From b54aac8e39a0a0f2ccf8cd95aa747f4b3489bcf8 Mon Sep 17 00:00:00 2001
From: Joseph LaFreniere
Date: Mon, 19 Feb 2024 11:11:24 -0600
Subject: [PATCH] Add ripsecrets hook

---
 modules/hooks.nix | 34 ++++++++++++++++++++++++++++++++++
 nix/tools.nix | 2 ++
 2 files changed, 36 insertions(+)

diff --git a/modules/hooks.nix b/modules/hooks.nix
index 70b99009..021a5f4e 100644
--- a/modules/hooks.nix
+++ b/modules/hooks.nix
@@ -1222,6 +1222,20 @@ in
 };
 };
 };
+ ripsecrets = mkOption {
+ description = lib.mdDoc "ripsecrets hook";
+ type = types.submodule {
+ imports = hookModule;
+ options.settings = {
+ additionalPatterns =
+ mkOption {
+ type = types.listOf types.str;
+ description = lib.mdDoc "Additional regex patterns used to find secrets. If there is a matching group in the regex the matched group will be tested for randomness before being reported as a secret.";
+ default = [ ];
+ };
+ };
+ };
+ };
 rome = mkOption {
 description = lib.mdDoc "rome hook";
 type = types.submodule {
@@ -2677,6 +2691,26 @@ in
 # all file names in a single run.
 require_serial = true;
 };
+ ripsecrets =
+ {
+ name = "ripsecrets";
+ description = "Prevent committing secret keys into your source code";
+ package = tools.ripsecrets;
+ entry =
+ let
+ cmdArgs = mkCmdArgs (
+ with hooks.ripsecrets.settings; [
+ [ true "--strict-ignore" ]
+ [
+ (additionalPatterns != [ ])
+ "--additional-pattern ${lib.strings.concatStringsSep " --additional-pattern " additionalPatterns}"
+ ]
+ ]
+ );
+ in
+ "${hooks.ripsecrets.package}/bin/ripsecrets ${cmdArgs}";
+ types = [ "text" ];
+ };
 rome =
 {
 name = "rome";
diff --git a/nix/tools.nix b/nix/tools.nix
index bf2c6152..a84af0df 100644
--- a/nix/tools.nix
+++ b/nix/tools.nix
@@ -55,6 +55,7 @@
 , pre-commit-hook-ensure-sops ? null
 , python3Packages
 , php82Packages
+, ripsecrets ? null
 , ruff ? null
 , runCommand
 , rustfmt
@@ -135,6 +136,7 @@ in
 ormolu
 pre-commit-hook-ensure-sops
 revive
+ ripsecrets
 ruff
 rustfmt
 shellcheck
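Review bot: In the `entry` of the new `ripsecrets` hook (second hooks.nix hunk), every element of `additionalPatterns` is spliced into the command line unquoted through `concatStringsSep`, so a regex containing whitespace, quotes, `$`, `|`, parentheses or a backslash is re-split or reinterpreted when the entry string is tokenized shell-style before execution, and the hook then either fails to start or scans with a different pattern than the one configured. Escaping each pattern individually fixes this: replace the `"--additional-pattern ${lib.strings.concatStringsSep " --additional-pattern " additionalPatterns}"` line with `(lib.concatMapStringsSep " " (p: "--additional-pattern ${lib.escapeShellArg p}") additionalPatterns)`. Since the hook's whole purpose is to block secrets before they land in history, a silently mangled pattern is a detection gap rather than a cosmetic bug, so a short comment on that line such as `# each pattern is a user-supplied regex; quote it so shell-style splitting of entry leaves it intact` is worth keeping next to the fix. The `ripsecrets` attribute is complete within the hunk, but the enclosing hooks set continues past it.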