Merge pull request cachix#441 from therealpxc/trufflehog-module

Add support for TruffleHog
shikanime · Sep 19, 2024 · 4e743a6 · 4e743a6
2 parents 7570de7 + 0ec644c
commit 4e743a6
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 9 deletions.
diff --git a/modules/hooks.nix b/modules/hooks.nix
@@ -3462,15 +3462,6 @@ lib.escapeShellArgs (lib.concatMap (ext: [ "--ghc-opt" "-X${ext}" ]) hooks.ormol
               );
           files = "(\\.json$)|(\\.toml$)|(\\.mli?$)";
         };
-      trim-trailing-whitespace =
-        {
-          name = "trim-trailing-whitespace";
-          description = "Trim trailing whitespace.";
-          types = [ "text" ];
-          stages = [ "commit" "push" "manual" ];
-          package = tools.pre-commit-hooks;
-          entry = "${hooks.trim-trailing-whitespace.package}/bin/trailing-whitespace-fixer";
-        };
       treefmt =
         let
           inherit (hooks.treefmt) packageOverrides settings;
@@ -3496,6 +3487,32 @@ lib.escapeShellArgs (lib.concatMap (ext: [ "--ghc-opt" "-X${ext}" ]) hooks.ormol
           packageOverrides = { treefmt = tools.treefmt; };
           entry = "${hooks.treefmt.package}/bin/treefmt --fail-on-change";
         };
+      trim-trailing-whitespace =
+        {
+          name = "trim-trailing-whitespace";
+          description = "Trim trailing whitespace.";
+          types = [ "text" ];
+          stages = [ "commit" "push" "manual" ];
+          package = tools.pre-commit-hooks;
+          entry = "${hooks.trim-trailing-whitespace.package}/bin/trailing-whitespace-fixer";
+        };
+      trufflehog =
+        {
+          name = "trufflehog";
+          description = "Secrets scanner";
+          entry =
+            let
+              script = pkgs.writeShellScript "precommit-trufflehog" ''
+                set -e
+                ${hooks.trufflehog.package}/bin/trufflehog --no-update git "file://$(git rev-parse --show-top-level)" --since-commit HEAD --only-verified --fail
+              '';
+            in
+            builtins.toString script;
+          package = tools.trufflehog;
+
+          # trufflehog expects to run across the whole repo, not particular files
+          pass_filenames = false;
+        };
       typos =
         {
           name = "typos";

diff --git a/nix/tools.nix b/nix/tools.nix
@@ -74,6 +74,7 @@
 , texlive
 , topiary ? null ## Added in nixpkgs on Dec 2, 2022
 , treefmt
+, trufflehog
 , typos
 , typstfmt
 , typstyle ? null ## Add in nixpkgs added on commit 800ca60
@@ -152,6 +153,7 @@ in
     taplo
     topiary
     treefmt
+    trufflehog
     typos
     typstfmt
     typstyle