ggshield
Document or create a configuration option to select hooked repositories globally
Is your feature request related to a problem? Please describe.
This is more of a question first, but maybe there is an improvement to be done: is there a simple way to configure the global git pre-commit hook to only trigger on specific repository names? Wildcard support would be appreciated 😎 It would be nice to have a config file, but doing it through the API would be better, to remotely enforce checks on all company laptops etc...
Describe the solution you'd like
Something like a .config/gitguardian.yml config file where we would configure properties like:
precommit.scan.allowlist = *
precommit.scan.ignorelist = *test-repo*
Describe alternatives you've considered
You can configure hooks per repository but it's not sustainable, it would be great to define an Org-level list of repositories where pre-commit is enabled, and disabled. Kudos if GGShield can fetch that configuration option from the API directly, meaning that the Org can just roll out the precommit hook, then configure it remotely too.
Additional context
Seems that the config doc page has no notion of "global config" at the tool level, it's more of a scanning config, not a "usage of the tool" config https://docs.gitguardian.com/internal-repositories-monitoring/gg_shield/configuration
Hi, that is an interesting question! Have you looked into using https://pre-commit.com/ as an alternative to the global hook? ggshield supports it, so you can configure it (and other tools) in all supported repositories.
Hi @agateau-gg! I left a comment on https://github.com/pre-commit/pre-commit/issues/281 but I believe this really is not yet supported, I don't want to add "yet another .config file" in all the repositories, just a global local config, and tell it to not scan some repositories 🤔
No luck, seems like pre-commit is not maintained 😢 I found a simple way to create a global git hook pre-commit denylist anyways, it would definitely be improved with wildcard support, even better I could fetch some random API to get the denylist, but that'd be nice to have directly in a GG API 😎
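# Take "owner/repo" from the origin URL (fields 4 and 5 of an https:// remote).
REPONAME=$(git config --get remote.origin.url | cut -d '/' -f 4,5)
echo "pre-commit author is deaf"
echo "Current repository is $REPONAME"
# grep -q prints nothing, so record its exit status as the command true or false.
# IN_ALLOW is recorded for an allowlist check; only the denylist decides below.
IN_DENY=false; IN_ALLOW=false
grep -Fxq -- "$REPONAME" ~/.config/gitguardian/denylist.txt && IN_DENY=true
grep -Fxq -- "$REPONAME" ~/.config/gitguardian/allowlist.txt && IN_ALLOW=true
if $IN_DENY
then
    echo "$REPONAME is not going to be scanned"
else
    echo "$REPONAME is going to be scanned"
fi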
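The denylist hook above with the wildcard matching the post asks for, as an added example that is not part of the original thread or ggshield's own code. The list paths come from the post; the function names, the deny-wins policy and the "missing allowlist means scan everything" default are assumptions, and `ggshield secret scan pre-commit` is ggshield's pre-commit scan command.

```shell
#!/bin/sh
# Added example: global pre-commit filter with wildcard deny/allow lists.
# List files hold one glob per line, e.g. "*test-repo*" or "acme/*" (constructed).

# Reduce an origin URL to "owner/repo" for https://, ssh:// and scp-style remotes.
repo_slug() {
    url=${1%/}
    url=${url%.git}
    case $url in
        *://*) url=${url#*://}; url=${url#*/} ;;   # drop scheme and host
        *:*)   url=${url#*:} ;;                    # git@host:owner/repo
    esac
    printf '%s\n' "$url"
}

# Return 0 when any non-empty, non-comment glob in file $2 matches string $1.
matches_list() {
    [ -r "$2" ] || return 1
    while IFS= read -r pat || [ -n "$pat" ]; do
        case $pat in ''|'#'*) continue ;; esac
        # Unquoted $pat is intentional: case treats it as a glob.
        case $1 in $pat) return 0 ;; esac
    done < "$2"
    return 1
}

# Policy (assumption): deny wins; a missing allowlist means "scan everything".
should_scan() {  # $1 slug, $2 denylist file, $3 allowlist file
    matches_list "$1" "$2" && return 1
    [ -r "$3" ] || return 0
    matches_list "$1" "$3"
}

# Hook entry point: fail closed (scan) when the repository has no origin.
hook_main() {
    dir=$HOME/.config/gitguardian
    slug=$(repo_slug "$(git config --get remote.origin.url)")
    if [ -n "$slug" ] && ! should_scan "$slug" "$dir/denylist.txt" "$dir/allowlist.txt"; then
        echo "$slug is not going to be scanned"
        return 0
    fi
    ggshield secret scan pre-commit "$@"
}
```

Saved as the global pre-commit hook, the file ends with the line `hook_main "$@"`.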
Great to hear you found an alternative solution! Going to forward your request internally, to see if this is something we want to tackle.
Cool ! It would be a nice feature yeah, you could even handle deeper configuration options per repository/team in theory, this is just a simple filtering
Got some feedback: this is likely going to be integrated as part of some ongoing work we are doing to improve the global configuration. I can't give you an ETA though, so let's just keep this issue open for now.