19 changes: 19 additions & 0 deletions .pre-commit-config.yaml
Expand Up @@ -180,3 +180,22 @@ repos:
entry: bash -c 'echo "❌ Decrypted JSON files (.plain.json) must not be committed." && exit 1'
language: system
files: \.plain\.json$

# ============================================================================
# Secret Detection - TruffleHog
# ============================================================================
# Advanced secret detection beyond detect-private-key.
# Detects API keys, tokens, credentials, and other secrets.
- repo: local
hooks:
- id: trufflehog
name: TruffleHog Secret Scanner
description: Detect secrets in your data before committing
# Scan staged files only. The git-history mode (--since-commit HEAD) also
# traverses fetched remote branches in the local object store, producing
# false positives from unmerged branches. Staged-file scanning is the
# correct scope for a pre-commit hook; git history scanning belongs in CI.
entry: bash -c 'command -v trufflehog >/dev/null 2>&1 && (git diff --cached -z --diff-filter=d --name-only 2>/dev/null | xargs -0 -r trufflehog filesystem --fail --no-update --results=verified,unknown) || echo "TruffleHog not installed - skipping secret scan"'
⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Preserve TruffleHog’s failing exit code

On Line 198, `command -v ... && (scan) || echo ...` masks scan failures: if secrets are found (`--fail`), the echo branch runs and exits 0, so the commit can still pass.

Suggested fix
-        entry: bash -c 'command -v trufflehog >/dev/null 2>&1 && (git diff --cached -z --diff-filter=d --name-only 2>/dev/null | xargs -0 -r trufflehog filesystem --fail --no-update --results=verified,unknown) || echo "TruffleHog not installed - skipping secret scan"'
+        entry: bash -c 'if ! command -v trufflehog >/dev/null 2>&1; then echo "TruffleHog not installed - skipping secret scan"; exit 0; fi; git diff --cached -z --diff-filter=d --name-only 2>/dev/null | xargs -0 -r trufflehog filesystem --fail --no-update --results=verified,unknown'
🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.

In @.pre-commit-config.yaml at line 198, the current pre-commit 'entry' wraps the trufflehog scan with `&& (...) || echo ...`, which masks trufflehog's non-zero exit codes; update the shell logic so that when trufflehog is installed it runs and the hook exits with trufflehog's exit status, while when trufflehog is not installed it prints the informational message and exits 0. Replace the existing single-line conditional with a construct that checks `command -v trufflehog` and if present executes `trufflehog filesystem --fail --no-update --results=verified,unknown` and then `exit` with that command's exit code (e.g., capture `$?` and `exit $RC`), otherwise print the "TruffleHog not installed - skipping secret scan" message and exit 0; update the 'entry' value accordingly so failures are preserved.
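To make the exit-status behaviour described in the comment above concrete, here is an added example (not code from the PR or from TruffleHog): a stub scanner stands in for `trufflehog filesystem --fail` and exits 183, the code the real tool uses when it finds results, and the original and corrected hook shapes are run against it. The names `fake_trufflehog`, `original_hook`, `fixed_hook` and `exit_status_of` are hypothetical, and the "yes"/"no" argument is a constructed stand-in for the `command -v trufflehog` check.

```bash
#!/usr/bin/env bash
# Added example (not part of the PR): shows how `A && (B) || echo ...` masks a
# failing scanner. All function names here are hypothetical.

# Stub standing in for `trufflehog filesystem --fail ...` when a secret is
# found: the real tool exits 183 in that case; any non-zero code behaves alike.
fake_trufflehog() {
    echo "Found verified result (constructed sample finding)" >&2
    return 183
}

# Original hook shape: if the tool is present, run the scan; `|| echo` then
# fires for ANY non-zero status from the scan, not only when the tool is missing.
# $1 is "yes" or "no" (constructed stand-in for `command -v trufflehog`).
original_hook() {
    [ "$1" = yes ] && (fake_trufflehog) || echo "TruffleHog not installed - skipping secret scan"
}

# Corrected shape: decide the "not installed" case in its own `if`, succeed
# only there, and otherwise let the scanner's own status be the hook's status.
fixed_hook() {
    if [ "$1" != yes ]; then
        echo "TruffleHog not installed - skipping secret scan"
        return 0
    fi
    fake_trufflehog
}

# Run a hook function with the given argument and print the exit status it produced.
exit_status_of() {
    rc=0
    "$@" >/dev/null 2>&1 || rc=$?
    echo "$rc"
}

# Stand-alone run: the original form reports 0 even though a secret was found.
echo "original, tool present: $(exit_status_of original_hook yes)"   # 0 (masked)
echo "fixed, tool present:    $(exit_status_of fixed_hook yes)"      # 183
echo "fixed, tool missing:    $(exit_status_of fixed_hook no)"       # 0
```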

language: system
pass_filenames: false
stages: [pre-commit]
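Review bot: the `entry` of the trufflehog hook masks a failing scan. In `command -v trufflehog >/dev/null 2>&1 && ( ... | xargs -0 -r trufflehog filesystem --fail ... ) || echo "TruffleHog not installed - skipping secret scan"`, the `|| echo` branch runs whenever the scan pipeline exits non-zero, which is exactly what `--fail` does when a secret is found, so a real finding prints a misleading "not installed" message and the hook exits 0. Put the binary check in its own `if`, `exit 0` only there, and otherwise let the pipeline's status be the hook's: `if ! command -v trufflehog >/dev/null 2>&1; then echo "TruffleHog not installed - skipping secret scan"; exit 0; fi; git diff --cached -z --diff-filter=d --name-only | xargs -0 -r trufflehog filesystem --fail --no-update --results=verified,unknown`. A smaller point: with `pass_filenames: false` the hook recomputes the staged file list itself; pre-commit can pass the staged paths to the entry directly (`pass_filenames: true`), which would remove the `git diff | xargs` pipeline and the `--diff-filter=d` handling. Since the comment block documents that a missing binary skips the scan silently, that best-effort behaviour is worth stating in the hook's `description` as well.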