This PR hardens and modernizes our existing global Git hook model for secret scanning.#102

Merged
wz-gsa merged 16 commits into main from testrepo on Feb 13, 2026

Conversation

@wz-gsa (Contributor) commented Feb 12, 2026

Changes proposed in this pull request:

Summary

This PR hardens and modernizes our existing global Git hook model for secret scanning.

We were already using core.hooksPath, but this change:

  • moves hooks to a standard XDG location (~/.config/git/hooks)
  • makes install/verify deterministic and testable
  • reduces drift and silent misconfiguration
  • preserves compatibility with repo-local tooling (prek / pre-commit)

What changed (vs previous behavior)

  • New hook location (XDG):
    Hooks now live in ~/.config/git/hooks instead of the previous custom path.
    make install migrates and updates core.hooksPath automatically.

  • Single, explicit hook wrapper:
    One wrapper governs both pre-commit and pre-push behavior:

    • pre-commit: staged-only scan (fast)
    • pre-push: scan only commits being pushed (not full history)

  • Config safety:
    Installer writes/repairs the global gitleaks config and enforces extend defaults.

  • Functional verification:
    make verify / make audit prove secrets are blocked and clean commits pass.

  • prek / pre-commit compatible:
    Repo-local hooks still run after gitleaks, so teams can layer linters/formatters.

  • Safer lifecycle:
    Install saves any previous core.hooksPath; uninstall restores it.

How to switch

git pull
make install
make verify

That will:

  • move hooks to ~/.config/git/hooks
  • update core.hooksPath
  • ensure gitleaks is installed and configured correctly

If something looks off:

git config --global --get core.hooksPath
ls -la ~/.config/git/hooks
make verify

Security considerations

  • Strengthens secret-scanning enforcement by making the global-hook model deterministic and verifiable.
  • Global gitleaks config is enforced to extend defaults (no silent detector loss).
  • Per-repo allowlists (.gitleaks.repo.toml) are supported but should be reviewed carefully.
  • SKIP=gitleaks remains as a deliberate break-glass option.
  • Repos that override core.hooksPath locally can bypass global hooks; check_repos.sh detects this.
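
The PR does not include the wrapper itself, so the following is an added example (not the script merged here) of how one POSIX sh file can implement the behaviour listed above: a SKIP=gitleaks break-glass, a refusal to run when the global config does not extend the default rules, a pre-push scan limited to the commits actually being pushed (including the new-branch and branch-delete cases, which a naive `remote..local` range gets wrong), the false-positive hint on failure, and chaining to the repo-local prek / pre-commit hook afterwards. The config path, the gitleaks 8.19+ `gitleaks git --staged` / `--log-opts` flags, and the idea that `.gitleaks.repo.toml` extends the global config via `[extend] path` are assumptions, not something the PR states.

```shell
#!/bin/sh
# Example global hook wrapper (added here; not the script merged in this PR).
# Installed once as ~/.config/git/hooks/pre-commit and ~/.config/git/hooks/pre-push
# (two symlinks to this file); the hook name is taken from $0.
# Assumes gitleaks >= 8.19 ("gitleaks git" with --staged / --log-opts) and a
# global config at the path below (both are assumptions, not from the PR).
set -u

GITLEAKS_CONFIG="${GITLEAKS_CONFIG:-${HOME:-}/.config/gitleaks/gitleaks.toml}"
REPO_ALLOWLIST=".gitleaks.repo.toml"   # per-repo allowlist named in the PR text

# Break-glass: honour a pre-commit style SKIP list (SKIP=gitleaks, SKIP=ruff,gitleaks).
skip_requested() {
    case ",${SKIP:-}," in
        *,gitleaks,*) return 0 ;;
    esac
    return 1
}

# A global config without "[extend] useDefault = true" silently drops every
# built-in detector, so refuse to run until the installer has repaired it.
config_extends_defaults() {
    awk '
        /^[[:space:]]*\[/ { in_extend = ($0 ~ /^[[:space:]]*\[extend\]/) }
        in_extend && /^[[:space:]]*useDefault[[:space:]]*=[[:space:]]*true/ { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1" 2>/dev/null
}

# One pre-push stdin line is "local_ref local_sha remote_ref remote_sha".
# Emit git-log options covering only the commits being pushed; return 1 for a
# branch delete, where there is nothing to scan.
push_log_opts() {
    zero=0000000000000000000000000000000000000000
    if [ "$2" = "$zero" ]; then
        return 1
    elif [ "$4" = "$zero" ]; then
        echo "$2 --not --remotes"   # new branch: everything not yet on any remote
    else
        echo "$4..$2"               # existing branch: only the new commits
    fi
}

fail_with_hint() {
    cat >&2 <<EOF
gitleaks: possible secret detected; $1 blocked.
  false positive?  add an allowlist entry to $REPO_ALLOWLIST (and get it reviewed)
  break glass:     SKIP=gitleaks git $1 ...   (deliberate bypass, use sparingly)
EOF
    exit 1
}

# $1 = hook name; remaining args go to gitleaks (--staged or --log-opts=...).
run_gitleaks() {
    hook=$1; shift
    if skip_requested; then echo "gitleaks: skipped via SKIP=gitleaks" >&2; return 0; fi
    command -v gitleaks >/dev/null 2>&1 || { echo "gitleaks: not installed; run make install" >&2; exit 1; }
    config_extends_defaults "$GITLEAKS_CONFIG" || { echo "gitleaks: $GITLEAKS_CONFIG lacks [extend] useDefault = true; run make install" >&2; exit 1; }
    cfg=$GITLEAKS_CONFIG
    [ -f "$REPO_ALLOWLIST" ] && cfg=$REPO_ALLOWLIST   # assumed: repo file extends the global one via [extend] path
    gitleaks git --no-banner --redact --config "$cfg" "$@" || fail_with_hint "$hook"
}

# Chain to the repo-local hook (prek / pre-commit) after gitleaks passes.
# Use .git/hooks directly: "git rev-parse --git-path hooks" honours core.hooksPath
# and would point straight back at this wrapper.
run_repo_local_hook() {
    hook=$1; shift
    gitdir=$(git rev-parse --git-dir 2>/dev/null) || return 0
    [ -x "$gitdir/hooks/$hook" ] || return 0
    "$gitdir/hooks/$hook" "$@"
}

case "$(basename "$0")" in
    pre-commit)
        run_gitleaks pre-commit --staged
        run_repo_local_hook pre-commit "$@" </dev/null
        ;;
    pre-push)
        input=$(cat)   # keep stdin so the chained hook sees the same ref lines
        printf '%s\n' "$input" | while read -r lref lsha rref rsha; do
            [ -n "$lref" ] || continue
            opts=$(push_log_opts "$lref" "$lsha" "$rref" "$rsha") || continue
            run_gitleaks pre-push --log-opts="$opts"
        done || exit 1
        printf '%s\n' "$input" | run_repo_local_hook pre-push "$@"
        ;;
esac
```

The `while read` loop runs in a subshell, so the `|| exit 1` after `done` is what turns a blocked push inside the loop into a failed hook; without it the pipeline's status would be silently dropped.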

@wz-gsa wz-gsa requested review from a team as code owners February 12, 2026 22:09
@wz-gsa wz-gsa changed the title from "Testrepo" to "This PR hardens and modernizes our existing global Git hook model for secret scanning." Feb 12, 2026
@pburkholder (Contributor) left a comment

On gitleaks failure, no longer echoes the hints on how to handle false positives.

@wz-gsa (Contributor, Author) commented Feb 13, 2026

Gitleaks fail should now include the skip hint for false positives.

@wz-gsa wz-gsa self-assigned this Feb 13, 2026
@wz-gsa wz-gsa merged commit b456b22 into main Feb 13, 2026
3 checks passed
@wz-gsa wz-gsa deleted the testrepo branch February 13, 2026 21:04