secure-husky-setup 1.0.13 → 1.0.15

package/lib/ci.js

@@ -8,7 +8,6 @@ const { logInfo, logSuccess, logError } = require('./logger');
 const TEMPLATE_PATH = path.resolve(__dirname, '../templates/ci-tests.yml');
 
 exports.setupCIScript = async (gitRoot) => {
-  const projectDir = path.relative(gitRoot, process.cwd()) || '.';
   const scriptsDir = path.join(process.cwd(), 'scripts');
   const scriptPath = path.join(scriptsDir, 'run-ci-checks.sh');
 
@@ -20,7 +19,7 @@ exports.setupCIScript = async (gitRoot) => {
     logInfo("Creating scripts/run-ci-checks.sh...");
   }
 
-  await fs.writeFile(scriptPath, buildCIScript(projectDir));
+  await fs.writeFile(scriptPath, buildCIScript());
   await fs.chmod(scriptPath, 0o755);
   logSuccess("scripts/run-ci-checks.sh created.");
   logInfo("To move tests to pre-commit in future: add './scripts/run-ci-checks.sh' to .husky/pre-commit.");
@@ -35,6 +34,7 @@ exports.setupPrePushHook = async (gitRoot) => {
     return;
   }
 
+  // relative path from gitRoot to project e.g. "server" or "."
   const projectDir = path.relative(gitRoot, process.cwd()) || '.';
 
   if (await fs.pathExists(hookPath)) {
@@ -114,26 +114,31 @@ exports.ensurePackageLock = async () => {
 };
 
 function buildPrePushHook(projectDir) {
+  // pre-push hook runs from git root
+  // if project is in a subfolder, cd into it first so npm start/test work correctly
+  // but git commands (rev-parse) in run-ci-checks.sh work from git root
   const cdLine = projectDir !== '.' ? `cd "${projectDir}"` : '';
   return `#!/bin/sh
 
-# Pre-push hook — Newman + Smoke Tests
-${cdLine ? cdLine + '\n' : ''}
-./scripts/run-ci-checks.sh
+# Pre-push hook — runs from git root
+# cd into project subfolder so npm commands work
+${cdLine ? cdLine + '\n' : ''}./scripts/run-ci-checks.sh
 `;
 }
 
-function buildCIScript(projectDir) {
+function buildCIScript() {
+  // This script runs from project directory (after cd in pre-push hook)
+  // git commands use GIT_DIR env or walk up to find .git automatically
   return `#!/bin/sh
 
 # ---------------------------------------------------------------
-# run-ci-checks.sh — Smoke Tests + Newman API Tests
+# run-ci-checks.sh
+# Runs from project directory. Git commands work because git
+# automatically finds .git by walking up the directory tree.
 # ---------------------------------------------------------------
 
-# ---------------------------------------------------------------
 # Git diff check — only run if actual files changed
-# ---------------------------------------------------------------
-LOCAL=$(git rev-parse @)
+LOCAL=$(git rev-parse @ 2>/dev/null)
 REMOTE=$(git rev-parse @{u} 2>/dev/null)
 
 if [ "$REMOTE" != "" ] && [ "$LOCAL" = "$REMOTE" ]; then
@@ -155,130 +160,124 @@ fi
 echo ""
 echo "[CI Checks] Changed files detected:"
 echo "$CHANGED" | sed 's/^/  -> /'
-
 echo ""
 echo "[CI Checks] Starting checks..."
 
-# ---------------------------------------------------------------
 # Check if start and test scripts exist
-# ---------------------------------------------------------------
 START_SCRIPT=$(node -e "try{const p=require('./package.json');console.log(p.scripts&&p.scripts.start?'yes':'no')}catch(e){console.log('no')}" 2>/dev/null)
 TEST_SCRIPT=$(node -e "try{const p=require('./package.json');console.log(p.scripts&&p.scripts.test?'yes':'no')}catch(e){console.log('no')}" 2>/dev/null)
 
 if [ "$START_SCRIPT" = "no" ]; then
   echo "[Smoke Tests] No start script in package.json — skipping smoke tests."
-else
+  exit 0
+fi
 
