Add detect-secrets as a new git hook

onnimonni · onnimonni · commit 387c2cd90bdd · 2025-03-15T22:36:54.000+01:00
diff --git a/modules/hooks.nix b/modules/hooks.nix
@@ -2556,6 +2556,26 @@ in
           entry = "${hooks.detect-private-keys.package}/bin/detect-private-key";
           types = [ "text" ];
         };
+      detect-secrets =
+        {
+          name = "detect-secrets";
+          description = "An enterprise friendly way of detecting and preventing secrets in code.";
+          package = tools.detect-secrets;
+          entry =
+            let
+              # 1. Check if `.secrets.baseline` exists if not we need to run `detect-secrets scan` to create it.
+              # 2. Run `detect-secrets audit .secrets.baseline` to scan the files.
+              script = pkgs.writeShellScript "precommit-detect-secrets" ''
+                if [ ! -f .secrets.baseline ]; then
+                  ${hooks.detect-secrets.package}/bin/detect-secrets scan
+                fi
+                ${hooks.detect-secrets.package}/bin/detect-secrets audit .secrets.baseline
+              '';
+            in
+              toString
+              script;
+          types = [ "text" ];
+        };
       dhall-format = {
         name = "dhall-format";
         description = "Dhall code formatter.";
