add working but unconfigurable trufflehog module

cachix · Sep 9, 2024 · 0b4048d · 0b4048d
1 parent b8fafde
commit 0b4048d
Showing 1 changed file with 17 additions and 0 deletions.
diff --git a/modules/hooks.nix b/modules/hooks.nix
@@ -3496,6 +3496,23 @@ lib.escapeShellArgs (lib.concatMap (ext: [ "--ghc-opt" "-X${ext}" ]) hooks.ormol
           package = tools.pre-commit-hooks;
           entry = "${hooks.trim-trailing-whitespace.package}/bin/trailing-whitespace-fixer";
         };
+      trufflehog =
+        {
+          name = "trufflehog";
+          description = "Secrets scanner";
+          entry =
+            let
+              script = pkgs.writeShellScript "precommit-trufflehog" ''
+                set -e
+                ${hooks.trufflehog.package}/bin/trufflehog --no-update git "file://$(git rev-parse --show-top-level)" --since-commit HEAD --only-verified --fail
+              '';
+            in
+            builtins.toString script;
+          package = pkgs.trufflehog;
+
+          # trufflehog expects to run across the whole repo, not particular files
+          pass_filenames = false;
+        };
       typos =
         {
           name = "typos";