@jfuerth
Last active August 29, 2015 14:21
Help prevent accidental disclosure of secret keys
#!/bin/sh
# To enable this hook, copy it into .git/hooks/pre-commit in your project's workspace
# or use the reinstall-git-hook-everywhere.sh script
if git rev-parse --verify HEAD >/dev/null 2>&1
then
    against=HEAD
else
    # Initial commit: diff against an empty tree object
    against=4b825dc642cb6eb9a060e54bf8d69288fbee4904
fi

# Each grep below prints the offending added lines before the error message.
# AKIA is the prefix of AWS access key IDs.
if git diff --cached "$against" | grep '^+.*AKIA'
then
    cat <<\EOF
Error: Detected AWS secret key in this commit.
If you are absolutely sure you haven't just committed an AWS secret
key, commit again with the --no-verify option.
EOF
    exit 1
fi

# Base64-encoded DER structures (the body of a PEM file) start with "MII".
if git diff --cached "$against" | grep -E -2 '^\+MII[0-9A-Za-z+/]{20}'
then
    cat <<\EOF
Error: Detected PEM formatted key material in this commit.
If you are absolutely sure you haven't just committed a secret
key, commit again with the --no-verify option.
EOF
    exit 1
fi

# [[:space:]] rather than [ \t]: inside a bracket expression grep treats
# \t as a literal backslash and "t", so tab-indented lines were missed.
if git diff --cached "$against" | grep -E -2 '^\+[[:space:]]*puts[( ]'
then
    cat <<\EOF
Error: Found a new puts in this changeset!
If you actually mean to commit a raw puts (rather than a logger statement)
then commit again with the --no-verify option.
EOF
    exit 1
fi
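#!/bin/sh
# Installer for the hook above; presumably the reinstall-git-hook-everywhere.sh
# script that its header comment refers to. Copies the new pre-commit hook next
# to every pre-commit.sample found under the home directory, but only where the
# existing hook is absent or identical to the expected old one.
new_hook=$1
expected_old_hook=$2
if [ -z "$new_hook" ] || [ -z "$expected_old_hook" ]; then
    echo "Usage:"
    echo " $0 new-precommit-hook-file old-precommit-hook-file"
    exit 1
fi

# POSIX function syntax: the "function" keyword is not available in every /bin/sh.
safe_install_hook() {
    hook_dir=$(dirname "$1")
    if [ -f "$hook_dir/pre-commit" ]; then
        # Never overwrite a hook that differs from the expected old version.
        if ! diff -u "$hook_dir/pre-commit" "$expected_old_hook"; then
            echo "Skipping $hook_dir/pre-commit because it does not match expected"
            return
        fi
    fi
    cp "$new_hook" "$hook_dir/pre-commit"
}

# Read find's output line by line so that paths containing spaces survive.
find ~ -name pre-commit.sample | while IFS= read -r sample; do
    safe_install_hook "$sample"
done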
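
An added example, not part of the gist: the hook's three patterns applied to a unified diff on standard input, so they can be exercised without making a commit. It also skips `+++` file headers and requires the 16 characters that follow `AKIA` in an access key ID, which the hook does not do; the function names, rule labels and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: hypothetical helper, not code from the gist.
# Reads a unified diff on stdin, prints the names of the rules that matched,
# and returns non-zero when any rule matched (i.e. the commit would be blocked).
scan_added_lines() {
    # Keep only added lines and drop "+++ b/path" file headers, so a file
    # *name* containing AKIA does not trip the check.
    added=$(grep '^+' | grep -v '^+++ ' || true)
    hits=""
    # Assumption: access key IDs are "AKIA" plus 16 upper-case letters/digits.
    if printf '%s\n' "$added" | grep -Eq 'AKIA[0-9A-Z]{16}'; then
        hits="$hits aws-key-id"
    fi
    # Base64 of a DER structure, as found in the body of a PEM file.
    if printf '%s\n' "$added" | grep -Eq '^\+MII[0-9A-Za-z+/]{20}'; then
        hits="$hits pem"
    fi
    # New Ruby puts call, indented with spaces or tabs.
    if printf '%s\n' "$added" | grep -Eq '^\+[[:space:]]*puts[( ]'; then
        hits="$hits puts"
    fi
    echo "${hits# }"
    [ -z "$hits" ]
}

# Constructed sample diff (not from a real repository): a file header that
# contains AKIA, a harmless added line, a removed puts and a tab-indented puts.
sample_diff() {
    printf '%s\n' \
        '+++ b/docs/AKIA-notes.txt' \
        '+see the ticket for details' \
        '-puts "old debug line"'
    printf '+\tputs("debug")\n'
}

# Only the tab-indented puts is reported.
sample_diff | scan_added_lines || echo "commit would be blocked"
```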