Merge pull request #400 from lafrenierejm/ripsecrets

Add ripsecrets hook
cachix · Mar 25, 2024 · db656fc · db656fc
2 parents e611897 + b54aac8
commit db656fc
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 0 deletions.
diff --git a/modules/hooks.nix b/modules/hooks.nix
@@ -1222,6 +1222,20 @@ in
           };
         };
       };
+      ripsecrets = mkOption {
+        description = lib.mdDoc "ripsecrets hook";
+        type = types.submodule {
+          imports = hookModule;
+          options.settings = {
+            additionalPatterns =
+              mkOption {
+                type = types.listOf types.str;
+                description = lib.mdDoc "Additional regex patterns used to find secrets. If there is a matching group in the regex the matched group will be tested for randomness before being reported as a secret.";
+                default = [ ];
+              };
+          };
+        };
+      };
       rome = mkOption {
         description = lib.mdDoc "rome hook";
         type = types.submodule {
@@ -2677,6 +2691,26 @@ in
           # all file names in a single run.
           require_serial = true;
         };
+      ripsecrets =
+        {
+          name = "ripsecrets";
+          description = "Prevent committing secret keys into your source code";
+          package = tools.ripsecrets;
+          entry =
+            let
+              cmdArgs = mkCmdArgs (
+                with hooks.ripsecrets.settings; [
+                  [ true "--strict-ignore" ]
+                  [
+                    (additionalPatterns != [ ])
+                    "--additional-pattern ${lib.strings.concatStringsSep " --additional-pattern " additionalPatterns}"
+                  ]
+                ]
+              );
+            in
+            "${hooks.ripsecrets.package}/bin/ripsecrets ${cmdArgs}";
+          types = [ "text" ];
+        };
       rome =
         {
           name = "rome";

diff --git a/nix/tools.nix b/nix/tools.nix
@@ -55,6 +55,7 @@
 , pre-commit-hook-ensure-sops ? null
 , python3Packages
 , php82Packages
+, ripsecrets ? null
 , ruff ? null
 , runCommand
 , rustfmt
@@ -135,6 +136,7 @@ in
     ormolu
     pre-commit-hook-ensure-sops
     revive
+    ripsecrets
     ruff
     rustfmt
     shellcheck