Add Aikido pre-commit hook feature with installation and testing scripts

Author: ProxayFox

README.md

@@ -73,12 +73,52 @@ Provides the Lazydocker TUI for managing Docker containers and docker-compose wo
 
 - `version` (string): Lazydocker version to install. Default: `"0.24.2"`
 
+### `aikido-precommit`
+
+Installs [AikidoSec's pre-commit hook](https://github.com/AikidoSec/pre-commit) for scanning secrets, passwords, and API keys before commits. Prevents accidentally committing sensitive information to repositories.
+
+**Features:**
+
+- Scans staged files for secrets, API keys, passwords, and sensitive data
+- Runs automatically on `git commit` when global hooks are configured
+- Supports Linux (x86_64, ARM64) and macOS (ARM64)
+- Lightweight binary with no runtime dependencies
+
+**Usage:**
+
+```jsonc
+{
+    "image": "mcr.microsoft.com/devcontainers/base:ubuntu",
+    "features": {
+        "ghcr.io/proxayfox/devcontainer-features/aikido-precommit:1": {}
+    }
+}
+```
+
+**Options:**
+
+- `version` (string): Version of the aikido-local-scanner to install. Default: `"v1.0.116"`
+- `setupGlobalHooks` (boolean): Configure git global hooks path. Default: `true`
+
+**Example:**
+
+```bash
+# Manual scan of a repository
+$ aikido-local-scanner pre-commit-scan /path/to/repo
+
+# Scan current repository
+$ aikido-local-scanner pre-commit-scan "$(git rev-parse --show-toplevel)"
+```
+
 ## Repository Structure
 