-  # ---------------------------------------------------------------
-  # Step 1: Smoke Tests — start server + run tests
-  # ---------------------------------------------------------------
-  echo ""
-  echo "[Smoke Tests] Starting server..."
-
-  npm start &
-  SERVER_PID=\$!
-
-  # Auto-detect port — tries all common ports
-  SERVER_UP=0
-  for i in \$(seq 1 30); do
-    for PORT_TRY in 3000 5000 8000 8080 4000 4200 3001 8081 1337 9000; do
-      if curl -sf http://localhost:\$PORT_TRY > /dev/null 2>&1; then
-        PORT=\$PORT_TRY
-        SERVER_UP=1
-        echo "[Smoke Tests] Server is up on port \$PORT."
-        break 2
-      fi
-    done
-    echo "[Smoke Tests] Waiting for server... (\$i/30)"
-    sleep 1
+# ---------------------------------------------------------------
+# Smoke Tests — start server + run tests
+# ---------------------------------------------------------------
+echo ""
+echo "[Smoke Tests] Starting server..."
+
+npm start &
+SERVER_PID=\$!
+
+# Auto-detect port
+SERVER_UP=0
+for i in \$(seq 1 30); do
+  for PORT_TRY in 3000 5000 8000 8080 4000 4200 3001 8081 1337; do
+    if curl -sf http://localhost:\$PORT_TRY > /dev/null 2>&1; then
+      PORT=\$PORT_TRY
+      SERVER_UP=1
+      echo "[Smoke Tests] Server is up on port \$PORT."
+      break 2
+    fi
   done
+  echo "[Smoke Tests] Waiting for server... (\$i/30)"
+  sleep 1
+done
 
-  if [ \$SERVER_UP -eq 0 ]; then
-    echo "[Smoke Tests] Server did not start in time. Aborting."
+if [ \$SERVER_UP -eq 0 ]; then
+  echo "[Smoke Tests] Server did not start in time. Aborting."
+  kill \$SERVER_PID 2>/dev/null
+  exit 1
+fi
+
+if [ "$TEST_SCRIPT" = "no" ]; then
+  echo "[Smoke Tests] No test script in package.json — skipping npm test."
+else
+  echo "[Smoke Tests] Running npm test..."
+  npm test
+  SMOKE_EXIT=\$?
+  if [ \$SMOKE_EXIT -ne 0 ]; then
     kill \$SERVER_PID 2>/dev/null
+    echo "[Smoke Tests] Failed. Push blocked."
     exit 1
   fi
+  echo "[Smoke Tests] Passed. ✔"
+fi
 
-  if [ "$TEST_SCRIPT" = "no" ]; then
-    echo "[Smoke Tests] No test script in package.json — skipping npm test."
-  else
-    echo "[Smoke Tests] Running npm test..."
-    npm test
-    SMOKE_EXIT=\$?
-
-    if [ \$SMOKE_EXIT -ne 0 ]; then
-      kill \$SERVER_PID 2>/dev/null
-      echo "[Smoke Tests] Failed. Push blocked."
-      exit 1
-    fi
-    echo "[Smoke Tests] Passed. ✔"
-  fi
-
-  # ---------------------------------------------------------------
-  # Step 2: Newman API Tests
-  # ---------------------------------------------------------------
-  echo ""
-  echo "[Newman] Looking for Postman collections..."
-
-  COLLECTIONS=\$(find . \\
-    -not -path '*/node_modules/*' \\
-    -not -path '*/.git/*' \\
-    -not -path '*/scripts/*' \\
-    \\( -name "*.postman_collection.json" -o -name "collection.json" \\) \\
-    2>/dev/null)
-
-  if [ -z "\$COLLECTIONS" ]; then
-    echo "[Newman] No Postman collection found. Skipping."
-    kill \$SERVER_PID 2>/dev/null
-    exit 0
-  fi
+# ---------------------------------------------------------------
+# Newman API Tests
+# ---------------------------------------------------------------
+echo ""
+echo "[Newman] Looking for Postman collections..."
 
-  if ! command -v newman > /dev/null 2>&1; then
-    echo "[Newman] Installing newman globally..."
-    npm install -g newman newman-reporter-htmlextra 2>/dev/null || true
-  fi
+COLLECTIONS=\$(find . \\
+  -not -path '*/node_modules/*' \\
+  -not -path '*/.git/*' \\
+  -not -path '*/scripts/*' \\
+  \\( -name "*.postman_collection.json" -o -name "collection.json" \\) \\
+  2>/dev/null)
 
-  mkdir -p newman-reports
+if [ -z "\$COLLECTIONS" ]; then
+  echo "[Newman] No Postman collection found. Skipping."
+  kill \$SERVER_PID 2>/dev/null
+  exit 0
+fi
 
-  ENV_FILE=\$(find . \\
-    -not -path '*/node_modules/*' \\
-    -not -path '*/.git/*' \\
-    -name "*.postman_environment.json" \\
-    2>/dev/null | head -1)
+if ! command -v newman > /dev/null 2>&1; then
+  echo "[Newman] Installing newman..."
+  npm install -g newman newman-reporter-htmlextra 2>/dev/null || true
+fi
 
