From ad6bd365107a71a6df9a4d25e5c9ee34ae32e03f Mon Sep 17 00:00:00 2001
From: ns408
Date: Sun, 14 Jun 2026 02:14:29 +1000
Subject: [PATCH] fix(hooks): surface gitleaks finding and clear block message

The global pre-commit hook scanned with no -v and aborted via a bare exit 1, so a blocked commit showed only 'leaks found: N' with no rule/file/line or remedy. Add -v to print the finding and an explicit COMMIT BLOCKED message with fix/override guidance, and --log-level error so clean commits stay silent.
---
 dotfiles/git/hooks/pre-commit | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/dotfiles/git/hooks/pre-commit b/dotfiles/git/hooks/pre-commit
index d1c3892..0ed8c79 100755
--- a/dotfiles/git/hooks/pre-commit
+++ b/dotfiles/git/hooks/pre-commit
@@ -2,13 +2,21 @@
 # Global pre-commit hook: scan staged changes for secrets, then delegate to the
 # repo's own pre-commit framework if it defines one.
 #
-# Installed by ns-bootstrap — applies to all repositories.
+# Installed by ns-bootstrap; applies to all repositories.
 # To bypass for a specific commit: git commit --no-verify
 
 # 1. Secret scan. Warn (do not block) if gitleaks is absent so commits still
 # work on machines without it; the pre-push hook is the fail-closed backstop.
 if command -v gitleaks >/dev/null 2>&1; then
- gitleaks protect --staged --no-banner --redact || exit 1
+ if ! gitleaks protect --staged --no-banner --redact --log-level error -v; then
+ {
+ echo
+ echo "COMMIT BLOCKED: a secret was detected in your staged changes (finding above)."
+ echo " Fix: git restore --staged (or move the value into .env, which is gitignored)"
+ echo " Override: git commit --no-verify (discouraged; the pre-push hook and CI still scan)"
+ } >&2
+ exit 1
+ fi
 else
 echo "WARNING: gitleaks not found; staged changes were NOT scanned for secrets." >&2
 echo " install it with: brew install gitleaks" >&2
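Review bot: Any non-zero exit from gitleaks, not only a leak, takes the `if !` branch, so a scan that fails for another reason (unreadable config, an unknown flag on an older build, not inside a work tree) is reported to the user as "a secret was detected" with no finding printed above it. Run the scan with `--exit-code 2` (gitleaks' flag for the leaks-found status) and branch on the captured status, reporting any other non-zero status as a scan failure; treating that failure like the gitleaks-absent case below (warn, do not block) matches the comment above the `if`, while `exit 1` would fail closed here. The remedy line `echo " Fix: git restore --staged (or move the value into .env, which is gitignored)"` is incomplete, since `git restore --staged` needs a pathspec; make it `git restore --staged <file>`. The outer `if command -v gitleaks` block closes outside the hunk.
```shell
if command -v gitleaks >/dev/null 2>&1; then
  rc=0
  gitleaks protect --staged --no-banner --redact --log-level error -v --exit-code 2 || rc=$?
  if [ "$rc" -eq 2 ]; then
    # … unchanged: COMMIT BLOCKED message block and exit 1 …
  elif [ "$rc" -ne 0 ]; then
    echo "WARNING: gitleaks exited with status $rc; staged changes were NOT scanned for secrets." >&2
  fi
else
```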