Add secrets extra-config seam and commit-message scanning#15
Merged
Conversation
Summary Extends the `secrets` phase so an environment extension can contribute additional gitleaks rulesets, and so commit messages are scanned — not just staged file content. This lets an overlay enforce, e.g., that work-specific vocabulary never lands in a public repo, using the same gitleaks engine and the existing commit gate. - add the `_sley_hook_secrets_extra_configs` extension hook (default none). The secrets scan runs one independent gitleaks pass per returned config over the same staged + worktree inputs, MAX-preserving the exit code so a later leak (rc 1) can never mask a scanner error (rc >= 2). - add `sley secrets --message-file <path>`, which scans a commit message through the base config plus the extra configs. Only the `commit -v` scissors region is removed; `#` comment lines are deliberately kept, because Git's non-interactive cleanup (`-m`/`-F`, and the message a `commit-msg` hook receives) is `whitespace` and commits them verbatim — stripping them would be a fail-open. - findings are run with `--verbose` so a redacted match still names its RuleID, which matters for vocabulary rules. Base sley ships no extra configs, so behavior is unchanged unless an extension opts in. Testing - test/sley-test: 498 (behavior) passed, 0 failed; full suite exit 0 - shellcheck clean on lib/sley/sley.sh, lib/sley/hooks.sh, and the suite - new cases cover: extra-config blocks (staged + worktree + message), no-extension no-op, base-config message finding, scanner-error rc>=2 dominating a later leak in the message path, message comment retained (no fail-open) while the scissors region is cut, and usage errors
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Extends the
secretsphase so an environment extension can contributeadditional gitleaks rulesets, and so commit messages are scanned — not
just staged file content. This lets an overlay enforce, e.g., that
work-specific vocabulary never lands in a public repo, using the same
gitleaks engine and the existing commit gate.
_sley_hook_secrets_extra_configsextension hook (defaultnone). The secrets scan runs one independent gitleaks pass per returned
config over the same staged + worktree inputs, MAX-preserving the exit
code so a later leak (rc 1) can never mask a scanner error (rc >= 2).
sley secrets --message-file <path>, which scans a commit messagethrough the base config plus the extra configs. Only the
commit -vscissors region is removed;
#comment lines are deliberately kept,because Git's non-interactive cleanup (
-m/-F, and the message acommit-msghook receives) iswhitespaceand commits them verbatim —stripping them would be a fail-open.
--verboseso a redacted match still names itsRuleID, which matters for vocabulary rules.
Base sley ships no extra configs, so behavior is unchanged unless an
extension opts in.
Testing
no-extension no-op, base-config message finding, scanner-error rc>=2
dominating a later leak in the message path, message comment retained
(no fail-open) while the scissors region is cut, and usage errors