secure-husky-setup 1.0.0

package/Readme.md

@@ -0,0 +1,49 @@
+
+---
+
+```markdown
+# Secure Husky Setup
+
+Automatically installs and configures:
+
+- Husky (Git hooks)
+- Gitleaks (Secret scanning)
+- Pre-commit protection
+
+---
+
+## Install from GitHub
+
+Inside your project directory:
+
+```bash
+npm install --save-dev git+https://github.com/HUSAINTRIVEDI52/npm-package-husky-gitleaks.git
+```
+
+
+---
+
+## Initialize
+
+After installing, run:
+
+```bash
+npx secure-husky-setup init
+```
+
+This will:
+
+- Install Husky locally
+- Download Gitleaks locally
+- Configure the pre-commit hook
+
+---
+
+## Done
+
+Now every `git commit` will automatically scan for secrets.
+
+If secrets are detected, the commit will be blocked.
+
+---
+

package/bin/index.js

@@ -0,0 +1,62 @@
+#!/usr/bin/env node
+const { installHusky } = require('../lib/husky');
+const { installGitleaks } = require('../lib/gitleaks');
+const { installSonarScanner, setupSonarProperties } = require('../lib/sonarqube');
+const { setupPreCommitHook } = require('../lib/hooks');
+// Added by Arjun — import CI setup functions from the new lib/ci.js module
+const { setupPrePushHook, setupCIScript, setupCIWorkflow, validateProject, ensurePackageLock } = require('../lib/ci');
+const { isGitRepo } = require('../lib/git');
+const { logInfo, logError, logSuccess } = require('../lib/logger');
+
+const command = process.argv[2];
+
+(async () => {
+  if (command !== 'init') {
+    console.log("Usage: secure-husky-setup init");
+    process.exit(0);
+  }
+
+  try {
+    logInfo("Initializing secure git hooks...");
+
+    if (!await isGitRepo()) {
+      throw new Error("Not inside a git repository.");
+    }
+
+    // ── Existing steps — pre-commit hooks (no changes made here) ─────────────
+    await installHusky();
+    await installGitleaks();
+    await installSonarScanner();
+    await setupSonarProperties();
+    await setupPreCommitHook();
+
+    logSuccess("Secure Husky + Gitleaks + SonarQube setup completed.");
+    logInfo("Next step: edit sonar-project.properties and set sonar.host.url and sonar.token.");
+
+    // Added by Arjun — pre-push hook + GitHub Actions CI workflow setup ───────
+    // Runs Newman API tests and smoke tests automatically on every git push
+    logInfo("Setting up Newman & Smoke Test CI workflow...");
+
+    // Added by Arjun — ensure package-lock.json exists (required by npm ci in workflow)
+    await ensurePackageLock();
+
+    // Added by Arjun — validate package.json has "start" and "test" scripts
+    await validateProject();
+
+    // Added by Arjun — write standalone scripts/run-ci-checks.sh (all test logic lives here)
+    await setupCIScript();
+
+    // Added by Arjun — copy ci-tests.yml into .github/workflows/
+    await setupCIWorkflow();
+
+    // Added by Arjun — create .husky/pre-push hook (thin wrapper that calls run-ci-checks.sh)
+    await setupPrePushHook();
+
+    logSuccess("Newman + Smoke Test pre-push hook and GitHub Actions workflow setup completed.");
+    // ── End of Arjun's additions ──────────────────────────────────────────────
+
+  } catch (err) {
+    logError(err.message);
+    process.exit(1);
+  }
+})();