-  NEWMAN_EXIT=0
-  for COLLECTION in \$COLLECTIONS; do
-    REPORT_NAME=\$(basename "\$COLLECTION" .json)
-    echo "[Newman] Running: \$COLLECTION"
+mkdir -p newman-reports
 
-    ENV_FLAG=""
-    if [ -n "\$ENV_FILE" ]; then
-      ENV_FLAG="--environment \$ENV_FILE"
-    fi
+ENV_FILE=\$(find . \\
+  -not -path '*/node_modules/*' \\
+  -not -path '*/.git/*' \\
+  -name "*.postman_environment.json" \\
+  2>/dev/null | head -1)
 
-    newman run "\$COLLECTION" \\
-      \$ENV_FLAG \\
-      --env-var "baseUrl=http://localhost:\${PORT:-3000}" \\
-      --reporters cli,htmlextra \\
-      --reporter-htmlextra-export "newman-reports/\${REPORT_NAME}-report.html" \\
-      --bail
+NEWMAN_EXIT=0
+for COLLECTION in \$COLLECTIONS; do
+  REPORT_NAME=\$(basename "\$COLLECTION" .json)
+  echo "[Newman] Running: \$COLLECTION"
 
-    if [ \$? -ne 0 ]; then
-      NEWMAN_EXIT=1
-    fi
-  done
+  ENV_FLAG=""
+  if [ -n "\$ENV_FILE" ]; then
+    ENV_FLAG="--environment \$ENV_FILE"
+  fi
 
-  kill \$SERVER_PID 2>/dev/null
+  newman run "\$COLLECTION" \\
+    \$ENV_FLAG \\
+    --env-var "baseUrl=http://localhost:\${PORT:-3000}" \\
+    --reporters cli,htmlextra \\
+    --reporter-htmlextra-export "newman-reports/\${REPORT_NAME}-report.html" \\
+    --bail
 
-  if [ \$NEWMAN_EXIT -ne 0 ]; then
-    echo "[Newman] One or more collections failed. Push blocked."
-    exit 1
+  if [ \$? -ne 0 ]; then
+    NEWMAN_EXIT=1
   fi
+done
 
-  echo "[Newman] All collections passed. ✔"
+kill \$SERVER_PID 2>/dev/null
 
+if [ \$NEWMAN_EXIT -ne 0 ]; then
+  echo "[Newman] One or more collections failed. Push blocked."
+  exit 1
 fi
 
+echo "[Newman] All collections passed. ✔"
 exit 0
 `;
 }

package/lib/hooks.js

@@ -11,10 +11,7 @@ exports.setupPreCommitHook = async (gitRoot) => {
     return;
   }
 
-  // projectDir = where package.json, sonar-project.properties, .tools/ live
-  // This is relative path from gitRoot to project (e.g. "server" or ".")
   const projectDir = path.relative(gitRoot, process.cwd()) || '.';
-
   const hookContent = buildHookScript(projectDir);
 
   if (await fs.pathExists(hookPath)) {
@@ -26,7 +23,6 @@ exports.setupPreCommitHook = async (gitRoot) => {
   await fs.writeFile(hookPath, hookContent);
   await fs.chmod(hookPath, 0o755);
 
-  // .gitleaksignore goes in the project dir, not git root
   const gitleaksIgnorePath = path.join(process.cwd(), '.gitleaksignore');
   await fs.writeFile(gitleaksIgnorePath, '.tools/\nsonar-project.properties\n');
   logInfo(".gitleaksignore created — excluding .tools/ and sonar-project.properties.");
@@ -35,22 +31,34 @@ exports.setupPreCommitHook = async (gitRoot) => {
 };
 
 function buildHookScript(projectDir) {
-  // If project is in a subfolder, all tool paths must be prefixed
-  const cdLine = projectDir !== '.' ? `cd "${projectDir}"` : '';
+  // All paths relative to git root — NO cd at top level
+  // sonar-scanner runs in a subshell cd'd into project dir so it finds sonar-project.properties
   const gitleaksBin = projectDir !== '.'
     ? `./${projectDir}/.tools/gitleaks/gitleaks`
     : `./.tools/gitleaks/gitleaks`;
-  const sonarBin = projectDir !== '.'
-    ? `./${projectDir}/node_modules/.bin/sonar-scanner`
-    : `./node_modules/.bin/sonar-scanner`;
-  const sonarProps = projectDir !== '.'
+
+  // subshell cd for sonar so properties file is found correctly
+  const sonarSubshell = projectDir !== '.'
+    ? `(cd "./${projectDir}" && ./node_modules/.bin/sonar-scanner -Dsonar.qualitygate.wait=true)`
+    : `(./node_modules/.bin/sonar-scanner -Dsonar.qualitygate.wait=true)`;
+
+  const sonarPropsCheck = projectDir !== '.'
     ? `./${projectDir}/sonar-project.properties`
     : `./sonar-project.properties`;
 
