Pre-commit security validation and secret detection. Runs detect-secrets scan and audit workflow, validates secrets baseline, and integrates with pre-commit hooks to prevent credential leaks. Use when user mentions scanning for secrets, detect-secrets, secret detection, credential scanning, pre-commit security, or .secrets.baseline.
View on GitHub: laurigates/claude-plugins
git-plugin
January 24, 2026
```bash
npx add-skill https://github.com/laurigates/claude-plugins/blob/main/git-plugin/skills/git-security-checks/SKILL.md -a claude-code --skill git-security-checks
```

Installation paths:
.claude/skills/git-security-checks/

# Git Security Checks

Expert guidance for pre-commit security validation and secret detection using detect-secrets and pre-commit hooks.

## Core Expertise

- **detect-secrets**: Scan for hardcoded secrets and credentials
- **Pre-commit Hooks**: Automated security validation before commits
- **Secrets Baseline**: Manage false positives and legitimate secrets
- **Security-First Workflow**: Prevent credential leaks before they happen

## detect-secrets Workflow

### Initial Setup

```bash
# Install detect-secrets
pip install detect-secrets

# Create initial baseline
detect-secrets scan > .secrets.baseline

# Audit baseline for false positives
detect-secrets audit .secrets.baseline
```

### Pre-commit Scan Workflow

Run detect-secrets before every commit:

```bash
# Scan for new secrets (using existing baseline)
detect-secrets scan --baseline .secrets.baseline

# If new secrets detected, audit them
detect-secrets audit .secrets.baseline

# Stage the updated baseline
git add .secrets.baseline
```

### Audit Process

When new secrets are detected:

```bash
# Run audit to review flagged items
detect-secrets audit .secrets.baseline

# For each detected secret:
# - Press 'y' if it's a real secret (DON'T COMMIT)
# - Press 'n' if it's a false positive (safe to commit)
# - Press 's' to skip for now

# After audit, re-scan to update baseline
detect-secrets scan --baseline .secrets.baseline
```

### Complete Pre-commit Security Flow

```bash
# 1. Scan for secrets with baseline
detect-secrets scan --baseline .secrets.baseline

# 2. If baseline updated, audit new findings
detect-secrets audit .secrets.baseline

# 3. Stage the updated baseline
git add .secrets.baseline

# 4. Run all pre-commit hooks
pre-commit run --all-files --show-diff-on-failure

# 5. Stage your actual changes
git add src/file.ts

# 6. Show what's staged
git status
git diff --cached --stat

# 7. Commit if everything passes
git commit -m "feat(auth): add authentication module"
```

## Pre-commit Hook Integration
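
One way to turn the audit outcome from the Audit Process above into a hard gate before committing: read `.secrets.baseline` and fail when any finding is labelled a real secret or has not been audited yet. This is an added example, not code from the skill or from detect-secrets; the function names and sample data are assumptions, and it relies on the `results` and `is_secret` fields of the detect-secrets 1.x baseline format.

```python
import json
import sys

# Constructed sample in the .secrets.baseline layout written by detect-secrets 1.x.
# File paths, line numbers and hashes are made up for illustration.
SAMPLE_BASELINE = {
    "version": "1.5.0",
    "results": {
        "src/config.ts": [
            {"type": "Secret Keyword", "hashed_secret": "0" * 40,
             "line_number": 12, "is_secret": True},
        ],
        "tests/fixtures.ts": [
            {"type": "Hex High Entropy String", "hashed_secret": "1" * 40,
             "line_number": 3, "is_secret": False},
            # No is_secret key: this finding has not been audited yet.
            {"type": "Base64 High Entropy String", "hashed_secret": "2" * 40,
             "line_number": 9},
        ],
    },
}

def classify(baseline):
    """Group baseline findings by audit label (hypothetical helper)."""
    groups = {"real": [], "false_positive": [], "unaudited": []}
    for filename, findings in sorted(baseline.get("results", {}).items()):
        for f in findings:
            label = f.get("is_secret")  # True, False, or absent before audit
            key = "real" if label is True else "false_positive" if label is False else "unaudited"
            groups[key].append((filename, f.get("line_number"), f.get("type")))
    return groups

def gate(baseline):
    """Return (exit_code, messages); non-zero when something should block the commit."""
    groups = classify(baseline)
    msgs = [f"BLOCK real secret: {fn}:{ln} ({t})" for fn, ln, t in groups["real"]]
    msgs += [f"BLOCK unaudited: {fn}:{ln} ({t})" for fn, ln, t in groups["unaudited"]]
    return (1 if msgs else 0), msgs

if __name__ == "__main__":
    # Pass the baseline path as the first argument; falls back to the sample.
    data = SAMPLE_BASELINE
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            data = json.load(fh)
    code, messages = gate(data)
    print("\n".join(messages) or "baseline clean")
    sys.exit(code)
```

Findings audited as false positives pass the gate, so the baseline can keep recording them without blocking commits.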