Skip to content
GitLab
Explore
Sign in
Primary navigation
Search or go to…
Project
A
ansible_lza_bootstrap_rhel_server
Manage
Activity
Members
Labels
Plan
Issues
Issue boards
Milestones
Wiki
Code
Merge requests
Repository
Branches
Commits
Tags
Repository graph
Compare revisions
Snippets
Build
Pipelines
Jobs
Pipeline schedules
Artifacts
Deploy
Releases
Package registry
Container registry
Model registry
Operate
Environments
Terraform modules
Monitor
Incidents
Analyze
Value stream analytics
Contributor analytics
CI/CD analytics
Repository analytics
Model experiments
Help
Help
Support
GitLab documentation
Compare GitLab plans
Community forum
Contribute to GitLab
Provide feedback
Keyboard shortcuts
?
Snippets
Groups
Projects
Show more breadcrumbs
Digital Preservation
ansible_lza_bootstrap_rhel_server
Commits
f7d57688
Commit
f7d57688
authored
4 years ago
by
Jörg Sachse
Browse files
Options
Downloads
Patches
Plain Diff
chore: add pre-commit-hooks to prevent checking in any confidential information
parent
2217d9a3
No related branches found
No related tags found
No related merge requests found
Changes
1
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
.githooks/pre-commit
+127
-0
127 additions, 0 deletions
.githooks/pre-commit
with
127 additions
and
0 deletions
.githooks/pre-commit
0 → 100755
+
127
−
0
View file @
f7d57688
#!/bin/bash
#
# An example hook script to verify what is about to be committed.
# Called by "git commit" with no arguments. The hook should
# exit with non-zero status after issuing an appropriate message if
# it wants to stop the commit.
#
# To enable this hook, rename this file to "pre-commit".
if
git rev-parse
--verify
HEAD
>
/dev/null 2>&1
then
against
=
HEAD
else
# Initial commit: diff against an empty tree object
against
=
$(
git hash-object
-t
tree /dev/null
)
fi
# If you want to allow non-ASCII filenames set this variable to true.
allownonascii
=
$(
git config
--bool
hooks.allownonascii
)
# Redirect output to stderr.
exec
1>&2
# Cross platform projects tend to avoid non-ASCII filenames; prevent
# them from being added to the repository. We exploit the fact that the
# printable range starts at the space character and ends with tilde.
if
[
"
$allownonascii
"
!=
"true"
]
&&
# Note that the use of brackets around a tr range is ok here, (it's
# even required, for portability to Solaris 10's /usr/bin/tr), since
# the square bracket bytes happen to fall in the designated range.
test
$(
git diff
--cached
--name-only
--diff-filter
=
A
-z
$against
|
LC_ALL
=
C
tr
-d
'[ -~]\0'
|
wc
-c
)
!=
0
then
cat
<<
\
EOF
Error: Attempt to add a non-ASCII file name.
This can cause problems if you want to work with people on other platforms.
To be portable it is advisable to rename the file.
If you know what you are doing you can disable this check using:
git config hooks.allownonascii true
EOF
exit
1
fi
# If there are whitespace errors, print the offending file names and fail.
# exec git diff-index --check --cached $against --
################################################################################
## Everything below this is customized, everything above is from the example. ##
################################################################################
### PREPARE
# Expand aliases and make alias command work in the bash script.
shopt
-s
expand_aliases
REPOPATH
=
"
$(
git rev-parse
--show-toplevel
)
"
GREP_CMD
=
'grep -Rn --color'
GREP_EXCLUDES
=
"--exclude-dir=
\.
git --exclude-dir=
\.
githooks --exclude=*
\.
example"
### YAMLLINT stage
STAGED_FILES
=
$(
git diff
--cached
--name-only
--diff-filter
=
ACM
)
YAML_FILES
=
$(
git diff
--cached
--name-only
--diff-filter
=
ACM |
grep
".yml$"
)
if
[[
${
YAML_FILES
}
!=
""
]]
;
then
for
file
in
${
YAML_FILES
}
;
do
yamllint
"
${
file
}
"
if
[[
${
?
}
-ne
0
]]
;
then
exit
1
fi
done
fi
&&
echo
"SUCCESS: Yamllint stage."
### VAULT detection stage
VAULT_FILES
=
$(
git diff
--cached
--name-only
--diff-filter
=
ACM |
grep
".vault$"
)
if
[[
${
VAULT_FILES
}
!=
""
]]
;
then
echo
"ERROR: Vaultfiles found:"
for
file
in
${
VAULT_FILES
}
;
do
echo
"-
${
file
}
"
done
exit
1
fi
# https://docs.ansible.com/ansible/latest/user_guide/vault.html#vault-format
if
[[
${
STAGED_FILES
}
!=
""
]]
;
then
for
file
in
${
STAGED_FILES
}
;
do
grep
-e
"
\$
ANSIBLE_VAULT;[[:digit:]]
\.
[[:digit:]];AES256"
"
${
file
}
"
[[
${
?
}
-eq
0
]]
&&
echo
"ERROR: Ansible-Vault in String found in file '
${
file
}
'."
&&
exit
1
done
fi
echo
"SUCCESS: Vault detection stage."
### URL detection stage
${
GREP_CMD
}
${
GREP_EXCLUDES
}
-e
"http[s]*.*git.*SLUB"
-e
"http[s]*.*git.*slub"
-e
"git@"
"
${
REPOPATH
}
"
if
[[
${
?
}
-eq
0
]]
;
then
echo
"ERROR: found internal URLs."
exit
1
;
fi
echo
"SUCCESS: URL detection stage."
### IP address detection stage
# This is pretty basic regex matching, but it's a start.
IP_REGEX
=
'[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'
${
GREP_CMD
}
${
GREP_EXCLUDES
}
-e
"
${
IP_REGEX
}
"
"
${
REPOPATH
}
"
|
grep
-v
"127.0.0"
if
[[
${
?
}
-eq
0
]]
;
then
echo
"ERROR: found IP address."
exit
1
;
fi
echo
"SUCCESS: IP address detection stage."
### SSH-Key detection stage
${
GREP_CMD
}
${
GREP_EXCLUDES
}
-e
"ssh-[dr]sa "
"
${
REPOPATH
}
"
if
[[
${
?
}
-eq
0
]]
;
then
echo
"ERROR: found SSH key."
exit
1
;
fi
echo
"SUCCESS: SSH Key detection stage."
### DONE
# Return explicit 0.
exit
0
;
This diff is collapsed.
Click to expand it.
Preview
0%
Loading
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Save comment
Cancel
Please
register
or
sign in
to comment