package/lib/ci.js

@@ -0,0 +1,323 @@
+'use strict';
+
+// ─────────────────────────────────────────────────────────────────────────────
+// Added by Arjun
+// File: lib/ci.js
+// Purpose: Sets up Newman API tests + Smoke Tests as a pre-push git hook
+//          and copies the GitHub Actions CI workflow into the project.
+//
+// FLEXIBILITY NOTE:
+//   Test logic lives in scripts/run-ci-checks.sh (standalone script).
+//   The pre-push hook simply calls that script.
+//   To move tests to pre-commit in future, just add one line to pre-commit hook:
+//     ./scripts/run-ci-checks.sh
+//   No logic needs to be rewritten.
+//
+// New files introduced:
+//   - lib/ci.js                    (this file)
+//   - templates/ci-tests.yml       (GitHub Actions workflow template)
+// Changes made to existing files:
+//   - bin/index.js                 (4 new lines added — see comments there)
+// ─────────────────────────────────────────────────────────────────────────────
+
+const fs = require('fs-extra');
+const path = require('path');
+const { execSync } = require('child_process');
+const { logInfo, logSuccess, logError } = require('./logger');
+
+// Added by Arjun — path to the CI workflow template bundled with this package
+const TEMPLATE_PATH = path.resolve(__dirname, '../templates/ci-tests.yml');
+
+// ─────────────────────────────────────────────────────────────────────────────
+// Added by Arjun — writes scripts/run-ci-checks.sh into the project
+// This is the STANDALONE script containing all test logic.
+// It can be called from pre-push, pre-commit, or any other hook.
+// ─────────────────────────────────────────────────────────────────────────────
+exports.setupCIScript = async () => {
+  const scriptsDir = path.join(process.cwd(), 'scripts');
+  const scriptPath = path.join(scriptsDir, 'run-ci-checks.sh');
+
+  await fs.ensureDir(scriptsDir);
+
+  if (await fs.pathExists(scriptPath)) {
+    logInfo("run-ci-checks.sh already exists — overwriting with latest version.");
+  } else {
+    logInfo("Creating scripts/run-ci-checks.sh...");
+  }
+
+  await fs.writeFile(scriptPath, buildCIScript());
+  await fs.chmod(scriptPath, 0o755);
+  logSuccess("scripts/run-ci-checks.sh created.");
+  logInfo("To move tests to pre-commit in future: add './scripts/run-ci-checks.sh' to .husky/pre-commit.");
+};
+
+// ─────────────────────────────────────────────────────────────────────────────
+// Added by Arjun — sets up .husky/pre-push hook
+// Simply calls run-ci-checks.sh — no logic lives here.
+// ─────────────────────────────────────────────────────────────────────────────
+exports.setupPrePushHook = async () => {
+  const huskyDir = path.join(process.cwd(), '.husky');
+  const hookPath = path.join(huskyDir, 'pre-push');
+
+  if (!await fs.pathExists(huskyDir)) {
+    logInfo("Husky directory not found. Skipping pre-push hook setup.");
+    return;
+  }
+
+  if (await fs.pathExists(hookPath)) {
+    logInfo("Pre-push hook already configured. Overwriting with latest setup...");
+  } else {
+    logInfo("Creating new pre-push hook...");
+  }
+
+  await fs.writeFile(hookPath, buildPrePushHook());
+  await fs.chmod(hookPath, 0o755);
+  logSuccess("Pre-push hook created — calls scripts/run-ci-checks.sh.");
+};
+
+// ─────────────────────────────────────────────────────────────────────────────
+// Added by Arjun — copies ci-tests.yml into .github/workflows/
+// ─────────────────────────────────────────────────────────────────────────────
+exports.setupCIWorkflow = async () => {
+  const targetDir  = path.join(process.cwd(), '.github', 'workflows');
+  const targetFile = path.join(targetDir, 'ci-tests.yml');
+
