From 00c307b7871acb2d20a20e9ca13de98f16253ebf Mon Sep 17 00:00:00 2001 From: Byron Williams Date: Fri, 8 May 2026 10:26:50 -0700 Subject: [PATCH] feat(security): add TruffleHog secret-scanning pre-commit hook Add a TruffleHog hook scoped to staged files (`git diff --cached | xargs trufflehog filesystem`). The hook gracefully degrades when TruffleHog is not installed locally. See `.claude/rules/pre-commit.md` invariant `PC-HOOK-STAGED-SCOPE` for the scope principle. Co-Authored-By: Claude Sonnet 4.6 --- .pre-commit-config.yaml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 782fa23..bcc224d 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -180,3 +180,22 @@ repos: entry: bash -c 'echo "❌ Decrypted JSON files (.plain.json) must not be committed." && exit 1' language: system files: \.plain\.json$ + + # ============================================================================ + # Secret Detection - TruffleHog + # ============================================================================ + # Advanced secret detection beyond detect-private-key. + # Detects API keys, tokens, credentials, and other secrets. + - repo: local + hooks: + - id: trufflehog + name: TruffleHog Secret Scanner + description: Detect secrets in your data before committing + # Scan staged files only. The git-history mode (--since-commit HEAD) also + # traverses fetched remote branches in the local object store, producing + # false positives from unmerged branches. Staged-file scanning is the + # correct scope for a pre-commit hook; git history scanning belongs in CI. + entry: bash -c 'command -v trufflehog >/dev/null 2>&1 && (git diff --cached -z --diff-filter=d --name-only 2>/dev/null | xargs -0 -r trufflehog filesystem --fail --no-update --results=verified,unknown) || echo "TruffleHog not installed - skipping secret scan"' + language: system + pass_filenames: false + stages: [pre-commit]