diff --git a/.husky/pre-commit b/.husky/pre-commit
index 9c7ed53..4f1fbbc 100755
--- a/.husky/pre-commit
+++ b/.husky/pre-commit
@@ -1,4 +1,69 @@
 #!/usr/bin/env sh
-. "$(dirname -- "$0")/_/husky.sh"
+# Pre-commit hook to run Snyk and Talisman scans, completing both before deciding to commit
-npm run test
\ No newline at end of file
+# Function to check if a command exists
+command_exists() {
+ command -v "$1" >/dev/null 2>&1
+}
+
+# Check if Snyk is installed
+if ! command_exists snyk; then
+ echo "Error: Snyk is not installed. Please install it and try again."
+ exit 1
+fi
+
+# Check if Talisman is installed
+if ! command_exists talisman; then
+ echo "Error: Talisman is not installed. Please install it and try again."
+ exit 1
+fi
+
+# Allow bypassing the hook with an environment variable
+if [ "$SKIP_HOOK" = "1" ]; then
+ echo "Skipping Snyk and Talisman scans (SKIP_HOOK=1)."
+ exit 0
+fi
+
+# Initialize variables to track scan results
+snyk_failed=false
+talisman_failed=false
+
+# Run Snyk vulnerability scan
+echo "Running Snyk vulnerability scan..."
+snyk test --all-projects > snyk_output.log 2>&1
+snyk_exit_code=$?
+
+if [ $snyk_exit_code -eq 0 ]; then
+ echo "Snyk scan passed: No vulnerabilities found."
+elif [ $snyk_exit_code -eq 1 ]; then
+ echo "Snyk found vulnerabilities. See snyk_output.log for details."
+ snyk_failed=true
+else
+ echo "Snyk scan failed with error (exit code $snyk_exit_code). See snyk_output.log for details."
+ snyk_failed=true
+fi
+
+# Run Talisman secret scan (continues even if Snyk failed)
+echo "Running Talisman secret scan..."
+talisman --githook pre-commit > talisman_output.log 2>&1
+talisman_exit_code=$?
+
+if [ $talisman_exit_code -eq 0 ]; then
+ echo "Talisman scan passed: No secrets found."
+else
+ echo "Talisman scan failed (exit code $talisman_exit_code). See talisman_output.log for details."
+ talisman_failed=true
+fi
+
+# Evaluate results after both scans
+if [ "$snyk_failed" = true ] || [ "$talisman_failed" = true ]; then
+ echo "Commit aborted due to issues found in one or both scans."
+ [ "$snyk_failed" = true ] && echo "- Snyk issues: Check snyk_output.log"
+ [ "$talisman_failed" = true ] && echo "- Talisman issues: Check talisman_output.log"
+ exit 1
+fi
+
+# If both scans pass, allow the commit
+echo "All scans passed. Proceeding with commit.cd ."
+rm -f snyk_output.log talisman_output.log
+exit 0
\ No newline at end of file
diff --git a/.talismanrc b/.talismanrc
index dbc73fd..7ec1cb4 100644
--- a/.talismanrc
+++ b/.talismanrc
@@ -1,3 +1,6 @@
 fileignoreconfig:
-- filename: package-lock.json
- checksum: 9746d3b1ac67da5dc0f3ec6f8798166bc8b9c1e4c736de01f7c52b2f9cc194be
+ - filename: package-lock.json
+ checksum: 9746d3b1ac67da5dc0f3ec6f8798166bc8b9c1e4c736de01f7c52b2f9cc194be
+ - filename: .husky/pre-commit
+ checksum: 5baabd7d2c391648163f9371f0e5e9484f8fb90fa2284cfc378732ec3192c193
+version: ""
\ No newline at end of file
diff --git a/package.json b/package.json
index bf517a0..0e4deb5 100644
--- a/package.json
+++ b/package.json
@@ -26,10 +26,11 @@
 "prebuild": "rimraf dist",
 "build": "tsc && rollup -c",
 "format": "prettier --write \"src/**/*.ts\"",
- "prepare": "husky install && npm run build",
+ "prepare": "npm run build",
 "prepublishOnly": "npm test",
 "version": "npm run format && git add -A src",
- "postversion": "git push && git push --tags"
+ "postversion": "git push && git push --tags",
+ "husky-check": "npm run build && husky install && chmod +x .husky/pre-commit"
 },
 "author": "Contentstack",
 "license": "MIT",
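Review bot: The success message near the end of the hook, `echo "All scans passed. Proceeding with commit.cd ."`, has a stray `cd .` pasted inside the string literal, so it is printed to the developer rather than executed; it should read `echo "All scans passed. Proceeding with commit."`. On the failure path the hook exits 1 but leaves `snyk_output.log` and `talisman_output.log` in the working tree (they are only removed on success), so unless .gitignore covers them (not shown here) a later `git add -A` can stage scan output; printing the failing log to stderr before `exit 1` and removing both files on every exit path, or writing them outside the working tree, would avoid that. The `else` branch of the Snyk check deliberately treats non-0/1 exit codes (Snyk uses 2 for scan errors such as no network) as blocking, which is the right fail-closed choice but is easy to misread as a catch-all, so a comment such as `# Snyk exit codes other than 0/1 are scan errors: fail closed rather than commit unscanned` would help. With the `_/husky.sh` sourcing removed and `SKIP_HOOK=1` added, the hook is an opt-out client-side gate; that is acceptable only if the same Snyk and Talisman scans also run server-side in CI, which this change does not show.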
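Review bot: The new `fileignoreconfig` entry for `.husky/pre-commit` is pinned to checksum `5baabd7d…`, so any later edit to the hook (including fixing the echo typo it currently contains) changes the checksum and Talisman will flag the file again until the entry is regenerated. A YAML comment beside the entry, e.g. `# Regenerate this checksum (talisman --checksum .husky/pre-commit) whenever the hook changes`, would save the next maintainer a confusing hook failure. The commit does not say why Talisman flagged the hook in the first place; if it was a keyword match on the echo strings, a checksum pin is the right scope because it does not suppress future content, and recording that reason in the same comment is worthwhile.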
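Review bot: Dropping `husky install` from `prepare` means a fresh clone or `npm install` no longer installs the git hooks, so the Snyk/Talisman pre-commit gate added in this commit only exists for developers who remember to run `npm run husky-check`; the new scanning is effectively opt-in. If the motivation is that `husky install` fails where no `.git` directory exists (package consumers, some CI checkouts), it is better to keep it in `prepare` and make only that step non-fatal, e.g. `"prepare": "npm run build && (husky install || true)"` on POSIX shells, rather than removing it. The `chmod +x .husky/pre-commit` in `husky-check` is redundant for this repository because the diff records `.husky/pre-commit` with mode `100755`, so git already restores the executable bit; harmless, but a short comment or removal would avoid suggesting the mode is not tracked.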