+  if (!await fs.pathExists(TEMPLATE_PATH)) {
+    logError("CI template not found. Please reinstall the package.");
+    return;
+  }
+
+  await fs.ensureDir(targetDir);
+
+  if (await fs.pathExists(targetFile)) {
+    logInfo("ci-tests.yml already exists — overwriting with latest version.");
+  } else {
+    logInfo("Creating .github/workflows/ci-tests.yml...");
+  }
+
+  await fs.copy(TEMPLATE_PATH, targetFile);
+  logSuccess("GitHub Actions workflow copied to .github/workflows/ci-tests.yml");
+};
+
+// ─────────────────────────────────────────────────────────────────────────────
+// Added by Arjun — validates package.json has required scripts
+// ─────────────────────────────────────────────────────────────────────────────
+exports.validateProject = async () => {
+  const pkgPath = path.join(process.cwd(), 'package.json');
+
+  if (!await fs.pathExists(pkgPath)) {
+    logError("No package.json found. Skipping validation.");
+    return;
+  }
+
+  const pkg = JSON.parse(await fs.readFile(pkgPath, 'utf-8'));
+  const scripts = pkg.scripts || {};
+
+  if (!scripts.start) {
+    logError('No "start" script in package.json — CI server boot will fail.');
+    logInfo('Add:  "start": "node index.js"');
+  }
+
+  if (!scripts.test) {
+    logError('No "test" script in package.json — smoke tests will fail.');
+    logInfo('Add:  "test": "jest"  (or your test runner)');
+  }
+
+  if (scripts.start && scripts.test) {
+    logSuccess('package.json has required "start" and "test" scripts.');
+  }
+};
+
+// ─────────────────────────────────────────────────────────────────────────────
+// Added by Arjun — ensures package-lock.json exists (required by npm ci)
+// ─────────────────────────────────────────────────────────────────────────────
+exports.ensurePackageLock = async () => {
+  const lockPath = path.join(process.cwd(), 'package-lock.json');
+  const yarnPath = path.join(process.cwd(), 'yarn.lock');
+
+  if (await fs.pathExists(lockPath) || await fs.pathExists(yarnPath)) {
+    logSuccess("Lock file found (package-lock.json / yarn.lock).");
+    return;
+  }
+
+  logInfo("No package-lock.json found — running npm install to generate it...");
+  try {
+    execSync('npm install', { stdio: 'inherit', cwd: process.cwd() });
+    logSuccess("package-lock.json generated. Remember to commit it.");
+  } catch {
+    logError("Failed to generate package-lock.json. Run npm install manually.");
+  }
+};
+
+// ─────────────────────────────────────────────────────────────────────────────
+// Pre-push hook — thin wrapper, just calls the standalone script
+// ─────────────────────────────────────────────────────────────────────────────
+function buildPrePushHook() {
+  return `#!/bin/sh
+
+# ---------------------------------------------------------------
+# Pre-push hook — Newman + Smoke Tests
+# Delegates all logic to scripts/run-ci-checks.sh
+#
+# To move tests to pre-commit in future:
+#   Remove this file and add this line to .husky/pre-commit:
+#   ./scripts/run-ci-checks.sh
+# ---------------------------------------------------------------
+
+./scripts/run-ci-checks.sh
+`;
+}
+
+// ─────────────────────────────────────────────────────────────────────────────
+// Standalone CI checks script — ALL test logic lives here
+// Can be called from pre-push, pre-commit, CI, or manually:
+//   sh scripts/run-ci-checks.sh
+// ─────────────────────────────────────────────────────────────────────────────
+function buildCIScript() {
+  return `#!/bin/sh
+
+# ---------------------------------------------------------------
+# run-ci-checks.sh — Smoke Tests + Newman API Tests
+#
+# Called by .husky/pre-push by default.
