
import sys
import re
import os

# ==========================
# Secret Detection Patterns
# ==========================
SECRET_PATTERNS = {
    "AWS Access Key": re.compile(r"AKIA[0-9A-Z]{16}"),
    "Stripe Live Key": re.compile(r"sk_live_[0-9a-zA-Z]{24}"),
    "Generic Secret Assignment": re.compile(
        r"(?i)(api_key|secret|token|password)\s*=\s*['\"][^'\"]+['\"]"
    ),
}

# ==========================
# Bypass Configuration
# ==========================
BYPASS_ENV = "GIT_SENTINEL_BYPASS"
BYPASS_CODE = "I_UNDERSTAND_THE_RISK"

# ==========================
# Helpers
# ==========================
def get_staged_diff():
    result = subprocess.run(
        ["git", "diff", "--cached"],
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
        text=True
    )
    return result.stdout


def scan_for_secrets(diff_text):
    findings = []

    for line_number, line in enumerate(diff_text.splitlines(), start=1):
        # Ignore diff metadata
        if line.startswith(("+++", "---", "@@")):
            continue

        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append({
                    "type": name,
                    "line_number": line_number,
                    "content": line.strip()
                })

    return findings


# ==========================
# Main
# ==========================
def main():
    diff = get_staged_diff()

    # No staged changes → allow commit
    if not diff.strip():
        sys.exit(0)

    findings = scan_for_secrets(diff)

    if findings:
        print("\n\033[91m🚨 Git-Sentinel Security Blocker 🚨\033[0m")
        print("Potential secrets detected in staged changes:\n")

        for f in findings:
            print(f" - [{f['type']}] Line {f['line_number']}: {f['content']}")

        # Check bypass via environment variable
        bypass_value = os.environ.get(BYPASS_ENV, "")

        if bypass_value == BYPASS_CODE:
            print("\nBypass accepted via environment variable.")
            print("Proceeding with commit.\n")
            sys.exit(0)

        print("\nCommit aborted.")
        print("To bypass intentionally, run:\n")
        print(f"  {BYPASS_ENV}={BYPASS_CODE} git commit -m \"your message\"\n")
        sys.exit(1)

    # No secrets detected → allow commit
    sys.exit(0)


if __name__ == "__main__":
    main()