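--- a/.githooks/pre-commit
+++ b/.githooks/pre-commit
@@ -0,0 +1,47 @@
+#!/bin/sh
+set -eu
+
+if ! command -v semgrep >/dev/null 2>&1; then
+echo "semgrep is not installed or not in PATH; aborting commit." >&2
+exit 1
+fi
+
+if ! command -v gitleaks >/dev/null 2>&1; then
+echo "gitleaks is not installed or not in PATH; aborting commit." >&2
+exit 1
+fi
+
+if [ -f /opt/homebrew/etc/ca-certificates/cert.pem ]; then
+export SSL_CERT_FILE="${SSL_CERT_FILE:-/opt/homebrew/etc/ca-certificates/cert.pem}"
+fi
+
+export SEMGREP_SEND_METRICS="${SEMGREP_SEND_METRICS:-off}"
+export SEMGREP_LOG_FILE="${SEMGREP_LOG_FILE:-${TMPDIR:-/tmp}/semgrep-pre-commit.log}"
+
+files_file="$(mktemp "${TMPDIR:-/tmp}/semgrep-staged.XXXXXX")"
+trap 'rm -f "$files_file"' EXIT
+
+git diff --cached --name-only --diff-filter=ACMR -z > "$files_file"
+
+if [ ! -s "$files_file" ]; then
+exit 0
+fi
+
+echo "Running Gitleaks on staged changes..."
+
+gitleaks protect \
+--staged \
+--redact \
+--no-banner \
+--log-level warn
+
+echo "Running Semgrep on staged files..."
+
+xargs -0 semgrep \
+--config .semgrep.yml \
+--error \
+--baseline-commit HEAD \
+--disable-version-check \
+--metrics off \
+--quiet \
+< "$files_file"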
39 changes: 39 additions & 0 deletions .semgrep.yml
@@ -0,0 +1,39 @@
rules:
- id: dart-hardcoded-api-token
languages:
- dart
severity: ERROR
message: This looks like a hardcoded secret. Move credentials to secure storage or environment configuration.
pattern-regex: (?i)(api[_-]?key|secret|token|password|passwd|pwd)\s*[:=]\s*["'][A-Za-z0-9_./+=-]{16,}["']

- id: dart-insecure-md5
languages:
- dart
severity: ERROR
message: MD5 is not safe for security-sensitive hashing.
pattern-either:
- pattern: md5.convert(...)
- pattern: Hmac(md5, ...)

- id: dart-insecure-sha1
languages:
- dart
severity: ERROR
message: SHA-1 is not safe for security-sensitive hashing.
pattern-either:
- pattern: sha1.convert(...)
- pattern: Hmac(sha1, ...)

- id: dart-accept-all-certificates
languages:
- dart
severity: ERROR
message: Do not accept every TLS certificate. Validate the server certificate instead.
pattern: $CLIENT.badCertificateCallback = (...) => true

- id: generic-hardcoded-secret
languages:
- generic
severity: ERROR
message: This looks like a hardcoded secret. Move credentials to secure storage or environment configuration.
pattern-regex: (?i)(api[_-]?key|secret|token|password|passwd|pwd)\s*[:=]\s*['"][A-Za-z0-9_./+=-]{16,}['"]
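Review bot: The `pattern-regex` on the `generic-hardcoded-secret` rule (and the same expression in `dart-hardcoded-api-token`) requires `[:=]` to follow the key name directly, so a quoted key such as `"api_key": "…"` in JSON or YAML config is never matched because the closing quote sits between the name and the colon; allowing an optional quote, `(api[_-]?key|secret|token|password|passwd|pwd)["']?\s*[:=]\s*…`, closes that gap in both rules. `Hmac(sha1, ...)` is reported at ERROR with the message that SHA-1 is unsafe for hashing, but HMAC-SHA1 is not broken as a MAC and is still required by some protocols, so either lower that pattern's severity or reword the message to say the algorithm is deprecated rather than unsafe — otherwise the hook blocks legitimate interop code. The `dart-accept-all-certificates` pattern matches only the arrow form `(...) => true`; the block-bodied callback `(...) { return true; }` slips through, so add it as a second alternative under `pattern-either`. Whether the `generic` rule also runs on the `.semgrep.yml` and `.githooks` files themselves depends on semgrep's target selection, which I cannot confirm from here; a `paths:` exclude is cheap if it proves noisy.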
11 changes: 11 additions & 0 deletions README.md
Expand Up @@ -117,3 +117,14 @@ flutter build apk --release
flutter analyze
flutter test
```

## セキュリティチェック

コミット前に、ステージ済みの変更を Semgrep と Gitleaks で検査します。

```bash
brew install semgrep gitleaks
git config core.hooksPath .githooks
```

設定後は、`git commit` の実行時にセキュリティチェックが自動で行われます。