+# To move to pre-commit: add './scripts/run-ci-checks.sh' to .husky/pre-commit
+# To run manually: sh scripts/run-ci-checks.sh
+# ---------------------------------------------------------------
+
+# ---------------------------------------------------------------
+# Git diff check — only run if actual files changed
+# ---------------------------------------------------------------
+LOCAL=$(git rev-parse @)
+REMOTE=$(git rev-parse @{u} 2>/dev/null)
+
+if [ "$REMOTE" != "" ] && [ "$LOCAL" = "$REMOTE" ]; then
+  echo "[CI Checks] No changes to push. Skipping."
+  exit 0
+fi
+
+if [ "$REMOTE" != "" ]; then
+  CHANGED=$(git diff --name-only "$REMOTE" "$LOCAL" 2>/dev/null)
+else
+  CHANGED=$(git diff --name-only HEAD~1 HEAD 2>/dev/null)
+fi
+
+if [ -z "$CHANGED" ]; then
+  echo "[CI Checks] No changed files detected. Skipping."
+  exit 0
+fi
+
+echo ""
+echo "[CI Checks] Changed files detected:"
+echo "$CHANGED" | sed 's/^/  -> /'
+
+echo ""
+echo "[CI Checks] Starting checks..."
+
+# ---------------------------------------------------------------
+# Step 1: Smoke Tests
+# ---------------------------------------------------------------
+echo ""
+echo "[Smoke Tests] Starting server..."
+
+npm start &
+SERVER_PID=\$!
+
+for i in \$(seq 1 30); do
+  if curl -sf http://localhost:\${PORT:-3000}/health > /dev/null 2>&1 || \\
+     curl -sf http://localhost:\${PORT:-3000} > /dev/null 2>&1; then
+    echo "[Smoke Tests] Server is up."
+    break
+  fi
+  echo "[Smoke Tests] Waiting for server... (\$i/30)"
+  sleep 1
+done
+
+echo "[Smoke Tests] Running npm test..."
+npm test
+SMOKE_EXIT=\$?
+
+kill \$SERVER_PID 2>/dev/null
+
+if [ \$SMOKE_EXIT -ne 0 ]; then
+  echo "[Smoke Tests] Failed. Push blocked."
+  exit 1
+fi
+
+echo "[Smoke Tests] Passed. ✔"
+
+# ---------------------------------------------------------------
+# Step 2: Newman
+# ---------------------------------------------------------------
+echo ""
+echo "[Newman] Looking for Postman collections..."
+
+COLLECTIONS=\$(find . \\
+  -not -path '*/node_modules/*' \\
+  -not -path '*/.git/*' \\
+  -not -path '*/scripts/*' \\
+  \\( -name "*.postman_collection.json" -o -name "collection.json" \\) \\
+  2>/dev/null)
+
+if [ -z "\$COLLECTIONS" ]; then
+  echo "[Newman] No Postman collection found. Skipping."
+  exit 0
+fi
+
+if ! command -v newman > /dev/null 2>&1; then
+  echo "[Newman] Installing newman globally..."
+  npm install -g newman newman-reporter-htmlextra
+fi
+
+npm start &
+SERVER_PID=\$!
+
+for i in \$(seq 1 30); do
+  if curl -sf http://localhost:\${PORT:-3000}/health > /dev/null 2>&1 || \\
+     curl -sf http://localhost:\${PORT:-3000} > /dev/null 2>&1; then
+    echo "[Newman] Server is up."
+    break
+  fi
+  sleep 1
+done
+
+mkdir -p newman-reports
+
+ENV_FILE=\$(find . \\
+  -not -path '*/node_modules/*' \\
+  -not -path '*/.git/*' \\
+  -name "*.postman_environment.json" \\
+  2>/dev/null | head -1)
+
+NEWMAN_EXIT=0
+for COLLECTION in \$COLLECTIONS; do
+  REPORT_NAME=\$(basename "\$COLLECTION" .json)
+  echo "[Newman] Running: \$COLLECTION"
+
+  ENV_FLAG=""
+  if [ -n "\$ENV_FILE" ]; then
+    ENV_FLAG="--environment \$ENV_FILE"
+  fi
+
+  newman run "\$COLLECTION" \\
+    \$ENV_FLAG \\
+    --env-var "baseUrl=http://localhost:\${PORT:-3000}" \\
+    --reporters cli,htmlextra \\
+    --reporter-htmlextra-export "newman-reports/\${REPORT_NAME}-report.html" \\
+    --bail
+
+  if [ \$? -ne 0 ]; then
+    NEWMAN_EXIT=1
+  fi
+done
+
+kill \$SERVER_PID 2>/dev/null
+
+if [ \$NEWMAN_EXIT -ne 0 ]; then
+  echo "[Newman] One or more collections failed. Push blocked."
+  exit 1
+fi
+
+echo "[Newman] All collections passed. ✔"
+exit 0
+`;
+}

