Manual Git Hooks
Prerequisites
-
A SailPoint Entro Scanner API Key
- Create an SailPoint Entro Scanner API Key with granted access only to the Scanner API
-
Environment Setup
-
Install the SailPoint Entro CLI
-
Set the following environment variables
-
ENTRO_SECURITY_PLATFORM_TOKENto the generated token above -
ENTRO_SECURITY_PLATFORM_URLto the platform URL, e.g.https://app.entro.security
-
-
Setting up the Pre-Commit Hook
Create the pre-commit hook file
Note
Consider setting a global hooks directory with git config core.hooksPath
Append the Content Below to .Git/hooks/pre-Commit
#!/bin/sh
GREEN='\033[0;32m'
YELLOW='\033[0;33m'
RED='\033[0;31m'
BLUE='\033[0;34m'
NC='\033[0m'
if git rev-parse --verify HEAD >/dev/null 2>&1
then
against=HEAD
else
against=$(git hash-object -t tree /dev/null)
fi
exec 1>&2
file_names=$(git diff --cached --name-only)
if [ -z "$file_names" ]; then
echo "${YELLOW}⚠️ --- Entro Pre-commit Hook ---${NC}"
echo "${YELLOW}⚠️ No files staged for commit. Skipping entro scan.${NC}"
exit 0
fi
total_files=$(echo "$file_names" | grep -c .)
current_file_num=0
echo "${BLUE}➡️ --- Entro Pre-commit Hook ---${NC}"
echo "${BLUE}➡️ Scanning ${total_files} staged files for secrets.${NC}"
echo "${BLUE}➡️ Files to be scanned:${NC}"
echo "$file_names" | sed 's/^/ - /'
echo "${BLUE}-------------------------------${NC}"
echo "${BLUE}➡️ --- Starting Entro Scan ---${NC}"
while IFS= read -r line; do
current_file_num=$((current_file_num + 1))
if [ "$total_files" -gt 0 ]; then
percentage=$(( (current_file_num * 100) / total_files ))
else
percentage=100
fi
echo "${BLUE}🔎 [${percentage}%] Scanning: ${line}${NC}"
out=$(entro scan "$line")
if [[ "$out" != *"Exposed Secrets: 0"* ]]; then
echo "${RED}--------------------------------------------------${NC}"
echo "$out"
echo "${RED}❌ !!! Exposed Secret Found in: ${line} !!!${NC}"
echo "${RED}❌ Commit aborted due to exposed secrets.${NC}"
exit 1
fi
done <<< "$file_names"
echo "${GREEN}✅ --- Entro Scan Completed: No secrets found ---${NC}"
echo "${GREEN}✅ Commit can proceed.${NC}"
exit 0
Test the Pre-Commit Hook
Response Example
➡️ --- Entro Pre-commit Hook ---
➡️ Scanning 1 staged files for secrets.
➡️ Files to be scanned:
- .env
-------------------------------
➡️ --- Starting Entro Scan ---
🔎 [100%] Scanning: .env
--------------------------------------------------
🔍 Scanning... 100% [████████████████████████████████████████] (1/1){
"exposed_secrets": [
{
"scanned_file_path": ".env",
"scan_result": {
"request_id": "80865613-7092-4927-9260-36e0e707ef1e",
"total_count": 1,
"results": [
{
"origin": "SLACK_WEBHOOK",
"value": "https://hooks.slack.com/se************************C2/pa3QgX8M89ghXZv4Kx8N1ZkL",
"line": 13
}
]
}
}
],
"errors": null
}
✅ Scan Completed!
📂 Total Scanned Files: 1
🚨 Files Containing Exposed Secrets: 1
❌ !!! Exposed Secret Found in: .env !!!