npm - push-sentinel - Versions diffs - 0.1.0 → 0.1.1 - Mend

push-sentinel 0.1.0 → 0.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/bin/cli.js CHANGED Viewed

@@ -100,8 +100,9 @@ switch (command) {
     const localSha = localShaIdx !== -1 ? args[localShaIdx + 1] : undefined;
     const remoteSha = remoteShaIdx !== -1 ? args[remoteShaIdx + 1] : undefined;
     const findings = scan(localSha, remoteSha);
-    report(findings);
-    if (blockOnHigh && hasHighFindings(findings)) {
+    const willBlock = blockOnHigh && hasHighFindings(findings);
+    report(findings, { willBlock });
+    if (willBlock) {
       process.stderr.write('\n[push-sentinel] Push blocked: HIGH severity secret(s) detected. Remove the secret or run `push-sentinel ignore` to suppress.\n');
       process.exit(1);
     }

package/hook-template.sh CHANGED Viewed

@@ -6,10 +6,14 @@
 #
 # We read each line and pass the SHAs explicitly so push-sentinel can compute
 # the exact range of commits being pushed (including new branch / first push).
+# Stdin is saved and re-supplied to pre-push.local so existing hooks still work.
 EXIT_CODE=0
+STDIN_DATA=""
 while read local_ref local_sha remote_ref remote_sha; do
+  STDIN_DATA="${STDIN_DATA}${local_ref} ${local_sha} ${remote_ref} ${remote_sha}
+"
   npx push-sentinel scan --local-sha "$local_sha" --remote-sha "$remote_sha"
   RESULT=$?
   if [ $RESULT -ne 0 ]; then
@@ -22,5 +26,5 @@ if [ $EXIT_CODE -ne 0 ]; then
 fi
 if [ -f "$(git rev-parse --git-dir)/hooks/pre-push.local" ]; then
-  "$(git rev-parse --git-dir)/hooks/pre-push.local" "$@"
+  echo "$STDIN_DATA" | "$(git rev-parse --git-dir)/hooks/pre-push.local" "$@"
 fi

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "push-sentinel",
-  "version": "0.1.0",
+  "version": "0.1.1",
   "description": "Warns you if secrets are in your git diff before push.",
   "bin": {
     "push-sentinel": "bin/cli.js"

package/src/install.js CHANGED Viewed

@@ -33,10 +33,14 @@ ${SENTINEL_MARKER}
 #   <local-ref> <local-sha1> <remote-ref> <remote-sha1>
 # We forward the SHAs so push-sentinel can determine exactly which commits
 # are being pushed, including new branches (remote-sha = 0000...0000).
+# Stdin is saved and re-supplied to pre-push.local so existing hooks still work.
 EXIT_CODE=0
+STDIN_DATA=""
 while read local_ref local_sha remote_ref remote_sha; do
+  STDIN_DATA="${'$'}{STDIN_DATA}${'$'}{local_ref} ${'$'}{local_sha} ${'$'}{remote_ref} ${'$'}{remote_sha}
+"
   npx push-sentinel scan --local-sha "$local_sha" --remote-sha "$remote_sha"
   RESULT=$?
   if [ $RESULT -ne 0 ]; then
@@ -49,7 +53,7 @@ if [ $EXIT_CODE -ne 0 ]; then
 fi
 if [ -f "$(git rev-parse --git-dir)/hooks/pre-push.local" ]; then
-  "$(git rev-parse --git-dir)/hooks/pre-push.local" "$@"
+  echo "$STDIN_DATA" | "$(git rev-parse --git-dir)/hooks/pre-push.local" "$@"
 fi
 `;
 }

package/src/reporter.js CHANGED Viewed

@@ -13,7 +13,7 @@ function severityLabel(severity) {
   return `[${severity}]`;
 }
-function report(findings) {
+function report(findings, { willBlock = false } = {}) {
   if (findings.length === 0) {
     process.stderr.write('[push-sentinel] \u2713 No secrets detected.\n');
     return;
@@ -39,7 +39,11 @@ function report(findings) {
     process.stderr.write(`  + ${extra} more finding(s) not shown.\n\n`);
   }
-  process.stderr.write('  Push continues. Double-check before sharing.\n');
+  if (willBlock) {
+    process.stderr.write('  Push will be blocked.\n');
+  } else {
+    process.stderr.write('  Push continues. Double-check before sharing.\n');
+  }
 }
 function hasHighFindings(findings) {

package/src/scan.js CHANGED Viewed

@@ -55,33 +55,31 @@ function loadIgnoreRules(repoRoot) {
   return { lines, patterns };
 }
+// Check if a file path matches a single glob-style ignore rule
+function matchesGlob(filePath, rule) {
+  if (rule.endsWith('/**')) {
+    const dir = rule.slice(0, -3);
+    return filePath.startsWith(dir + '/') || filePath === dir;
+  }
+  if (rule.endsWith('*')) {
+    return filePath.startsWith(rule.slice(0, -1));
+  }
+  return false;
+}
 // Check if a file (regardless of line) matches any ignore rule
 function matchesIgnoreFile(filePath, ignoreLines) {
   for (const rule of ignoreLines) {
-    if (rule === filePath) return true;
-    if (rule.endsWith('/**')) {
-      const dir = rule.slice(0, -3);
-      if (filePath.startsWith(dir + '/') || filePath === dir) return true;
-    }
-    if (rule.endsWith('*')) {
-      if (filePath.startsWith(rule.slice(0, -1))) return true;
-    }
+    if (rule === filePath || matchesGlob(filePath, rule)) return true;
   }
   return false;
 }
-// Check if a file:line matches any ignore rule (simple glob support)
+// Check if a file:line matches any ignore rule
 function matchesIgnoreLine(filePath, lineNum, ignoreLines) {
   const target = `${filePath}:${lineNum}`;
   for (const rule of ignoreLines) {
-    if (rule === target) return true;
-    if (rule.endsWith('/**')) {
-      const dir = rule.slice(0, -3);
-      if (filePath.startsWith(dir + '/') || filePath === dir) return true;
-    }
-    if (rule.endsWith('*')) {
-      if (filePath.startsWith(rule.slice(0, -1))) return true;
-    }
+    if (rule === target || matchesGlob(filePath, rule)) return true;
   }
   return false;
 }