package/lib/git.js

@@ -0,0 +1,7 @@
+const fs = require('fs');
+const path = require('path');
+
+exports.isGitRepo = async () => {
+  const gitPath = path.join(process.cwd(), '.git');
+  return fs.existsSync(gitPath);
+};

package/lib/gitleaks.js

@@ -0,0 +1,111 @@
+const fs = require('fs-extra');
+const path = require('path');
+const execa = require('execa');
+const https = require('https');
+const { logInfo, logSuccess } = require('./logger');
+
+const VERSION = "8.18.0";
+
+// Added by Arjun — detect the correct gitleaks binary for the current OS and architecture
+function getPlatformAsset() {
+  const platform = process.platform;
+  const arch = process.arch;
+
+  const archMap = {
+    x64:   'x64',
+    arm64: 'arm64',
+    arm:   'armv7',
+  };
+
+  const gitleaksArch = archMap[arch] || 'x64';
+
+  if (platform === 'darwin') {
+    return { filename: `gitleaks_${VERSION}_darwin_${gitleaksArch}.tar.gz`, extract: 'tar' };
+  }
+
+  if (platform === 'win32') {
+    return { filename: `gitleaks_${VERSION}_windows_${gitleaksArch}.zip`, extract: 'zip' };
+  }
+
+  return { filename: `gitleaks_${VERSION}_linux_${gitleaksArch}.tar.gz`, extract: 'tar' };
+}
+
+// Added by Arjun — automatically add entries to .gitignore if missing
+async function ensureGitignoreEntries(entries) {
+  const gitignorePath = path.join(process.cwd(), '.gitignore');
+
+  let content = '';
+  if (await fs.pathExists(gitignorePath)) {
+    content = await fs.readFile(gitignorePath, 'utf-8');
+  }
+
+  const added = [];
+  for (const entry of entries) {
+    if (!content.includes(entry)) {
+      content += `\n${entry}`;
+      added.push(entry);
+    }
+  }
+
+  if (added.length > 0) {
+    await fs.writeFile(gitignorePath, content);
+    logInfo(`.gitignore updated — added: ${added.join(', ')}`);
+  }
+}
+
+exports.installGitleaks = async () => {
+  const toolsDir    = path.join(process.cwd(), '.tools');
+  const gitleaksDir = path.join(toolsDir, 'gitleaks');
+  const binaryPath  = path.join(gitleaksDir, 'gitleaks');
+
+  if (await fs.pathExists(binaryPath)) {
+    logInfo("Gitleaks already installed locally.");
+    return;
+  }
+
+  logInfo("Installing Gitleaks locally...");
+  await fs.ensureDir(gitleaksDir);
+
+  // Added by Arjun — use platform-aware asset instead of hardcoded linux_x64
+  const { filename, extract } = getPlatformAsset();
+  const url      = `https://github.com/gitleaks/gitleaks/releases/download/v${VERSION}/${filename}`;
+  const destPath = path.join(gitleaksDir, filename);
+
+  logInfo(`Downloading ${filename}...`);
+  await downloadFile(url, destPath);
+
+  // Added by Arjun — handle both tar.gz (mac/linux) and zip (windows)
+  if (extract === 'tar') {
+    await execa('tar', ['-xzf', destPath, '-C', gitleaksDir]);
+  } else {
+    await execa('unzip', ['-o', destPath, '-d', gitleaksDir]);
+  }
+
+  await fs.remove(destPath);
+  await fs.chmod(binaryPath, 0o755);
+
+  // Added by Arjun — automatically add .tools/ and node_modules/ to .gitignore
+  // .tools/       → prevents gitleaks binary from being staged and scanned
+  // node_modules/ → prevents dependencies from being committed to git
+  await ensureGitignoreEntries(['.tools/', 'node_modules/']);
+
+  logSuccess("Gitleaks installed locally.");
+};
+
+function downloadFile(url, dest) {
+  return new Promise((resolve, reject) => {
+    const request = https.get(url, { headers: { 'User-Agent': 'node' } }, (response) => {
+      if (response.statusCode >= 300 && response.statusCode < 400 && response.headers.location) {
+        return downloadFile(response.headers.location, dest).then(resolve).catch(reject);
+      }
+      if (response.statusCode !== 200) {
+        return reject(new Error(`Download failed with status code ${response.statusCode}`));
+      }
+      const file = fs.createWriteStream(dest);
+      response.pipe(file);
+      file.on('finish', () => file.close(resolve));
+      file.on('error', reject);
+    });
+    request.on('error', reject);
+  });
+}

