Skip to content

Manual Git Hooks

Prerequisites

  • A SailPoint Entro Scanner API Key

  • Environment Setup

    • Install the SailPoint Entro CLI

    • Set the following environment variables

      • ENTRO_SECURITY_PLATFORM_TOKEN to the generated token above

      • ENTRO_SECURITY_PLATFORM_URL to the platform URL, e.g. https://app.entro.security

Setting up the Pre-Commit Hook

Create the pre-commit hook file

touch .git/hooks/pre-commit
chmod +x .git/hooks/pre-commit

Note

Consider setting a global hooks directory with git config core.hooksPath

Append the Content Below to .Git/hooks/pre-Commit

#!/bin/sh

GREEN='\033[0;32m'
YELLOW='\033[0;33m'
RED='\033[0;31m'
BLUE='\033[0;34m'
NC='\033[0m'

if git rev-parse --verify HEAD >/dev/null 2>&1
then
    against=HEAD
else

    against=$(git hash-object -t tree /dev/null)
fi

exec 1>&2

file_names=$(git diff --cached --name-only)
if [ -z "$file_names" ]; then
  echo "${YELLOW}⚠️ --- Entro Pre-commit Hook ---${NC}"
  echo "${YELLOW}⚠️ No files staged for commit. Skipping entro scan.${NC}"
  exit 0
fi

total_files=$(echo "$file_names" | grep -c .)
current_file_num=0

echo "${BLUE}➡️ --- Entro Pre-commit Hook ---${NC}"
echo "${BLUE}➡️ Scanning ${total_files} staged files for secrets.${NC}"
echo "${BLUE}➡️ Files to be scanned:${NC}"

echo "$file_names" | sed 's/^/  - /'
echo "${BLUE}-------------------------------${NC}"
echo "${BLUE}➡️ --- Starting Entro Scan ---${NC}"

while IFS= read -r line; do
    current_file_num=$((current_file_num + 1))
    if [ "$total_files" -gt 0 ]; then
        percentage=$(( (current_file_num * 100) / total_files ))
    else
        percentage=100
    fi
    echo "${BLUE}🔎 [${percentage}%] Scanning: ${line}${NC}"
    out=$(entro scan "$line")
    if [[ "$out" != *"Exposed Secrets: 0"* ]]; then
        echo "${RED}--------------------------------------------------${NC}"
        echo "$out"
        echo "${RED}❌ !!! Exposed Secret Found in: ${line} !!!${NC}"
        echo "${RED}❌ Commit aborted due to exposed secrets.${NC}"
        exit 1
    fi
done <<< "$file_names"

echo "${GREEN}✅ --- Entro Scan Completed: No secrets found ---${NC}"
echo "${GREEN}✅ Commit can proceed.${NC}"
exit 0

Test the Pre-Commit Hook

git commit -m "Test commit"

Response Example

➡️ --- Entro Pre-commit Hook ---
➡️ Scanning 1 staged files for secrets.
➡️ Files to be scanned:
  - .env
-------------------------------
➡️ --- Starting Entro Scan ---
🔎 [100%] Scanning: .env
--------------------------------------------------
🔍 Scanning... 100% [████████████████████████████████████████] (1/1){
  "exposed_secrets": [
    {
      "scanned_file_path": ".env",
      "scan_result": {
        "request_id": "80865613-7092-4927-9260-36e0e707ef1e",
        "total_count": 1,
        "results": [
          {
            "origin": "SLACK_WEBHOOK",
            "value": "https://hooks.slack.com/se************************C2/pa3QgX8M89ghXZv4Kx8N1ZkL",
            "line": 13
          }
        ]
      }
    }
  ],
  "errors": null
}

✅ Scan Completed!
📂 Total Scanned Files: 1
🚨 Files Containing Exposed Secrets: 1
❌ !!! Exposed Secret Found in: .env !!!