CLI-248 Git hook callbacks for pre-commit and pre-push

Author: kirill-knize-sonarsource

src/cli/command-tree.ts

@@ -40,6 +40,8 @@ import { MAX_PAGE_SIZE } from '../sonarqube/projects';
 import { apiCommand, apiExtraHelpText, type ApiCommandOptions } from './commands/api/api';
 import { GENERIC_HTTP_METHODS } from '../sonarqube/client';
 import { claudePreToolUse } from './commands/hook/claude-pre-tool-use';
+import { gitPreCommit } from './commands/hook/git-pre-commit';
+import { gitPrePush } from './commands/hook/git-pre-push';
 
 const DEFAULT_PAGE_SIZE = MAX_PAGE_SIZE;
 
@@ -231,42 +233,49 @@ COMMAND_TREE.command('self-update')
 
 // Hidden callback command — internal handlers for agent and git hooks.
 // Shell hook scripts call `sonar hook <event>` to delegate all business logic to TypeScript.
-export const callbackCommand = COMMAND_TREE.command('hook', { hidden: true })
+export const hookCommand = COMMAND_TREE.command('hook', { hidden: true })
   .description('Internal callback handlers for agent and git hooks')
   .enablePositionalOptions()
   .anonymousAction(function (this: Command) {
     this.outputHelp();
   });
 
-callbackCommand
+hookCommand
   .command('claude-pre-tool-use')
   .description('PreToolUse handler: scan files for secrets before agent reads them')
   .anonymousAction(() => claudePreToolUse());
 
 // codex-pre-tool-use reuses the same handler (same hook event, different agent name)
-callbackCommand
+hookCommand
   .command('codex-pre-tool-use')
   .description('PreToolUse handler for Codex: scan files for secrets before agent reads them')
   .anonymousAction(() => claudePreToolUse());
 
-// agent-prompt-submit and agent-post-tool-use are installed by `sonar integrate claude`.
-// They are implemented in subsequent PRs; stubs here ensure scripts don't fail with
-// "unknown command" on a CLI that only has CLI-244/245.
-callbackCommand
+hookCommand
   .command('agent-prompt-submit')
   .description('UserPromptSubmit handler: scan prompts for secrets before sending')
   .anonymousAction(() => {
     return;
   });
 
-callbackCommand
+hookCommand
   .command('agent-post-tool-use')
   .option('-p, --project <project>', 'SonarCloud project key')
   .description('PostToolUse handler: run SQAA analysis on modified files')
   .anonymousAction(() => {
     return;
   });
 
+hookCommand
+  .command('git-pre-commit')
+  .description('git pre-commit handler: scan staged files for secrets')
+  .anonymousAction(() => gitPreCommit());
+
+hookCommand
+  .command('git-pre-push')
+  .description('git pre-push handler: scan files in new commits for secrets')
+  .anonymousAction(() => gitPrePush());
+
 // Hidden flush command — only registered when running as a telemetry worker.
 if (process.env[TELEMETRY_FLUSH_MODE_ENV]) {
   COMMAND_TREE.command('flush-telemetry', { hidden: true }).anonymousAction(flushTelemetry);

src/cli/commands/hook/git-pre-commit.ts

@@ -0,0 +1,65 @@
+/*
+ * SonarQube CLI
+ * Copyright (C) 2026 SonarSource Sàrl
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+
+// git pre-commit callback handler — scans staged files for secrets before commit.
+// Replaces the shell logic that was previously embedded in the git hook script.
+
+import { resolveAuth } from '../../../lib/auth-resolver';
+import logger from '../../../lib/logger';
+import { spawnProcess } from '../../../lib/process';
+import { resolveSecretsBinaryPath, scanFiles, EXIT_CODE_SECRETS_FOUND } from './secrets-scan';
+import { CommandFailedError } from '../_common/error';
+
+export async function gitPreCommit(): Promise<void> {
+  const stagedFiles = await getStagedFiles();
+  if (stagedFiles.length === 0) return;
+
+  const auth = await resolveAuth().catch(() => null);
+  if (!auth) return; // not authenticated — skip gracefully
+
+  const binaryPath = resolveSecretsBinaryPath();
+  if (!binaryPath) return; // binary not installed — skip gracefully
+
+  try {
+    const exitCode = await scanFiles(binaryPath, stagedFiles, auth);
+    if (exitCode === EXIT_CODE_SECRETS_FOUND) {
+      throw new CommandFailedError('Secrets detected in staged files');
+    }
+  } catch (err) {
+    if (err instanceof CommandFailedError) throw err;
+    logger.debug(`git pre-commit secrets scan failed: ${(err as Error).message}`);
+    throw new CommandFailedError('Secrets scan failed');
+  }
+}
+
+async function getStagedFiles(): Promise<string[]> {
+  try {
+    const result = await spawnProcess('git', [
+      'diff',
+      '--cached',
+      '--name-only',
+      '--diff-filter=ACMR',
+    ]);
+    if (result.exitCode !== 0) return [];
+    return result.stdout.trim().split('\n').filter(Boolean);
+  } catch {
+    return [];
+  }
+}

