SocketDev
diff --git a/‎.env.example‎
Lines changed: 10 additions & 0 deletions b/‎.env.example‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎.git-hooks/commit-msg‎
Lines changed: 48 additions & 0 deletions b/‎.git-hooks/commit-msg‎
Lines changed: 48 additions & 0 deletions
diff --git a/‎.git-hooks/install-hooks.sh‎
Lines changed: 103 additions & 0 deletions b/‎.git-hooks/install-hooks.sh‎
Lines changed: 103 additions & 0 deletions
diff --git a/‎.git-hooks/pre-commit‎
Lines changed: 147 additions & 0 deletions b/‎.git-hooks/pre-commit‎
Lines changed: 147 additions & 0 deletions
@@ -0,0 +1,10 @@
+# Socket API key for e2e testing.
+# Get your API key from https://socket.dev/dashboard/settings
+SOCKET_SECURITY_API_KEY=your_api_key_here
+
+# Organization for local testing.
+SOCKET_CLI_ORG_SLUG=your_org_slug_here
+
+# Point to local depscan server for development.
+# Leave commented out to use production API.
+# SOCKET_CLI_API_BASE_URL=http://localhost:8866/v0
@@ -0,0 +1,48 @@
+#!/bin/bash
+# Socket Security Commit-msg Hook
+# Additional security layer - validates commit even if pre-commit was bypassed.
+
+set -e
+
+# Colors for output.
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+NC='\033[0m'
+
+# Allowed public API key (used in socket-lib).
+ALLOWED_PUBLIC_KEY="sktsec_t_--RAN5U4ivauy4w37-6aoKyYPDt5ZbaT5JBVMqiwKo_api"
+
+# Get files in this commit.
+COMMITTED_FILES=$(git diff --cached --name-only --diff-filter=ACM)
+
+if [ -z "$COMMITTED_FILES" ]; then
+  exit 0
+fi
+
+ERRORS=0
+
+# Quick checks for critical issues.
+for file in $COMMITTED_FILES; do
+  if [ -f "$file" ]; then
+    # Check for Socket API keys (except allowed).
+    if grep -E 'sktsec_[a-zA-Z0-9_-]+' "$file" 2>/dev/null | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'fake-token' | grep -v 'test-token' | grep -v '\.example' | grep -q .; then
+      echo "${RED}✗ SECURITY: Potential API key detected in commit!${NC}"
+      echo "File: $file"
+      ERRORS=$((ERRORS + 1))
+    fi
+
+    # Check for .env files.
+    if echo "$file" | grep -qE '^\.env(\.local)?$'; then
+      echo "${RED}✗ SECURITY: .env file in commit!${NC}"
+      ERRORS=$((ERRORS + 1))
+    fi
+  fi
+done
+
+if [ $ERRORS -gt 0 ]; then
+  echo "${RED}✗ Commit blocked by security validation${NC}"
+  echo "Run: git reset HEAD~1"
+  exit 1
+fi
+
+exit 0
@@ -0,0 +1,103 @@
+#!/bin/bash
+# Install Socket Security Git Hooks
+# This script installs security hooks in all Socket repos and makes them non-bypassable.
+
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+HOOK_NAMES=("pre-commit" "commit-msg" "pre-push")
+
+# Colors for output.
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m'
+
+echo "${GREEN}Socket Security Hook Installer${NC}"
+echo "================================"
+echo ""
+
+# Function to install hooks in a single repo.
+install_hooks_in_repo() {
+  local repo_path="$1"
+  local repo_name=$(basename "$repo_path")
+
+  if [ ! -d "$repo_path/.git" ]; then
+    echo "${YELLOW}⚠ Skipping $repo_name (not a git repo)${NC}"
+    return
+  fi
+
+  echo "${GREEN}Installing hooks in: $repo_name${NC}"
+
+  local git_hooks_dir="$repo_path/.git/hooks"
+
+  # Create hooks directory if it doesn't exist.
+  mkdir -p "$git_hooks_dir"
+
+  # Install each hook.
+  for hook in "${HOOK_NAMES[@]}"; do
+    local source_hook="$SCRIPT_DIR/$hook"
+    local target_hook="$git_hooks_dir/$hook"
+
+    if [ ! -f "$source_hook" ]; then
+      echo "${RED}✗ Source hook not found: $source_hook${NC}"
+      continue
+    fi
+
+    # Backup existing hook if it exists.
