GitGuardian pre-commit hook (#1319)

* Basic GitGuardian pre-commit hook * Run ggshield when available, otherwise fail for inaturalist.org git identities * Removed unused pre-commit framework file; added GitGuardian config file * Updated README
2025-12-23 22:18:36 -05:00 · 2024-03-27 16:57:20 -07:00
parent 4b61a30946
commit 8fb171f5c7
5 changed files with 30 additions and 8 deletions
--- a/.gitguardian.yml
+++ b/.gitguardian.yml
@@ -0,0 +1,8 @@
+version: 2
+secret:
+  # Exclude files and paths by globbing
+  ignored-paths:
+    - '**/README.md'
+    - 'node_modules/*'
+    - 'package-lock.json'
+    - '**/package-lock.json'
--- a/.gitignore
+++ b/.gitignore
@@ -87,4 +87,7 @@ artifacts/
 **/ios/*.json

 # Reassure performance testing #
-.reassure
+.reassure
+
+# GitGuardian cache file
+.cache_ggshield
--- a/.husky/pre-commit
+++ b/.husky/pre-commit
@@ -1,6 +1,21 @@
 #!/bin/sh
 . "$(dirname "$0")/_/husky.sh"

+# If ggshield is installed, run it
+if command -v ggshield &> /dev/null; then
+  ggshield secret scan pre-commit
+# Otherwise require that inaturalist.org git users install it
+elif git config --list | grep -q "user.email.*inaturalist.org"; then
+  echo
+  echo "Git users w/ inaturalist.org emails must install ggshield: https://docs.gitguardian.com/ggshield-docs/getting-started"
+  echo
+  exit 1
+else
+  echo
+  echo "If you are iNat staff, you should install ggshield: https://docs.gitguardian.com/ggshield-docs/getting-started"
+  echo
+fi
+
 # Run lint and flow
 npm run lint

--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,7 +0,0 @@
-repos:
-  - repo: https://github.com/gitguardian/ggshield
-    rev: v1.10.7
-    hooks:
-      - id: ggshield
-        language_version: python3
-        stages: [commit]
--- a/README.md
+++ b/README.md
@@ -27,6 +27,9 @@ See [CONTRIBUTING](CONTRIBUTING.md) for guidelines on contributing to this proje
 ### Set up pre-commit hooks

 1. We're using [Husky](https://typicode.github.io/husky/#/) to automatically run `eslint` before each commit. Run `npm run postinstall` to install Husky locally.
+1. (Staff only) Set up GitGuardian to prevent yourself from committing secrets
+    1. [Install `ggshield`](https://docs.gitguardian.com/ggshield-docs/getting-started)
+    1. Get a GitGuardian API token from another staff developer and put it in the `GITGUARDIAN_API_KEY` env variable.

 ### Run build