package/lib/hooks.js

@@ -0,0 +1,112 @@
+const fs = require('fs-extra');
+const path = require('path');
+const { logInfo, logSuccess } = require('./logger');
+
+exports.setupPreCommitHook = async () => {
+  const huskyDir = path.join(process.cwd(), '.husky');
+  const hookPath = path.join(huskyDir, 'pre-commit');
+
+  if (!await fs.pathExists(huskyDir)) {
+    logInfo("Husky directory not found. Skipping hook setup.");
+    return;
+  }
+
+  const hookContent = buildHookScript();
+
+  if (await fs.pathExists(hookPath)) {
+    logInfo("Pre-commit hook already configured. Overwriting with latest setup...");
+  } else {
+    logInfo("Creating new pre-commit hook...");
+  }
+
+  await fs.writeFile(hookPath, hookContent);
+  await fs.chmod(hookPath, 0o755);
+
+  const gitleaksIgnorePath = path.join(process.cwd(), '.gitleaksignore');
+  await fs.writeFile(gitleaksIgnorePath, '.tools/\nsonar-project.properties\n');
+  logInfo(".gitleaksignore created — excluding .tools/ and sonar-project.properties.");
+
+  logSuccess("Pre-commit hook created with Gitleaks + SonarQube (git diff only).");
+};
+
+function buildHookScript() {
+  return `#!/bin/sh
+
+STAGED_FILES=$(git diff --cached --name-only --diff-filter=ACM)
+
+if [ -z "$STAGED_FILES" ]; then
+  echo "No changed files detected. Skipping checks."
+  exit 0
+fi
+
+echo "[Git Diff] Changed files in this commit:"
+echo "$STAGED_FILES" | while IFS= read -r FILE; do
+  echo "  -> $FILE"
+done
+
+echo ""
+echo "[Gitleaks] Scanning changed files for secrets..."
+
+GITLEAKS_BIN="./.tools/gitleaks/gitleaks"
+
+if [ ! -f "$GITLEAKS_BIN" ]; then
+  echo "[Gitleaks] Binary not found. Skipping."
+else
+  GITLEAKS_TMPDIR=$(mktemp -d)
+
+  echo "$STAGED_FILES" | while IFS= read -r FILE; do
+    case "$FILE" in
+      sonar-project.properties) ;;
+      .tools/*) ;;
+      *)
+        if [ -f "$FILE" ]; then
+          DEST="$GITLEAKS_TMPDIR/$FILE"
+          mkdir -p "$(dirname "$DEST")"
+          cp "$FILE" "$DEST"
+        fi
+        ;;
+    esac
+  done
+
+  $GITLEAKS_BIN detect --source "$GITLEAKS_TMPDIR" --no-git --verbose
+  GITLEAKS_EXIT=$?
+  rm -rf "$GITLEAKS_TMPDIR"
+
+  if [ $GITLEAKS_EXIT -ne 0 ]; then
+    echo "[Gitleaks] Secrets detected! Commit blocked."
+    exit 1
+  fi
+
+  echo "[Gitleaks] No secrets found."
+fi
+
+echo ""
+echo "[SonarQube] Scanning changed files..."
+
+SONAR_BIN="./node_modules/.bin/sonar-scanner"
+
+if [ ! -f "$SONAR_BIN" ]; then
+  echo "[SonarQube] sonar-scanner not found. Skipping."
+else
+  if [ ! -f "sonar-project.properties" ]; then
+    echo "[SonarQube] sonar-project.properties not found. Skipping."
+  else
+    SONAR_INCLUSIONS=$(echo "$STAGED_FILES" | tr '\n' ',' | sed 's/,$//')
+    echo "[SonarQube] Scanning: $SONAR_INCLUSIONS"
+
+    $SONAR_BIN -Dsonar.inclusions="$SONAR_INCLUSIONS" -Dsonar.qualitygate.wait=true
+    SONAR_EXIT=$?
+
+    if [ $SONAR_EXIT -ne 0 ]; then
+      echo "[SonarQube] Quality Gate FAILED. Commit blocked."
+      echo "[SonarQube] Fix the issues at: $(grep 'sonar.host.url' sonar-project.properties | cut -d'=' -f2)/dashboard?id=$(grep 'sonar.projectKey' sonar-project.properties | cut -d'=' -f2)"
+      exit 1
+    fi
+
+    echo "[SonarQube] Quality Gate PASSED. ✔"
+  fi
+fi
+
+exit 0
+`;
+}

package/lib/husky.js

@@ -0,0 +1,27 @@
+const { fileExists, readJSON, writeJSON } = require('./utils');
+const { installDevDependency } = require('./packageManager');
+const execa = require('execa');
+const path = require('path');
+const fs = require('fs-extra');
+const { logInfo, logSuccess } = require('./logger');
+
+exports.installHusky = async () => {
+  const pkgPath = path.join(process.cwd(), 'package.json');
+  const pkg = await readJSON(pkgPath);
+
+  if (!pkg.devDependencies || !pkg.devDependencies.husky) {
+    logInfo("Installing Husky...");
+    await installDevDependency('husky');
+  }
+
+  logInfo("Initializing Husky...");
+  await execa('npx', ['husky', 'install'], { stdio: 'inherit' });
+
+  if (!pkg.scripts) pkg.scripts = {};
+
+  if (!pkg.scripts.prepare) {
+    pkg.scripts.prepare = "husky install";
+    await writeJSON(pkgPath, pkg);
+    logSuccess("Added prepare script.");
+  }
+};

package/lib/logger.js

@@ -0,0 +1,5 @@
+const chalk = require('chalk');
+
+exports.logInfo = (msg) => console.log(chalk.blue(`ℹ ${msg}`));
+exports.logSuccess = (msg) => console.log(chalk.green(`✔ ${msg}`));
+exports.logError = (msg) => console.log(chalk.red(`✖ ${msg}`));

package/lib/packageManager.js

@@ -0,0 +1,5 @@
+const execa = require('execa');
+
+exports.installDevDependency = async (pkg) => {
+  await execa('npm', ['install', pkg, '--save-dev'], { stdio: 'inherit' });
+};

