fix: harden hooks, scanner, and CLI behavior#52
Merged
pixincreate merged 25 commits intomainfrom May 4, 2026
Merged
Conversation
- Add shell injection protection in generated hooks (escape user input) - Make detector loading portable (check exe dir first, then CWD) - Handle non-UTF8 files gracefully (skip binary files) - Fix filenames with spaces via IFS= read -r in pre-commit hook - Distinguish secret detection (exit 1) from runtime errors - Clean CLI help text (remove typos and non-English text) - Add comprehensive tests for new features Closes #32
pixincreate
added
bug
- Add exit_code_on_secrets/no_secrets tests (verify findings behavior) - Add verify_integrity_flag test - Add exclude_pattern_filtering test (verify *.log exclusion works) - Add portable_config_loading test (detectors.toml loading) - Add hook_missing_binary_path and hook_missing_detectors_toml tests 21 tests now pass (was 14). Closes #32
- Document security hardening in hooks - Add Development section with just commands - Add Security Notes section - Update project structure - Add CHANGELOG entry for v1.1.0
- Move hook templates to templates/pre-push.sh and templates/pre-commit.sh - Rename v->escaped, ch->character for clarity - just check passes (21 tests)
- DEFAULT_BINARY_NAME constant - Remove generic render_template, use specific render_pre_push/pre_commit - Remove empty string placeholders from templates - just check passes
- find_keywatch() searches: PATH -> hook_dir -> target/debug - Works during development without cargo install - Remove blocking local hooks
Consolidate ScanMetadata and ReportMetadata into single struct. Move scan_time to report level, not metadata level.
- Add EXIT_MODE_ALWAYS, EXIT_MODE_CRITICAL, EXIT_MODE_STRICT constants - Add SEVERITY_HIGH constant - Use descriptive variable names instead of single-char - Remove redundant imports
- Output summary instead of JSON by default (verbose for full JSON) - Add install.sh script for easy installation to ~/.local/bin or /usr/local/bin - Add uninstall.sh script for clean removal - Update README with script-based installation instructions
- Rewrite README to be concise (~50 lines) - Add binary aliases: keywatch, watch (in addition to key-watch) - Simplify install script: cargo install first, then local binary fallback - Remove legacy hooks/keywatch.sh - Remove .pre-commit-config.yaml - Default: all repos allowed (no restrictions)
- Simplify README (~60 lines) - Rewrite CHANGELOG with clear sections - Add tests: binary_aliases, exit_mode_always, exit_mode_critical
- scanner_tests.rs (9 tests) - hooks_tests.rs (5 tests) - report_tests.rs (2 tests) - exit_tests.rs (5 tests) - utils_tests.rs (2 tests) 24 tests pass
There was a problem hiding this comment.
Pull request overview
This PR hardens and expands KeyWatch’s CLI and git-hook workflow by adding hook generation/installation, improving detector config discovery, adding non‑UTF8 handling, and reorganizing tests/docs to match the new behavior.
Changes:
- Add a hooks module + hook templates and a CLI pathway to install
pre-commit/pre-pushhooks. - Make detector loading more portable (exe-relative lookup) and make scanning handle non‑UTF8 files without crashing.
- Restructure the test suite and simplify documentation/packaging (new binaries/aliases, justfile, install script).
Reviewed changes
Copilot reviewed 23 out of 24 changed files in this pull request and generated 15 comments.
Show a summary per file
| File | Description |
|---|---|
tests/utils_tests.rs |
Adds tests for write_to_file and detector initialization. |
tests/scanner_tests.rs |
Adds scanning tests including exclusions and non‑UTF8 handling. |
tests/report_tests.rs |
Adds report serialization tests aligned to the new report shape. |
tests/integration_tests.rs |
Removes legacy integration tests (split into focused test modules). |
tests/hooks_tests.rs |
Adds tests for hook generation and basic template expectations. |
tests/exit_tests.rs |
Adds tests intended to cover exit behaviors (currently doesn’t assert process exit codes). |
templates/pre-push.sh |
New pre-push hook template with PATH/config checks and a scan invocation. |
templates/pre-commit.sh |
New pre-commit hook template to scan staged files. |
src/utils.rs |
Adds cross-platform make_executable() helper. |
src/scanner.rs |
Switches run_scan to Result, adds exclusion globs, non‑UTF8 skipping, multiline partitioning. |
src/report.rs |
Adjusts report schema + returns Result from create_report, adds severity counting helper. |
src/main.rs |
Adds hook install flow, integrity check, new exit-mode behavior and summary output. |
src/lib.rs |
Exports the new hooks module / re-exports hook generators. |
src/hooks.rs |
New module to render hook templates and attempt shell-escaping of CLI inputs. |
src/detector.rs |
Makes detector regex compilation fallible and adds exe-relative config lookup. |
src/cli.rs |
Extends CLI options for hooks, exclusions, exit modes, integrity verification, repo controls. |
scripts/install.sh |
Adds install/uninstall helper script and local install fallbacks. |
README.md |
Replaces long-form documentation with a shorter usage-focused README. |
justfile |
Adds just commands for common dev tasks. |
hooks/keywatch.sh |
Removes legacy hook script. |
CHANGELOG.md |
Updates changelog entries to reflect new features/cleanup. |
Cargo.toml |
Moves to Rust 2024 edition, adds multiple binaries/aliases, updates deps, adds glob. |
Cargo.lock |
Updates lockfile for dependency/version changes. |
.pre-commit-config.yaml |
Removes legacy pre-commit configuration. |
pixincreate
force-pushed
the
fix/keywatch-security-hooks
branch
from
d85d82e to
d3fa519
Compare
pixincreate
force-pushed
the
fix/keywatch-security-hooks
branch
from
d3fa519 to
6ecdb71
Compare
pixincreate
changed the title
pixincreate
force-pushed
the
fix/keywatch-security-hooks
branch
from
e49402a to
07070ac
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Security and usability fixes for KeyWatch:
Security
key-watchis on PATH before runningUsability
IFS= read -rfor safe handlingCleanup
Testing
test_non_utf8_file_handlingtest_hook_generation_pre_pushtest_hook_generation_pre_committest_hook_shell_escapingAll tests pass (14 total).
Files changed:
src/hooks.rs- New module for hook generationsrc/detector.rs- Portable config loadingsrc/scanner.rs- Non-UTF8 handlingsrc/lib.rs- Export hookssrc/main.rs- Use hooks moduletests/integration_tests.rs- New tests