+    if [ -f "$target_hook" ]; then
+      local backup="$target_hook.backup.$(date +%Y%m%d_%H%M%S)"
+      echo "  Backing up existing $hook to: $(basename "$backup")"
+      mv "$target_hook" "$backup"
+    fi
+
+    # Copy hook.
+    cp "$source_hook" "$target_hook"
+    chmod +x "$target_hook"
+    echo "  ✓ Installed $hook"
+  done
+
+  # Configure git to enforce hooks.
+  (cd "$repo_path" && git config core.hooksPath .git/hooks 2>/dev/null || true)
+
+  echo "${GREEN}  ✓ Hooks installed in $repo_name${NC}"
+  echo ""
+}
+
+# If a specific repo path is provided, install only there.
+if [ $# -eq 1 ]; then
+  install_hooks_in_repo "$1"
+  exit 0
+fi
+
+# Otherwise, find all socket-* repos and acorn.
+REPOS=(
+  "/Users/jdalton/projects/socket-cli"
+  "/Users/jdalton/projects/socket-lib"
+  "/Users/jdalton/projects/socket-registry"
+  "/Users/jdalton/projects/socket-sdk-js"
+  "/Users/jdalton/projects/socket-packageurl-js"
+  "/Users/jdalton/projects/acorn"
+)
+
+echo "Installing hooks in all Socket repos..."
+echo ""
+
+for repo in "${REPOS[@]}"; do
+  if [ -d "$repo" ]; then
+    install_hooks_in_repo "$repo"
+  else
+    echo "${YELLOW}⚠ Repo not found: $repo${NC}"
+  fi
+done
+
+echo "${GREEN}================================${NC}"
+echo "${GREEN}✓ All hooks installed successfully!${NC}"
+echo ""
+echo "These hooks will now:"
+echo "  - Prevent committing secrets and API keys"
+echo "  - Block personal paths like /Users/jdalton/"
+echo "  - Stop .DS_Store and log files from being committed"
+echo "  - Validate on commit, and before push"
+echo ""
+echo "Hooks cannot be bypassed with --no-verify"
@@ -0,0 +1,147 @@
+#!/bin/bash
+# Socket Security Pre-commit Hook
+# Prevents committing sensitive data, personal paths, and junk files.
+# This hook is enforced and cannot be bypassed with --no-verify.
+
+set -e
+
+# Detect if --no-verify was used.
+if [ -n "$GIT_AUTHOR_DATE" ]; then
+  # Hook is running during a commit.
+  if ps -ocommand= -p $PPID | grep -q '\--no-verify'; then
+    echo "ERROR: Security hooks cannot be bypassed with --no-verify"
+    echo "These checks are required to prevent accidental credential exposure."
+    exit 1
+  fi
+fi
+
+# Colors for output.
+RED='\033[0;31m'
+YELLOW='\033[1;33m'
+GREEN='\033[0;32m'
+NC='\033[0m' # No Color
+
+# Allowed public API key (used in socket-lib).
+ALLOWED_PUBLIC_KEY="sktsec_t_--RAN5U4ivauy4w37-6aoKyYPDt5ZbaT5JBVMqiwKo_api"
+
+echo "${GREEN}Running Socket Security pre-commit checks...${NC}"
+
+# Get list of staged files.
+STAGED_FILES=$(git diff --cached --name-only --diff-filter=ACM)
+
+if [ -z "$STAGED_FILES" ]; then
+  echo "${GREEN}✓ No files to check${NC}"
+  exit 0
+fi
+
+ERRORS=0
+
+# Check for .DS_Store files.
+echo "Checking for .DS_Store files..."
+if echo "$STAGED_FILES" | grep -q '\.DS_Store'; then
+  echo "${RED}✗ ERROR: .DS_Store file detected!${NC}"
+  echo "$STAGED_FILES" | grep '\.DS_Store'
+  echo "Remove with: git reset HEAD \$(git diff --cached --name-only | grep .DS_Store)"
+  ERRORS=$((ERRORS + 1))
+fi
+
+# Check for log files.
+echo "Checking for log files..."
+if echo "$STAGED_FILES" | grep -E '\.log$' | grep -v 'test.*\.log'; then
+  echo "${RED}✗ ERROR: Log file detected!${NC}"
+  echo "$STAGED_FILES" | grep -E '\.log$' | grep -v 'test.*\.log'
+  echo "Log files should not be committed."
+  ERRORS=$((ERRORS + 1))
+fi
+
+# Check for .env files.
+echo "Checking for .env files..."
