
Pre-receive hooks support #1520

Closed
savely-krasovsky opened this issue Jul 21, 2023 · 3 comments

Comments

@savely-krasovsky (Contributor)

Description

The current version (v3.44.0) does not support pre-receive hooks at all. go-git and the git utility don't see incoming commits. go-git cannot do it due to an upstream bug (go-git/go-git#812), while git needs special environment variables.

Problem to be Addressed

Pre-receive hooks are a nice way to improve security proactively.

Description of the Preferred Solution

I have prepared an initial fix, #1499, which allows the use of Trufflehog in pre-receive hooks. However, the functionality is still limited.

There are a few problems:

  1. The hook needs to scan only new commits. The --since-commit and --branch options allow scanning a specific range, but in some cases, commits have already been scanned when they were pushed to other branches. Usually, people use the --not --all flags with the git rev-list command to avoid this. So an easy fix would be to add an option that allows supplying Trufflehog with a list of commits that need to be scanned.
  2. Trufflehog should have an option for more compact output.
  3. It should probably also have an option to disable the verification mechanism; otherwise it will time out in internet-restricted environments.

References

@zricethezav (Collaborator)

@L11R Since releasing #1499, can this issue be closed? Is item 1 necessary?

Answering the other items:

> Trufflehog should have an option with more compact output.

TH will emit compact JSON output with the --json flag.

> Probably it should also have an option to disable verification mechanism, otherwise it will timeout in internet restricted environments.

There is; use --no-verification.

@savely-krasovsky (Contributor, Author)

@zricethezav yes, you could close it.

@roshvin commented Mar 20, 2024

Hi @L11R, could you please share some insight on how the pre-receive hook script is configured, or what command is run in the pre-receive hook?
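As an added example (not code from this issue or from the TruffleHog project), a minimal pre-receive hook that wires together the pieces discussed in the thread: `git rev-list <new> --not --all` to select only commits no existing ref already reaches, and `--since-commit`, `--branch`, `--json` and `--no-verification` for the scan. It assumes `git` and a `trufflehog` build that includes #1499 are on PATH, that git runs the hook inside the bare repository, and (an assumption) that `--json` prints one JSON object per finding on stdout.

```shell
#!/bin/sh
# Added example, not TruffleHog project code: a pre-receive hook that scans
# only the commits a push introduces. Assumes git/trufflehog on PATH and that
# git runs the hook in the bare repo with the env that exposes incoming objects.
ZERO_OID="0000000000000000000000000000000000000000"

# Map one "oldrev newrev" pair from stdin to TruffleHog range options.
# Ref deletions print nothing (nothing to scan); newly created refs have no
# old tip, so only --branch is emitted for them.
hook_args() {
  oldrev=$1; newrev=$2
  [ "$newrev" = "$ZERO_OID" ] && return 0
  if [ "$oldrev" = "$ZERO_OID" ]; then
    echo "--branch=$newrev"
  else
    echo "--since-commit=$oldrev --branch=$newrev"
  fi
}

# Commits reachable from the new tip but from no existing ref: the
# `--not --all` idiom from the issue, so history already pushed to another
# branch is not scanned twice.
new_commits() {
  git rev-list "$1" --not --all
}

# Count findings in --json output, assumed to be one JSON object per line on
# stdout (TruffleHog's log lines go to stderr). Prints 0 on empty input.
count_findings() {
  grep -c '^{' || true
}

main() {
  found=0
  while read -r oldrev newrev refname; do
    args=$(hook_args "$oldrev" "$newrev")
    [ -z "$args" ] && continue
    [ -z "$(new_commits "$newrev")" ] && continue   # nothing new to scan
    # --no-verification keeps the hook offline: no outbound calls, no timeouts.
    n=$(trufflehog git "file://$PWD" $args --json --no-verification | count_findings)
    found=$((found + n))
  done
  if [ "$found" -gt 0 ]; then
    echo "pre-receive: rejecting push, TruffleHog reported $found potential secret(s)" >&2
    exit 1
  fi
}

if [ "${0##*/}" = "pre-receive" ]; then main; fi
```

The final guard runs the loop only when the file is installed as `hooks/pre-receive`, so the functions can also be sourced and checked on their own.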
