secure-husky-setup 1.0.14 → 1.0.15

package/lib/hooks.js

@@ -11,9 +11,7 @@ exports.setupPreCommitHook = async (gitRoot) => {
     return;
   }
 
-  // relative path from gitRoot to project e.g. "server" or "."
   const projectDir = path.relative(gitRoot, process.cwd()) || '.';
-
   const hookContent = buildHookScript(projectDir);
 
   if (await fs.pathExists(hookPath)) {
@@ -33,23 +31,32 @@ exports.setupPreCommitHook = async (gitRoot) => {
 };
 
 function buildHookScript(projectDir) {
-  // All paths are relative to git root — NO cd into subfolder
-  // git commands always run from git root where husky executes the hook
+  // All paths relative to git root — NO cd at top level
+  // sonar-scanner runs in a subshell cd'd into project dir so it finds sonar-project.properties
   const gitleaksBin = projectDir !== '.'
     ? `./${projectDir}/.tools/gitleaks/gitleaks`
     : `./.tools/gitleaks/gitleaks`;
 
-  const sonarBin = projectDir !== '.'
-    ? `./${projectDir}/node_modules/.bin/sonar-scanner`
-    : `./node_modules/.bin/sonar-scanner`;
+  // subshell cd for sonar so properties file is found correctly
+  const sonarSubshell = projectDir !== '.'
+    ? `(cd "./${projectDir}" && ./node_modules/.bin/sonar-scanner -Dsonar.qualitygate.wait=true)`
+    : `(./node_modules/.bin/sonar-scanner -Dsonar.qualitygate.wait=true)`;
 
-  const sonarProps = projectDir !== '.'
+  const sonarPropsCheck = projectDir !== '.'
     ? `./${projectDir}/sonar-project.properties`
     : `./sonar-project.properties`;
 
+  const sonarBinCheck = projectDir !== '.'
+    ? `./${projectDir}/node_modules/.bin/sonar-scanner`
+    : `./node_modules/.bin/sonar-scanner`;
+
+  const sonarHostGrep = projectDir !== '.'
+    ? `grep "^sonar.host.url=" "./${projectDir}/sonar-project.properties"`
+    : `grep "^sonar.host.url=" "./sonar-project.properties"`;
+
   return `#!/bin/sh
 
-# Hook runs from git root — all paths are relative to git root
+# Hook runs from git root — all paths relative to git root
 # projectDir: ${projectDir}
 
 STAGED_FILES=$(git diff --cached --name-only --diff-filter=ACM)
@@ -105,16 +112,16 @@ fi
 echo ""
 echo "[SonarQube] Scanning changed files..."
 
-SONAR_BIN="${sonarBin}"
-SONAR_PROPS="${sonarProps}"
+SONAR_BIN_CHECK="${sonarBinCheck}"
+SONAR_PROPS_CHECK="${sonarPropsCheck}"
 
-if [ ! -f "$SONAR_BIN" ]; then
+if [ ! -f "$SONAR_BIN_CHECK" ]; then
   echo "[SonarQube] sonar-scanner not found. Skipping."
 else
-  if [ ! -f "$SONAR_PROPS" ]; then
+  if [ ! -f "$SONAR_PROPS_CHECK" ]; then
     echo "[SonarQube] sonar-project.properties not found. Skipping."
   else
-    SONAR_HOST=$(grep "^sonar.host.url=" "$SONAR_PROPS" | cut -d'=' -f2 | tr -d '[:space:]')
+    SONAR_HOST=$(${sonarHostGrep} | cut -d'=' -f2 | tr -d '[:space:]')
     SONAR_DOMAIN=$(echo "$SONAR_HOST" | sed 's|https://||' | sed 's|http://||' | cut -d'/' -f1 | cut -d':' -f1)
     SONAR_PORT=$(echo "$SONAR_HOST" | grep -o ':[0-9]*$' | tr -d ':')
     SONAR_PORT=\${SONAR_PORT:-9000}
@@ -125,10 +132,11 @@ else
       SONAR_INCLUSIONS=$(echo "$STAGED_FILES" | tr '\\n' ',' | sed 's/,$//')
       echo "[SonarQube] Scanning: $SONAR_INCLUSIONS"
 
-      $SONAR_BIN -Dproject.settings="$SONAR_PROPS" -Dsonar.inclusions="$SONAR_INCLUSIONS" -Dsonar.qualitygate.wait=true
+      # Run sonar-scanner in subshell from project dir so it picks up sonar-project.properties
+      ${sonarSubshell} -Dsonar.inclusions="\$SONAR_INCLUSIONS"
       SONAR_EXIT=$?
 
-      if [ $SONAR_EXIT -ne 0 ]; then
+      if [ \$SONAR_EXIT -ne 0 ]; then
         echo "[SonarQube] Quality Gate FAILED. Commit blocked."
         exit 1
       fi

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "secure-husky-setup",
-  "version": "1.0.14",
+  "version": "1.0.15",
   "description": "Automatic Husky + Gitleaks setup for any JS project",
   "main": "bin/index.js",
   "bin": {