package/lib/sonarqube.js

@@ -0,0 +1,102 @@
+const fs = require('fs-extra');
+const path = require('path');
+const http = require('http');
+const { logInfo, logSuccess } = require('./logger');
+const { installDevDependency } = require('./packageManager');
+
+const SONAR_PROPS_FILE = 'sonar-project.properties';
+
+// ---------------------------------------------------------------
+// SonarQube server configuration
+// Currently pointing to local Docker instance for testing
+// Switch to GCP later by changing SONAR_HOST_URL and SONAR_TOKEN
+// ---------------------------------------------------------------
+const SONAR_HOST_URL = 'http://192.168.1.72:9000';
+const SONAR_TOKEN    = 'sqa_57476a8e9fe67dcdddfbe5a146a681c9373a3ab8';
+// const SONAR_ORG   = 'arjunlatiwala'; // only needed for SonarCloud
+
+// Auto-create project on SonarQube via API so developer never needs to do it manually
+async function ensureProjectExists(projectKey, projectName) {
+  return new Promise((resolve) => {
+    const auth = Buffer.from(`${SONAR_TOKEN}:`).toString('base64');
+    const postData = `name=${encodeURIComponent(projectName)}&project=${encodeURIComponent(projectKey)}`;
+
+    const options = {
+      hostname: '192.168.1.72',
+      port: 9000,
+      path: '/api/projects/create',
+      method: 'POST',
+      headers: {
+        'Authorization': `Basic ${auth}`,
+        'Content-Type': 'application/x-www-form-urlencoded',
+        'Content-Length': Buffer.byteLength(postData)
+      }
+    };
+
+    const req = http.request(options, (res) => {
+      let data = '';
+      res.on('data', chunk => data += chunk);
+      res.on('end', () => {
+        if (res.statusCode === 200 || res.statusCode === 201) {
+          logSuccess(`SonarQube project "${projectKey}" created automatically.`);
+        } else if (res.statusCode === 400 && data.includes('already exists')) {
+          logInfo(`SonarQube project "${projectKey}" already exists.`);
+        } else {
+          logInfo(`SonarQube project setup: ${res.statusCode} — continuing anyway.`);
+        }
+        resolve();
+      });
+    });
+
+    req.on('error', (err) => {
+      logInfo(`SonarQube server unreachable — skipping project creation. (${err.message})`);
+      resolve();
+    });
+
+    req.write(postData);
+    req.end();
+  });
+}
+
+exports.installSonarScanner = async () => {
+  logInfo('Installing sonarqube-scanner as a dev dependency...');
+  await installDevDependency('sonarqube-scanner');
+  logSuccess('sonarqube-scanner installed.');
+};
+
+exports.setupSonarProperties = async () => {
+  const propsPath = path.join(process.cwd(), SONAR_PROPS_FILE);
+
+  const pkgPath = path.join(process.cwd(), 'package.json');
+  let projectKey  = 'my-project';
+  let projectName = 'My Project';
+
+  if (await fs.pathExists(pkgPath)) {
+    const pkg = await fs.readJSON(pkgPath);
+    if (pkg.name) {
+      projectKey  = pkg.name.replace(/[^a-zA-Z0-9_\-.:]/g, '_');
+      projectName = pkg.name;
+    }
+  }
+
+  // Auto-create project so developer never needs to do it manually
+  logInfo(`Setting up SonarQube project "${projectKey}"...`);
+  await ensureProjectExists(projectKey, projectName);
+
+  const content = `# ---------------------------------------------------------------
+# SonarQube configuration — auto-generated by secure-husky-setup
+# Do not edit manually
+# ---------------------------------------------------------------
+sonar.host.url=${SONAR_HOST_URL}
+sonar.login=${SONAR_TOKEN}
+sonar.projectKey=${projectKey}
+sonar.projectName=${projectName}
+sonar.projectVersion=1.0
+sonar.sources=.
+sonar.sourceEncoding=UTF-8
+sonar.exclusions=node_modules/**,dist/**,build/**,coverage/**,.husky/**,.tools/**
+`;
+
+  await fs.writeFile(propsPath, content);
+  logSuccess(`${SONAR_PROPS_FILE} configured automatically.`);
+};

package/lib/utils.js

@@ -0,0 +1,13 @@
+const fs = require('fs-extra');
+
+exports.fileExists = async (path) => {
+  return await fs.pathExists(path);
+};
+
+exports.readJSON = async (path) => {
+  return await fs.readJSON(path);
+};
+
+exports.writeJSON = async (path, data) => {
+  return await fs.writeJSON(path, data, { spaces: 2 });
+};

package/package.json

@@ -0,0 +1,24 @@
+{
+  "name": "secure-husky-setup",
+  "version": "1.0.0",
+  "description": "Automatic Husky + Gitleaks setup for any JS project",
+  "main": "bin/index.js",
+  "bin": {
+    "secure-husky-setup": "./bin/index.js"
+  },
+  "keywords": [
+    "husky",
+    "gitleaks",
+    "git-hooks",
+    "security"
+  ],
+  "author": "Your Name",
+  "license": "MIT",
+  "files": ["bin", "lib", "templates"],
+  "dependencies": {
+    "chalk": "^4.1.2",
+    "execa": "^5.1.1",
+    "fs-extra": "^11.3.3",
+    "sonarqube-scanner": "^4.0.0"
+  }
+}

