From e937b2502404585d641e93b730e4f07560d622c8 Mon Sep 17 00:00:00 2001
From: Byron Williams
Date: Fri, 8 May 2026 10:30:28 -0700
Subject: [PATCH] fix(security): scope TruffleHog hook to staged files only

Replace `trufflehog git file://. --since-commit HEAD` with a staged-files scan via `git diff --cached | xargs trufflehog filesystem`. The git-history mode also traverses fetched remote branches in the local object store, which produces false positives from placeholder credentials in unmerged branches. See `.claude/rules/pre-commit.md` invariant `PC-HOOK-STAGED-SCOPE` for the general principle (pre-commit hooks must scope to staged files only; full-history scanning belongs in CI).

Co-Authored-By: Claude Sonnet 4.6
---
 .pre-commit-config.yaml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index a945573..58a4f3e 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -63,10 +63,11 @@ repos:
 - id: trufflehog
 name: TruffleHog Secret Scanner
 description: Detect secrets in your data before committing
- entry: >-
- bash -c 'command -v trufflehog >/dev/null 2>&1 &&
- trufflehog git file://. --since-commit HEAD --results=verified,unknown --fail ||
- echo "TruffleHog not installed - skipping"'
+ # Scan staged files only. The git-history mode (--since-commit HEAD) also
+ # traverses fetched remote branches in the local object store, producing
+ # false positives from unmerged branches. Staged-file scanning is the
+ # correct scope for a pre-commit hook; git history scanning belongs in CI.
+ entry: bash -c 'command -v trufflehog >/dev/null 2>&1 && (git diff --cached -z --diff-filter=d --name-only 2>/dev/null | xargs -0 -r trufflehog filesystem --fail --no-update --results=verified,unknown) || echo "TruffleHog not installed - skipping secret scan"'
 language: system
 pass_filenames: false
 stages: [pre-commit]
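Review bot: A detected secret does not block the commit with the new `entry:` line: `--fail` makes trufflehog (and then xargs, as status 123) exit nonzero, but the trailing `|| echo "TruffleHog not installed - skipping secret scan"` runs on any nonzero status from the parenthesised group, so the hook prints the not-installed message and exits 0 precisely when there is a finding. The removed `>-` form had the same `&& … || echo` shape, so this is pre-existing rather than introduced here, but it leaves the hook's only purpose with a silent-pass failure mode. Separating the install check from the scan, as below, keeps the skip-when-missing behaviour while letting the scan's exit status reach pre-commit. A smaller point: `trufflehog filesystem` reads the working-tree copy of each listed path, so for a partially staged file (`git add -p`) the bytes scanned are not exactly the bytes being committed; if that is acceptable it deserves a comment next to the `git diff --cached` call.
```yaml
      # … unchanged: the four-line rationale comment above entry …
      entry: >-
        bash -c 'if ! command -v trufflehog >/dev/null 2>&1; then
        echo "TruffleHog not installed - skipping secret scan"; exit 0; fi;
        git diff --cached -z --diff-filter=d --name-only 2>/dev/null |
        xargs -0 -r trufflehog filesystem --fail --no-update --results=verified,unknown'
      language: system
```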