mosaic/bootstrap
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f537f1ca7f24bdc4f5265d2a9a24ab5897c96c4f
bootstrap/tools/quality/scripts/verify.sh
Jason Woltje f537f1ca7f feat: add gitleaks secret scanning to quality rails 
Replace non-blocking git-secrets with mandatory gitleaks scanning:
- Pre-commit: blocks commit if gitleaks not installed or secrets found
- CI: pinned gitleaks Docker image scans each commit in Woodpecker
- Shared .gitleaks.toml with 12 custom rules for database URLs,
  alembic.ini, bearer tokens, PEM keys, docker-compose secrets, etc.
- Stopwords suppress localhost/changeme/placeholder false positives
- Install/verify scripts updated for gitleaks (no longer optional)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-24 14:45:24 -06:00

105 lines
3.3 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# Quality Rails Verification Script
# Tests that enforcement actually works
echo "═══════════════════════════════════════════"
echo "Quality Rails Enforcement Verification"
echo "═══════════════════════════════════════════"
echo ""
PASSED=0
FAILED=0
# Test 1: Type error blocked
echo "Test 1: Type errors should be blocked..."
echo "const x: string = 123;" > test-file.ts
git add test-file.ts 2>/dev/null
if git commit -m "Test commit" 2>&1 | grep -q "error"; then
echo "✅ PASS: Type errors blocked"
((PASSED++))
else
echo "❌ FAIL: Type errors NOT blocked"
((FAILED++))
fi
git reset HEAD test-file.ts 2>/dev/null
rm test-file.ts 2>/dev/null
# Test 2: any type blocked
echo ""
echo "Test 2: 'any' types should be blocked..."
echo "const x: any = 123;" > test-file.ts
git add test-file.ts 2>/dev/null
if git commit -m "Test commit" 2>&1 | grep -q "no-explicit-any"; then
echo "✅ PASS: 'any' types blocked"
((PASSED++))
else
echo "❌ FAIL: 'any' types NOT blocked"
((FAILED++))
fi
git reset HEAD test-file.ts 2>/dev/null
rm test-file.ts 2>/dev/null
# Test 3a: gitleaks binary must be present
echo ""
echo "Test 3a: gitleaks must be installed..."
if command -v gitleaks &> /dev/null; then
echo "✅ PASS: gitleaks found ($(gitleaks version 2>/dev/null || echo 'unknown version'))"
PASSED=$((PASSED + 1))
else
echo "❌ FAIL: gitleaks is NOT installed — secret scanning will not work"
echo " Install: https://github.com/gitleaks/gitleaks#installing"
FAILED=$((FAILED + 1))
fi
# Test 3b: gitleaks detects a planted AWS key
echo ""
echo "Test 3b: gitleaks should detect planted AWS key..."
if command -v gitleaks &> /dev/null; then
echo 'aws_access_key_id = AKIAIOSFODNN7REALKEY' > gitleaks-test-secret.txt
git add gitleaks-test-secret.txt 2>/dev/null
if gitleaks git --pre-commit --staged --redact 2>&1 | grep -q -i "leak\|finding"; then
echo "✅ PASS: gitleaks detected planted secret"
PASSED=$((PASSED + 1))
else
echo "❌ FAIL: gitleaks did NOT detect planted secret"
FAILED=$((FAILED + 1))
fi
git reset HEAD gitleaks-test-secret.txt 2>/dev/null
rm gitleaks-test-secret.txt 2>/dev/null
else
echo "⚠ SKIP: gitleaks not installed (Test 3a already failed)"
fi
# Test 4: Lint error blocked
echo ""
echo "Test 4: Lint errors should be blocked..."
echo "const x=123" > test-file.ts # Missing semicolon
git add test-file.ts 2>/dev/null
if git commit -m "Test commit" 2>&1 | grep -q "prettier"; then
echo "✅ PASS: Lint errors blocked"
((PASSED++))
else
echo "❌ FAIL: Lint errors NOT blocked"
((FAILED++))
fi
git reset HEAD test-file.ts 2>/dev/null
rm test-file.ts 2>/dev/null
# Summary
echo ""
echo "═══════════════════════════════════════════"
echo "Verification Summary"
echo "═══════════════════════════════════════════"
echo "✅ Passed: $PASSED"
echo "❌ Failed: $FAILED"
echo ""
if [ $FAILED -eq 0 ]; then
echo "🎉 All tests passed! Quality enforcement is working."
exit 0
else
echo "⚠ Some tests failed. Review configuration."
exit 1
fi
Reference in New Issue View Git Blame Copy Permalink