package/templates/ci-tests.yml

@@ -0,0 +1,163 @@
+name: CI - Newman & Smoke Tests
+
+on:
+  push:
+    branches:
+      - '**'
+
+jobs:
+  # ─────────────────────────────────────────
+  # JOB 1: Node.js Smoke Tests
+  # ─────────────────────────────────────────
+  smoke-tests:
+    name: 🔥 Smoke Tests
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Build project (if applicable)
+        run: |
+          if [ "$(node -e "const p=require('./package.json'); console.log(!!p.scripts?.build)")" = "true" ]; then
+            npm run build
+          else
+            echo "No build script found, skipping."
+          fi
+
+      - name: Start server in background
+        run: |
+          npm start &
+          echo "SERVER_PID=$!" >> $GITHUB_ENV
+          for i in $(seq 1 30); do
+            if curl -sf http://localhost:${PORT:-3000}/health > /dev/null 2>&1 || \
+               curl -sf http://localhost:${PORT:-3000} > /dev/null 2>&1; then
+              echo "✅ Server is up!"
+              break
+            fi
+            echo "Waiting for server... ($i/30)"
+            sleep 1
+          done
+        env:
+          NODE_ENV: test
+          PORT: ${{ vars.PORT || 3000 }}
+
+      - name: Run smoke tests
+        run: npm test
+        env:
+          NODE_ENV: test
+          PORT: ${{ vars.PORT || 3000 }}
+
+      - name: Stop server
+        if: always()
+        run: |
+          if [ -n "$SERVER_PID" ]; then
+            kill $SERVER_PID || true
+          fi
+
+  # ─────────────────────────────────────────
+  # JOB 2: Newman (Postman Collection) Tests
+  # ─────────────────────────────────────────
+  newman-tests:
+    name: 📬 Newman API Tests
+    runs-on: ubuntu-latest
+    needs: smoke-tests
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Install Newman & reporters
+        run: npm install -g newman newman-reporter-htmlextra
+
+      - name: Start server in background
+        run: |
+          npm start &
+          echo "SERVER_PID=$!" >> $GITHUB_ENV
+          for i in $(seq 1 30); do
+            if curl -sf http://localhost:${PORT:-3000}/health > /dev/null 2>&1 || \
+               curl -sf http://localhost:${PORT:-3000} > /dev/null 2>&1; then
+              echo "✅ Server is up!"
+              break
+            fi
+            echo "Waiting for server... ($i/30)"
+            sleep 1
+          done
+        env:
+          NODE_ENV: test
+          PORT: ${{ vars.PORT || 3000 }}
+
+      - name: Find and run Postman collections
+        run: |
+          mkdir -p newman-reports
+
+          COLLECTIONS=$(find . \
+            -not -path '*/node_modules/*' \
+            -not -path '*/.git/*' \
+            \( -name "*.postman_collection.json" -o -name "collection.json" \) \
+            2>/dev/null)
+
+          if [ -z "$COLLECTIONS" ]; then
+            echo "⚠️ No Postman collection files found!"
+            exit 1
+          fi
+
+          ENV_FILE=$(find . \
+            -not -path '*/node_modules/*' \
+            -not -path '*/.git/*' \
+            -name "*.postman_environment.json" \
+            2>/dev/null | head -1)
+
+          for COLLECTION in $COLLECTIONS; do
+            REPORT_NAME=$(basename "$COLLECTION" .json)
+            echo "▶️ Running collection: $COLLECTION"
+
+            ENV_FLAG=""
+            if [ -n "$ENV_FILE" ]; then
+              ENV_FLAG="--environment $ENV_FILE"
+            fi
+
+            newman run "$COLLECTION" \
+              $ENV_FLAG \
+              --env-var "baseUrl=http://localhost:${PORT:-3000}" \
+              --reporters cli,htmlextra \
+              --reporter-htmlextra-export "newman-reports/${REPORT_NAME}-report.html" \
+              --reporter-htmlextra-title "${REPORT_NAME} Test Report" \
+              --bail
+          done
+        env:
+          NODE_ENV: test
+          PORT: ${{ vars.PORT || 3000 }}
+
+      - name: Upload Newman HTML reports
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: newman-test-reports
+          path: newman-reports/
+          retention-days: 14
+
+      - name: Stop server
+        if: always()
+        run: |
+          if [ -n "$SERVER_PID" ]; then
+            kill $SERVER_PID || true
+          fi