#!/bin/bash
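# Git pre-commit hook: reject a commit whose staged ADDITIONS contain
# private-key material (kubeconfig client keys, PEM/OpenSSH private keys).
#
# Only pattern names, match counts and file names are reported -- never the
# matching line itself -- so the secret is not copied into terminal
# scrollback, shell history or CI logs. Removed lines are ignored, so a
# commit that deletes a previously leaked key is not blocked.
set -u

# Literal strings (matched with grep -F) that indicate private-key material.
readonly -a SENSITIVE_PATTERNS=(
  "client-key-data:"
  "BEGIN RSA PRIVATE KEY"
  "BEGIN EC PRIVATE KEY"
  "BEGIN DSA PRIVATE KEY"
  "BEGIN OPENSSH PRIVATE KEY"
  "BEGIN PRIVATE KEY"
)

#######################################
# Print the content of lines ADDED by a unified diff read from stdin, with
# the leading '+' stripped. Removed and context lines are dropped. The
# '+++ ' file headers are skipped (a content line that itself begins with
# "++ " is dropped too; accepted as harmless for this check).
# Outputs:   added lines to stdout
#######################################
added_lines() {
  sed -n -e '/^+++ /d' -e 's/^+//p'
}

#######################################
# Scan a unified diff read from stdin for SENSITIVE_PATTERNS in added lines.
# Globals:   SENSITIVE_PATTERNS (read)
# Outputs:   one report line per matching pattern (name and count only)
# Returns:   0 if nothing matched, 1 if at least one pattern matched
#######################################
scan_diff() {
  local added pattern count matched=0
  added=$(added_lines)
  for pattern in "${SENSITIVE_PATTERNS[@]}"; do
    # -F: the pattern is a literal, not a regex; -c: report a count and
    # never print the matching line (it would contain the secret).
    count=$(grep -c -F -- "$pattern" <<<"$added")
    if (( count > 0 )); then
      printf '  pattern "%s" found in %s added line(s)\n' "$pattern" "$count"
      matched=1
    fi
  done
  return "$matched"
}

#######################################
# Secondary check for files named like kubeconfigs: any added line carrying
# a client key or any "BEGIN ... PRIVATE KEY" banner (broader than the
# literal list above, e.g. encrypted keys).
# Arguments: $1 - staged path
# Returns:   0 if the file adds key material, 1 otherwise
#######################################
kubeconfig_adds_key() {
  local f=$1
  # -E instead of the GNU-only '\|' alternation so the hook also works with
  # BSD/macOS grep.
  git diff --cached --diff-filter=ACM -U0 -- "$f" \
    | added_lines \
    | grep -E -q 'client-key-data|BEGIN.*PRIVATE KEY'
}

#######################################
# Entry point: walk every staged added/copied/modified file and run both
# checks. Paths are read NUL-delimited so names containing whitespace are
# handled as a single file.
# Returns:   0 to allow the commit, 1 to reject it
#######################################
main() {
  local f report found=0
  while IFS= read -r -d '' f; do
    report=$(git diff --cached --diff-filter=ACM -U0 -- "$f" | scan_diff)
    if [[ -n "$report" ]]; then
      printf 'ERROR: Sensitive content detected in staged file: %s\n' "$f" >&2
      printf '%s\n' "$report" >&2
      found=1
    fi
    if [[ "$f" == *.conf || "$f" == *.kubeconfig ]] && kubeconfig_adds_key "$f"; then
      printf 'ERROR: Kubeconfig file with private key detected: %s\n' "$f" >&2
      found=1
    fi
  done < <(git diff --cached --name-only --diff-filter=ACM -z)

  if (( found )); then
    printf '%s\n' "Please remove sensitive data before committing." >&2
    printf '%s\n' "Commit rejected. Use 'git commit --no-verify' to bypass (NOT recommended)." >&2
    return 1
  fi
  return 0
}

main "$@"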