Added husky script for snyk and secret check

cs-raj · cs-raj · commit a5c6468b9244 · 2025-04-30T12:56:22.000+05:30
diff --git a/.husky/pre-commit b/.husky/pre-commit
@@ -0,0 +1,69 @@
+#!/usr/bin/env sh
+# Pre-commit hook to run Snyk and Talisman scans, completing both before deciding to commit
+
+# Function to check if a command exists
+command_exists() {
+  command -v "$1" >/dev/null 2>&1
+}
+
+# Check if Snyk is installed
+if ! command_exists snyk; then
+  echo "Error: Snyk is not installed. Please install it and try again."
+  exit 1
+fi
+
+# Check if Talisman is installed
+if ! command_exists talisman; then
+  echo "Error: Talisman is not installed. Please install it and try again."
+  exit 1
+fi
+
+# Allow bypassing the hook with an environment variable
+if [ "$SKIP_HOOK" = "1" ]; then
+  echo "Skipping Snyk and Talisman scans (SKIP_HOOK=1)."
+  exit 0
+fi
+
+# Initialize variables to track scan results
+snyk_failed=false
+talisman_failed=false
+
+# Run Snyk vulnerability scan
+echo "Running Snyk vulnerability scan..."
+snyk test --all-projects > snyk_output.log 2>&1
+snyk_exit_code=$?
+
+if [ $snyk_exit_code -eq 0 ]; then
+  echo "Snyk scan passed: No vulnerabilities found."
+elif [ $snyk_exit_code -eq 1 ]; then
+  echo "Snyk found vulnerabilities. See snyk_output.log for details."
+  snyk_failed=true
+else
+  echo "Snyk scan failed with error (exit code $snyk_exit_code). See snyk_output.log for details."
+  snyk_failed=true
+fi
+
+# Run Talisman secret scan (continues even if Snyk failed)
+echo "Running Talisman secret scan..."
+talisman --githook pre-commit > talisman_output.log 2>&1
+talisman_exit_code=$?
+
+if [ $talisman_exit_code -eq 0 ]; then
+  echo "Talisman scan passed: No secrets found."
+else
+  echo "Talisman scan failed (exit code $talisman_exit_code). See talisman_output.log for details."
+  talisman_failed=true
+fi
+
+# Evaluate results after both scans
+if [ "$snyk_failed" = true ] || [ "$talisman_failed" = true ]; then
+  echo "Commit aborted due to issues found in one or both scans."
+  [ "$snyk_failed" = true ] && echo "- Snyk issues: Check snyk_output.log"
+  [ "$talisman_failed" = true ] && echo "- Talisman issues: Check talisman_output.log"
+  exit 1
+fi
+
+# If both scans pass, allow the commit
+echo "All scans passed. Proceeding with commit.cd ."
+rm -f snyk_output.log talisman_output.log
+exit 0
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -2,6 +2,7 @@
   "name": "csdx",
   "version": "1.0.0",
   "devDependencies": {
+    "husky": "^9.1.7",
     "pnpm": "^7.33.7"
   },
   "engines": {
@@ -17,7 +18,8 @@
     "setup-repo-old": "npm i && pnpm package-lock-only && pnpm clean && pnpm install --no-frozen-lockfile && pnpm prepack",
     "clean-repo": "rm -rf ./package-lock.json ./node_modules ./packages/**/node_modules ./packages/**/.nyc_output ./packages/**/package-lock.json",
     "preinstall-clean": "npm run clean-repo && npm cache clean --force && npx pnpm store prune",
-    "setup-repo": "npm run preinstall-clean && npm i && npm run package-lock-only && npm run clean && pnpm install --no-frozen-lockfile && npm run prepack"
+    "setup-repo": "npm run preinstall-clean && npm i && npm run package-lock-only && npm run clean && pnpm install --no-frozen-lockfile && npm run prepack",
+    "prepare": "husky && chmod +x .husky/pre-commit"
   },
   "license": "MIT",
   "workspaces": [
