CLI-248 git hooks

[kirill-knize-sonarsource]

No description provided.

[sonar-review-alpha]

Summary

What changed: Refactored git hook logic from shell scripts to TypeScript callback handlers. Previously, pre-commit and pre-push hooks contained inline shell logic for scanning staged/pushed files for secrets. This PR moves that logic into two new TypeScript commands: sonar hook git-pre-commit and sonar hook git-pre-push.

Why: Maintains feature parity while improving maintainability, testability, and consistency with the callback infrastructure pattern established in CLI-244-245. The implementation is now easier to evolve and test compared to embedded shell scripts.

What's new:

• git-pre-commit.ts: Scans staged files via git diff --cached, skipping gracefully if not authenticated or if the secrets binary isn't installed
• git-pre-push.ts: Scans files in new commits, with logic to handle branch deletions and new branches (comparing against empty tree when needed)
• stdin.ts: Utilities for reading git push refs from stdin and parsing JSON payloads, with 5-second timeout to prevent hanging
• Shell scripts simplified: Now just resolve the binary path and invoke the CLI callback instead of doing the work inline
• Enhanced spawnProcess to support writing data to stdin (used by pre-push to generate empty tree with git mktree)
• Registered two new hook commands in command-tree.ts

What reviewers should know

Start here:

1. Read the shell script changes in git-shell-fragments.ts to see how hooks went from ~50 lines of script logic to 1 line calling the CLI
2. Review git-pre-commit.ts — straightforward implementation that mirrors the old shell logic
3. Review git-pre-push.ts — more complex, handles three scenarios: branch deletion (skip), existing branch (diff two SHAs), and new branch (special handling with empty tree or rev-list)

Key implementation details:

• Both handlers silently return on auth failure or missing binary (fail-open: push/commit proceeds)
• git-pre-push must handle empty tree creation for new branches pushed when no other remotes exist (getEmptyTree() helper)
• stdin.ts provides two paths: raw stdin reading with timeout (for git hook refs), and JSON parsing (for future hooks)
• The timeout prevents hooks from hanging indefinitely waiting for stdin

For reviewers:

• File changes are isolated: hook handlers → command registration → shell script simplification → utils
• Tests are comprehensive: unit tests for the logic, integration tests for end-to-end scenarios
• Behavior is unchanged — this is a like-for-like refactor of existing functionality, not new features

---

• Generate Walkthrough
• Generate Diagram

🗣️ Give feedback

[hashicorp-vault-sonar-prod]

CLI-280

[sonar-review-alpha]

Conclusion: Solid PR — the migration from inline shell logic to TypeScript callback handlers is clean and well-tested. One logic duplication worth tidying up before merge.

🗣️ Give feedback

[sonar-review-alpha]

Logic duplication: This try-catch block — scanFiles → check EXIT_CODE_SECRETS_FOUND → re-throw as CommandFailedError, with a catch that re-throws CommandFailedError and wraps everything else — is duplicated verbatim in git-pre-push.ts lines 52–61. The only differences are the error message strings ('staged files' vs 'pushed commits') and the debug log prefix.

If the exit-code check or error-wrapping logic ever needs to change (e.g. new exit codes, changed error format, added telemetry), both files must be updated in sync.

Extract a shared helper into secrets-scan.ts (or a new run-secrets.ts), e.g.:

export async function runSecretsOrFail(
  binaryPath: string,
  files: string[],
  auth: ResolvedAuth,
  context: string,
): Promise<void> {
  try {
    const exitCode = await scanFiles(binaryPath, files, auth);
    if (exitCode === EXIT_CODE_SECRETS_FOUND) {
      throw new CommandFailedError(`Secrets detected in ${context}`);
    }
  } catch (err) {
    if (err instanceof CommandFailedError) throw err;
    logger.debug(`${context} secrets scan failed: ${(err as Error).message}`);
    throw new CommandFailedError('Secrets scan failed');
  }
}

Then call await runSecretsOrFail(binaryPath, stagedFiles, auth, 'staged files') and await runSecretsOrFail(binaryPath, files, auth, 'pushed commits') respectively.

• Mark as noise

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues
0 New dependency risks

Measures
0 Security Hotspots
96.8% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sonar-review-alpha]

LGTM! ✅

The logic duplication flagged in the prior review round — the try/catch block that wraps runSecretsBinary, checks EXIT_CODE_SECRETS_FOUND, and re-throws as CommandFailedError — remains identical in both git-pre-commit.ts (lines 48–58) and git-pre-push.ts (lines 52–62). That issue is still open.

🗣️ Give feedback