+  const sonarBinCheck = projectDir !== '.'
+    ? `./${projectDir}/node_modules/.bin/sonar-scanner`
+    : `./node_modules/.bin/sonar-scanner`;
+
+  const sonarHostGrep = projectDir !== '.'
+    ? `grep "^sonar.host.url=" "./${projectDir}/sonar-project.properties"`
+    : `grep "^sonar.host.url=" "./sonar-project.properties"`;
+
   return `#!/bin/sh
 
-# Move to project directory if in monorepo/subfolder setup
-${cdLine ? cdLine + '\n' : ''}
+# Hook runs from git root — all paths relative to git root
+# projectDir: ${projectDir}
+
 STAGED_FILES=$(git diff --cached --name-only --diff-filter=ACM)
 
 if [ -z "$STAGED_FILES" ]; then
@@ -75,9 +83,10 @@ else
 
   echo "$STAGED_FILES" | while IFS= read -r FILE; do
     case "$FILE" in
+      */sonar-project.properties) ;;
+      */.tools/*) ;;
       sonar-project.properties) ;;
       .tools/*) ;;
-      ${projectDir !== '.' ? `${projectDir}/.tools/*) ;;` : ''}
       *)
         if [ -f "$FILE" ]; then
           DEST="$GITLEAKS_TMPDIR/$FILE"
@@ -103,16 +112,16 @@ fi
 echo ""
 echo "[SonarQube] Scanning changed files..."
 
-SONAR_BIN="${sonarBin}"
-SONAR_PROPS="${sonarProps}"
+SONAR_BIN_CHECK="${sonarBinCheck}"
+SONAR_PROPS_CHECK="${sonarPropsCheck}"
 
-if [ ! -f "$SONAR_BIN" ]; then
+if [ ! -f "$SONAR_BIN_CHECK" ]; then
   echo "[SonarQube] sonar-scanner not found. Skipping."
 else
-  if [ ! -f "$SONAR_PROPS" ]; then
+  if [ ! -f "$SONAR_PROPS_CHECK" ]; then
     echo "[SonarQube] sonar-project.properties not found. Skipping."
   else
-    SONAR_HOST=$(grep "^sonar.host.url=" "$SONAR_PROPS" | cut -d'=' -f2 | tr -d '[:space:]')
+    SONAR_HOST=$(${sonarHostGrep} | cut -d'=' -f2 | tr -d '[:space:]')
     SONAR_DOMAIN=$(echo "$SONAR_HOST" | sed 's|https://||' | sed 's|http://||' | cut -d'/' -f1 | cut -d':' -f1)
     SONAR_PORT=$(echo "$SONAR_HOST" | grep -o ':[0-9]*$' | tr -d ':')
     SONAR_PORT=\${SONAR_PORT:-9000}
@@ -123,12 +132,12 @@ else
       SONAR_INCLUSIONS=$(echo "$STAGED_FILES" | tr '\\n' ',' | sed 's/,$//')
       echo "[SonarQube] Scanning: $SONAR_INCLUSIONS"
 
-      $SONAR_BIN -Dproject.settings="$SONAR_PROPS" -Dsonar.inclusions="$SONAR_INCLUSIONS" -Dsonar.qualitygate.wait=true
+      # Run sonar-scanner in subshell from project dir so it picks up sonar-project.properties
+      ${sonarSubshell} -Dsonar.inclusions="\$SONAR_INCLUSIONS"
       SONAR_EXIT=$?
 
-      if [ $SONAR_EXIT -ne 0 ]; then
+      if [ \$SONAR_EXIT -ne 0 ]; then
         echo "[SonarQube] Quality Gate FAILED. Commit blocked."
-        echo "[SonarQube] Fix issues at: $SONAR_HOST"
         exit 1
       fi
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "secure-husky-setup",
-  "version": "1.0.13",
+  "version": "1.0.15",
   "description": "Automatic Husky + Gitleaks setup for any JS project",
   "main": "bin/index.js",
   "bin": {