src/cli/commands/hook/git-pre-push.ts

@@ -0,0 +1,130 @@
+/*
+ * SonarQube CLI
+ * Copyright (C) 2026 SonarSource Sàrl
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+
+// git pre-push callback handler — scans files in new commits for secrets before push.
+// Replaces the shell logic that was previously embedded in the git hook script.
+
+import { resolveAuth } from '../../../lib/auth-resolver';
+import logger from '../../../lib/logger';
+import { spawnProcess } from '../../../lib/process';
+import { resolveSecretsBinaryPath, scanFiles, EXIT_CODE_SECRETS_FOUND } from './secrets-scan';
+import { readGitPushRefs } from './stdin';
+import type { PushRef } from './stdin';
+import { CommandFailedError } from '../_common/error';
+
+const GIT_NULL_OID = '0000000000000000000000000000000000000000';
+
+export async function gitPrePush(): Promise<void> {
+  const refs = await readGitPushRefs();
+  if (refs.length === 0) return;
+
+  const auth = await resolveAuth().catch(() => null);
+  if (!auth) return; // not authenticated — skip gracefully
+
+  const binaryPath = resolveSecretsBinaryPath();
+  if (!binaryPath) return; // binary not installed — skip gracefully
+
+  const emptyTree = await getEmptyTree();
+
+  for (const ref of refs) {
+    if (ref.localSha === GIT_NULL_OID) continue; // branch deletion — nothing to scan
+
+    const files = await getFilesForRef(ref, emptyTree);
+    if (files.length === 0) continue;
+
+    try {
+      const exitCode = await scanFiles(binaryPath, files, auth);
+      if (exitCode === EXIT_CODE_SECRETS_FOUND) {
+        throw new CommandFailedError('Secrets detected in pushed commits');
+      }
+    } catch (err) {
+      if (err instanceof CommandFailedError) throw err;
+      logger.debug(`git pre-push secrets scan failed: ${(err as Error).message}`);
+      throw new CommandFailedError('Secrets scan failed');
+    }
+  }
+}
+
+async function getEmptyTree(): Promise<string> {
+  try {
+    const result = await spawnProcess('git', ['mktree'], { stdin: 'pipe', stdinData: '' });
+    return result.stdout.trim() || GIT_NULL_OID;
+  } catch {
+    return GIT_NULL_OID;
+  }
+}
+
+async function getFilesForRef(ref: PushRef, emptyTree: string): Promise<string[]> {
+  try {
+    if (ref.remoteSha === GIT_NULL_OID) {
+      return await getFilesForNewBranch(ref.localSha, emptyTree);
+    }
+    const result = await spawnProcess('git', [
+      'diff',
+      '--name-only',
+      '--diff-filter=ACMR',
+      ref.remoteSha,
+      ref.localSha,
+    ]);
+    return result.stdout.trim().split('\n').filter(Boolean);
+  } catch {
+    return [];
+  }
+}
+
+async function getFilesForNewBranch(localSha: string, emptyTree: string): Promise<string[]> {
+  try {
+    const commitsResult = await spawnProcess('git', ['rev-list', localSha, '--not', '--remotes']);
+    const commits = commitsResult.stdout.trim().split('\n').filter(Boolean);
+
+    if (commits.length > 0) {
+      const fileSet = new Set<string>();
+      for (const commit of commits) {
+        const result = await spawnProcess('git', [
+          'diff-tree',
+          '--root',
+          '--no-commit-id',
+          '-r',
+          '--name-only',
+          '--diff-filter=ACMR',
+          commit,
+        ]);
+        result.stdout
+          .trim()
+          .split('\n')
+          .filter(Boolean)
+          .forEach((f) => fileSet.add(f));
+      }
+      return Array.from(fileSet);
+    }
+
+    // No other remotes — diff full branch against empty tree
+    const result = await spawnProcess('git', [
+      'diff',
+      '--name-only',
+      '--diff-filter=ACMR',
+      emptyTree,
+      localSha,
+    ]);
+    return result.stdout.trim().split('\n').filter(Boolean);
+  } catch {
+    return [];
+  }
+}

src/cli/commands/hook/stdin.ts

@@ -23,6 +23,51 @@
 
 const STDIN_TIMEOUT_MS = 5000;
 
+export interface PushRef {
+  localRef: string;
+  localSha: string;
+  remoteRef: string;
+  remoteSha: string;
+}
+
+/**
+ * Read git pre-push refs from stdin.
+ * Git passes refs as raw space-separated lines: <localRef> <localSha> <remoteRef> <remoteSha>
+ * Returns an empty array on timeout or error.
+ */
+export async function readGitPushRefs(): Promise<PushRef[]> {
+  let timeoutId: ReturnType<typeof setTimeout> | undefined;
+  try {
+    return await Promise.race([
+      new Promise<PushRef[]>((resolve) => {
+        const chunks: Buffer[] = [];
+        process.stdin.on('data', (chunk: Buffer) => chunks.push(chunk));
+        process.stdin.on('end', () => {
+          const raw = Buffer.concat(chunks).toString('utf-8');
+          const refs = raw
+            .trim()
+            .split('\n')
+            .filter(Boolean)
+            .map((line) => {
+              const [localRef, localSha, remoteRef, remoteSha] = line.split(' ');
+              return { localRef, localSha, remoteRef, remoteSha };
+            })
+            .filter((r) => r.localSha && r.remoteSha);
+          resolve(refs);
+        });
+        process.stdin.on('error', () => {
+          resolve([]);
+        });
+      }),
+      new Promise<PushRef[]>((resolve) => {
+        timeoutId = setTimeout(() => { resolve([]); }, STDIN_TIMEOUT_MS);
+      }),
+    ]);
+  } finally {
+    clearTimeout(timeoutId);
+  }
+}
+
 /**
  * Read stdin, parse as JSON, and return the result typed as T.
  * Throws if stdin is not valid JSON or if the read times out.