Linter update

.husky/lint-config.sh

@@ -1,9 +1,10 @@
 # This config file is sourced by the pre-commit script.
+# shellcheck disable=SC2034,SC2148
 
 # Change 1 to 0 to disable linting.
 enabled=1
 
-# Directories containing Node.js projects to be linted, separated by spaces.
+# Directories containing JavaScript projects to be linted, separated by spaces.
 node_dirs='backend frontend'
 
 # Command used to run a lint check.

.husky/pre-commit

@@ -3,6 +3,8 @@
 # produces a "cannot spawn" error with a bash shebang, since it uses dash.
 # However, dash is not available on many Unix-like systems.
 
+# shellcheck disable=SC2317
+
 log() {
 	echo "${0}: ${*}" >&2
 }
@@ -61,7 +63,7 @@ ask_yes_no() {
 	fi
 
 	while :; do
-		printf "${0}: ${prompt}"
+		printf "%s: %s" "${0}" "${prompt}"
 		read -r selection
 		selection="$(parse_yes_no "${selection}")"
 
@@ -86,7 +88,7 @@ ask_yes_no() {
 explain_no_verify() {
 	log "If you wish to bypass the lint check entirely,"
 	log "use the following command:"
-	log "    git commit --no-verify"
+	log "    NO_LINT=1 git commit"
 }
 
 dir_check() {
@@ -176,12 +178,17 @@ cancel() {
 
 main() {
 	config_file="$(dirname "${0}")/lint-config.sh"
+
+	# shellcheck source=./lint-config.sh
 	if ! . "${config_file}"; then
 		error "Error while sourcing config file '${config_file}'."
 		exit 1
 	fi
 
-	if [ "${enabled}" -eq 0 ]; then
+	secret_scan_script="$(dirname "${0}")/../.secret-scan/secret-scan.js"
+	node "${secret_scan_script}" || exit
+
+	if [ "${enabled}" = 0 ] || [ "${NO_LINT}" = 1 ]; then
 		warn "Lint check has been disabled."
 		exit 0
 	fi

.husky/pre-push

@@ -0,0 +1,3 @@
+#!/bin/sh
+secret_scan_script="$(dirname "${0}")/../.secret-scan/secret-scan.js"
+node "${secret_scan_script}"

.secret-scan/.gitignore

@@ -0,0 +1,2 @@
+/secret-scan-cache.json
+/secret-scan-report.json

.secret-scan/secret-scan-config.json

@@ -0,0 +1,35 @@
+{
+  "//": [
+    "Regexes used to scan the repository contents for secrets.",
+    "If possible, try to make the regex match the entire secret, or",
+    "allowedStrings might not work as expected. For example, if a regex",
+    "matches only 'mongodb', this string by itself does not contain any of the",
+    "strings in the allowlist, so it will still be flagged."
+  ],
+  "secretRegexes": {
+    "mongodbUrl": "mongodb([+]srv)?://[^\\s]+",
+    "firebaseJsonPrivateKeyFile": "-----BEGIN PRIVATE KEY-----[^\\s]+",
+    "emailAppPassword": "EMAIL_APP_PASSWORD=.*"
+  },
+  "//": [
+    "To prevent a particular string from being flagged, add it (or a substring",
+    "of it) to this array. This can be useful if your repository contains an",
+    "example of what a credential should look like, a development credential",
+    "(e.g. a database on localhost), or a previously leaked credential that",
+    "has already been revoked. Obviously, do not put active credentials here."
+  ],
+  "allowedStrings": [
+    "mongodb://127.0.0.1",
+    "mongodb://localhost",
+
+    "EMAIL_APP_PASSWORD=\"<example>\"",
+    "EMAIL_APP_PASSWORD='<example>'",
+    "EMAIL_APP_PASSWORD=\"xxx\""
+  ],
+  "//": [
+    "Do not check for secrets in these files. You should almost always use",
+    "allowedStrings instead of this. We only add this config because it",
+    "naturally contains things that look like secrets, but aren't."
+  ],
+  "skippedFiles": [".secret-scan/secret-scan-config.json"]
+}