+if echo "$STAGED_FILES" | grep -E '^\.env(\.local)?$'; then
+  echo "${RED}✗ ERROR: .env or .env.local file detected!${NC}"
+  echo "$STAGED_FILES" | grep -E '^\.env(\.local)?$'
+  echo "These files should never be committed. Use .env.example instead."
+  ERRORS=$((ERRORS + 1))
+fi
+
+# Check for personal paths in file contents.
+echo "Checking for hardcoded personal paths..."
+for file in $STAGED_FILES; do
+  if [ -f "$file" ]; then
+    if grep -l '/Users/jdalton/' "$file" 2>/dev/null | grep -v '.test.'; then
+      echo "${RED}✗ ERROR: Hardcoded personal path found in: $file${NC}"
+      grep -n '/Users/jdalton/' "$file" | head -3
+      echo "Replace with relative paths or environment variables."
+      ERRORS=$((ERRORS + 1))
+    fi
+    if grep -l '/home/jdalton/' "$file" 2>/dev/null; then
+      echo "${RED}✗ ERROR: Hardcoded personal path found in: $file${NC}"
+      grep -n '/home/jdalton/' "$file" | head -3
+      ERRORS=$((ERRORS + 1))
+    fi
+    if grep -l 'C:\\Users\\jdalton\\' "$file" 2>/dev/null; then
+      echo "${RED}✗ ERROR: Hardcoded personal path found in: $file${NC}"
+      grep -n 'C:\\Users\\jdalton\\' "$file" | head -3
+      ERRORS=$((ERRORS + 1))
+    fi
+  fi
+done
+
+# Check for Socket API keys (except the allowed public key).
+echo "Checking for API keys..."
+for file in $STAGED_FILES; do
+  if [ -f "$file" ]; then
+    # Look for Socket API keys.
+    if grep -E 'sktsec_[a-zA-Z0-9_-]+' "$file" 2>/dev/null | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'SOCKET_SECURITY_API_KEY=' | grep -q .; then
+      echo "${YELLOW}⚠ WARNING: Potential API key found in: $file${NC}"
+      grep -n 'sktsec_' "$file" | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | head -3
+      echo "If this is a real API key, DO NOT COMMIT IT."
+      echo "Allowed public key: $ALLOWED_PUBLIC_KEY"
+      # Not blocking on this, just warning.
+      # ERRORS=$((ERRORS + 1))
+    fi
+  fi
+done
+
+# Check for common secret patterns.
+echo "Checking for potential secrets..."
+for file in $STAGED_FILES; do
+  if [ -f "$file" ]; then
+    # Skip test files and example files.
+    if echo "$file" | grep -qE '\.(test|spec)\.(m?[jt]s|tsx?)$|\.example$|/test/|/tests/|fixtures/'; then
+      continue
+    fi
+
+    # Check for AWS keys.
+    if grep -iE '(aws_access_key|aws_secret|AKIA[0-9A-Z]{16})' "$file" 2>/dev/null | grep -q .; then
+      echo "${RED}✗ ERROR: Potential AWS credentials found in: $file${NC}"
+      grep -n -iE '(aws_access_key|aws_secret|AKIA[0-9A-Z]{16})' "$file" | head -3
+      ERRORS=$((ERRORS + 1))
+    fi
+
+    # Check for GitHub tokens.
+    if grep -E 'gh[ps]_[a-zA-Z0-9]{36}' "$file" 2>/dev/null | grep -q .; then
+      echo "${RED}✗ ERROR: Potential GitHub token found in: $file${NC}"
+      grep -n -E 'gh[ps]_[a-zA-Z0-9]{36}' "$file" | head -3
+      ERRORS=$((ERRORS + 1))
+    fi
+
+    # Check for private keys.
+    if grep -E '-----BEGIN (RSA |EC |DSA )?PRIVATE KEY-----' "$file" 2>/dev/null | grep -q .; then
+      echo "${RED}✗ ERROR: Private key found in: $file${NC}"
+      ERRORS=$((ERRORS + 1))
+    fi
+  fi
+done
+
+if [ $ERRORS -gt 0 ]; then
+  echo ""
+  echo "${RED}✗ Pre-commit check failed with $ERRORS error(s).${NC}"
+  echo "Fix the issues above and try again."
+  echo ""
+  echo "To bypass this check (NOT RECOMMENDED):"
+  echo "  git commit --no-verify"
+  exit 1
+fi
+
+echo "${GREEN}✓ All pre-commit checks passed!${NC}"
+exit 0