secure-repo

Secure Repository - Secret Scanning Hooks

Installs git pre-commit hooks that scan for secrets before each commit.

MANDATORY: Version Check (Run on Skill Load)

CRITICAL: You MUST run this bash block when the skill is first loaded, before doing anything else.

# Check for skill updates
PLUGIN_JSON=$(ls -t ~/.claude/plugins/cache/alliance-plugins/git-safety/*/.claude-plugin/plugin.json 2>/dev/null | head -1)
INSTALLED_VERSION=$(grep -o '"version": "[^"]*"' "$PLUGIN_JSON" 2>/dev/null | cut -d'"' -f4)
LATEST_VERSION=$(curl -sf --max-time 3 https://raw.githubusercontent.com/alliance-genome/agr_claude_code/main/plugins/git-safety/.claude-plugin/plugin.json 2>/dev/null | grep -o '"version": "[^"]*"' | cut -d'"' -f4)
if [ -z "$LATEST_VERSION" ]; then
  echo "Skill version: ${INSTALLED_VERSION} (could not check for updates)"
elif [ "$INSTALLED_VERSION" != "$LATEST_VERSION" ]; then
  echo "*** UPDATE AVAILABLE *** Installed v${INSTALLED_VERSION}, latest v${LATEST_VERSION}"
  echo "Run: /plugin marketplace update alliance-plugins"
else
  echo "Skill version: ${INSTALLED_VERSION} (up to date)"
fi

Step 1: Check/Install Tools

First, check if the required tools are installed:

"${CLAUDE_PLUGIN_ROOT}/scripts/setup.sh"

If tools are missing, the script will show installation instructions.

Quick Install (macOS with Homebrew)

brew install gitleaks trufflehog

Quick Install (Linux)

Gitleaks:

GITLEAKS_VERSION=$(curl -s https://api.github.com/repos/gitleaks/gitleaks/releases/latest | grep tag_name | cut -d'"' -f4)
curl -sSL "https://github.com/gitleaks/gitleaks/releases/download/${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION#v}_linux_x64.tar.gz" | sudo tar -xz -C /usr/local/bin gitleaks

TruffleHog:

TRUFFLEHOG_VERSION=$(curl -s https://api.github.com/repos/trufflesecurity/trufflehog/releases/latest | grep tag_name | cut -d'"' -f4)
curl -sSL "https://github.com/trufflesecurity/trufflehog/releases/download/${TRUFFLEHOG_VERSION}/trufflehog_${TRUFFLEHOG_VERSION#v}_linux_amd64.tar.gz" | sudo tar -xz -C /usr/local/bin trufflehog

After installing, verify with:

gitleaks version && trufflehog --version

---

Step 2: Install Git Hooks

Once tools are installed, add the pre-commit hook to your repository.

To Current Repository

# Verify you're in a git repo
git rev-parse --show-toplevel

# Copy the pre-commit hook
cp "${CLAUDE_PLUGIN_ROOT}/scripts/pre-commit" .git/hooks/pre-commit
chmod +x .git/hooks/pre-commit

# Verify installation
echo "Hook installed:" && ls -la .git/hooks/pre-commit

To a Specific Repository

# Replace REPO_PATH with the target directory
REPO_PATH="path/to/repo"
cp "${CLAUDE_PLUGIN_ROOT}/scripts/pre-commit" "${REPO_PATH}/.git/hooks/pre-commit"
chmod +x "${REPO_PATH}/.git/hooks/pre-commit"

---

What the Hook Does

On every git commit, the pre-commit hook:

1. Gitleaks scan - Detects API keys, passwords, tokens, private keys
2. TruffleHog scan - Detects AWS keys, Slack webhooks, other secrets

If either tool finds potential secrets, the commit is blocked.

---

Test the Hook

To verify the hook works, create a test file with a fake secret pattern:

# Generate a fake AWS-style key for testing (don't use real keys!)
echo 'AWS_KEY="AKIA'$(openssl rand -hex 8 | tr '[:lower:]' '[:upper:]')'"' > test-secret.txt
git add test-secret.txt
git commit -m "test"  # Should be blocked!

# Clean up
git reset HEAD test-secret.txt
rm test-secret.txt

---

If a Commit is Blocked

1. Review the findings - Check if it's a real secret or false positive
2. Remove the secret - If real, remove it from the staged files
3. For false positives - Add pattern to .gitleaksignore

Bypass (Use With Extreme Caution)

Only after confirming a detection is a false positive:

git commit --no-verify