 This repository follows the standard dev container Features layout:
 
 ```text
 ├── src
+│   ├── aikido-precommit
+│   │   ├── devcontainer-feature.json
+│   │   └── install.sh
 │   ├── clickhouse-local
 │   │   ├── devcontainer-feature.json
 │   │   └── install.sh
@@ -88,6 +128,8 @@ This repository follows the standard dev container Features layout:
 ├── test
 │   ├── _global
 │   │   └── common-utils.sh
+│   ├── aikido-precommit
+│   │   └── test.sh
 │   ├── clickhouse-local
 │   │   └── test.sh
 │   └── lazydocker

src/aikido-precommit/README.md

@@ -0,0 +1,98 @@
+# Aikido Secrets Pre-commit Hook (aikido-precommit)
+
+Installs [AikidoSec's pre-commit hook](https://github.com/AikidoSec/pre-commit) for scanning secrets, passwords, and API keys before commits. This helps prevent accidentally committing sensitive information to your repositories.
+
+## Features
+
+- Scans staged files for secrets, API keys, passwords, and other sensitive data
+- Runs automatically on `git commit` when global hooks are configured
+- Supports Linux (x86_64, ARM64) and macOS (ARM64)
+- Lightweight binary with no runtime dependencies
+- Configurable version selection
+
+## Usage
+
+Add this Feature to your `devcontainer.json`:
+
+```jsonc
+{
+    "image": "mcr.microsoft.com/devcontainers/base:ubuntu",
+    "features": {
+        "ghcr.io/proxayfox/devcontainer-features/aikido-precommit:1": {}
+    }
+}
+```
+
+### With Custom Options
+
+```jsonc
+{
+    "image": "mcr.microsoft.com/devcontainers/base:ubuntu",
+    "features": {
+        "ghcr.io/proxayfox/devcontainer-features/aikido-precommit:1": {
+            "version": "v1.0.116",
+            "setupGlobalHooks": true
+        }
+    }
+}
+```
+
+## Options
+
+Option             | Type    | Default    | Description
+------------------ | ------- | ---------- | ------------------------------------------------------------------
+`version`          | string  | `v1.0.116` | Version of the aikido-local-scanner to install
+`setupGlobalHooks` | boolean | `true`     | Configure git global hooks path (set to `false` for download-only)
+
+## How It Works
+
+When `setupGlobalHooks` is `true` (default), the Feature:
+
+1. Installs the `aikido-local-scanner` binary to `/usr/local/bin/`
+2. Configures `git config --global core.hooksPath` to use `/etc/git-hooks/` (or respects an existing hooks path)
+3. Creates a `pre-commit` hook that runs the scanner on every commit
+
+When you run `git commit`, the scanner will:
+
+- Analyze staged files for potential secrets
+- Block the commit if secrets are detected
+- Allow the commit to proceed if no issues are found
+
+## Manual Usage
+
+You can also run the scanner manually:
+
+```bash
+# Scan a repository
+aikido-local-scanner pre-commit-scan /path/to/repo
+
+# Scan the current repository
+aikido-local-scanner pre-commit-scan "$(git rev-parse --show-toplevel)"
+```
+
+## Download-Only Mode
+
+If you prefer to manage git hooks yourself, set `setupGlobalHooks` to `false`:
+
+```jsonc
+{
+    "features": {
+        "ghcr.io/proxayfox/devcontainer-features/aikido-precommit:1": {
+            "setupGlobalHooks": false
+        }
+    }
+}
+```
+
+This installs only the binary without modifying your git configuration.
+
+## Supported Platforms
+
+- Linux x86_64
+- Linux ARM64
+- macOS ARM64 (Apple Silicon)
+
+## Resources
+
+- [AikidoSec Pre-commit Repository](https://github.com/AikidoSec/pre-commit)
+- [Aikido Security](https://www.aikido.dev/)

src/aikido-precommit/devcontainer-feature.json

@@ -0,0 +1,23 @@
+{
+    "name": "Aikido Secrets Pre-commit Hook",
+    "id": "aikido-precommit",
+    "version": "1.0.0",
+    "description": "Installs AikidoSec's pre-commit hook for scanning secrets, passwords, and API keys before commits",
+    "documentationURL": "https://github.com/AikidoSec/pre-commit",
+    "options": {
+        "version": {
+            "type": "string",
+            "default": "v1.0.116",
+            "description": "Version of the aikido-local-scanner to install"
+        },
+        "setupGlobalHooks": {
+            "type": "boolean",
+            "default": true,
+            "description": "Configure git global hooks path (set to false for download-only)"
+        }
+    },
+    "installsAfter": [
+        "ghcr.io/devcontainers/features/common-utils",
+        "ghcr.io/devcontainers/features/git"
+    ]
+}

src/aikido-precommit/install.sh

@@ -0,0 +1,159 @@
+#!/bin/bash
+
+set -e
+
+# Get options from environment (feature options are uppercase)
+VERSION="${VERSION:-"v1.0.116"}"
+SETUP_GLOBAL_HOOKS="${SETUPGLOBALHOOKS:-"true"}"
+
+# Normalize version format (ensure it starts with 'v')
+if [[ ! "$VERSION" =~ ^v ]]; then
+    VERSION="v${VERSION}"
+fi
+
+echo "Installing Aikido pre-commit scanner version ${VERSION}..."
+
+# Ensure required tools are installed
+export DEBIAN_FRONTEND=noninteractive
+
+install_if_missing() {
+    if ! command -v "$1" >/dev/null 2>&1; then
+        echo "Installing $1..."
+        apt-get update -y
+        apt-get install -y "$2"
+    fi
+}
+
+install_if_missing curl curl
+install_if_missing unzip unzip
+install_if_missing git git
+
+# Detect platform and architecture
+OS=$(uname -s)
+ARCH=$(uname -m)
+
+case "$OS" in
+    Linux)
+        PLATFORM="linux"
+        ;;
+    Darwin)
+        PLATFORM="darwin"
+        ;;
+    MINGW*|MSYS*|CYGWIN*)
+        PLATFORM="windows"
+        ;;
+    *)
+        echo "Error: Unsupported operating system: $OS"
+        exit 1
+        ;;
+esac
+
+case "$ARCH" in
+    x86_64)
+        ARCH_NAME="X86_64"
+        ;;
+    aarch64|arm64)
+        ARCH_NAME="ARM64"
+        ;;
+    *)
+        echo "Error: Unsupported architecture: $ARCH"
+        exit 1
+        ;;
+esac
+
+# Construct download URL
+BASE_URL="https://aikido-local-scanner.s3.eu-west-1.amazonaws.com/${VERSION}"
+BINARY_NAME="aikido-local-scanner"
+DOWNLOAD_FILE="${BINARY_NAME}.zip"
+DOWNLOAD_URL="${BASE_URL}/${PLATFORM}_${ARCH_NAME}/${DOWNLOAD_FILE}"
+
+echo "Downloading from: $DOWNLOAD_URL"
+
+# Create temp directory with cleanup trap
+TEMP_DIR=$(mktemp -d)
+trap 'rm -rf "$TEMP_DIR"' EXIT
+
+# Download the archive
+if ! curl -fsSL -o "${TEMP_DIR}/${DOWNLOAD_FILE}" "$DOWNLOAD_URL"; then
+    echo "Error: Failed to download aikido-local-scanner from $DOWNLOAD_URL"
+    exit 1
+fi
+
+# Extract and install
+echo "Extracting aikido-local-scanner..."
+unzip -q "${TEMP_DIR}/${DOWNLOAD_FILE}" -d "${TEMP_DIR}"
+
+# Install to /usr/local/bin (system-wide for container)
+INSTALL_DIR="/usr/local/bin"
+install -m 755 "${TEMP_DIR}/${BINARY_NAME}" "${INSTALL_DIR}/${BINARY_NAME}"
+
+echo "Installed ${BINARY_NAME} to ${INSTALL_DIR}/${BINARY_NAME}"
+
+# Setup global git hooks if requested
+if [ "$SETUP_GLOBAL_HOOKS" = "true" ]; then
+    echo "Configuring global git hooks..."
+
+    # Determine hooks directory
+    GLOBAL_HOOKS_DIR="/etc/git-hooks"
+
+    # Check if core.hooksPath is already set
+    EXISTING_HOOKS_PATH=$(git config --global core.hooksPath 2>/dev/null || echo "")
+
+    if [ -n "$EXISTING_HOOKS_PATH" ]; then
+        echo "Using existing hooks path: $EXISTING_HOOKS_PATH"
+        ACTUAL_HOOKS_DIR="$EXISTING_HOOKS_PATH"
+    else
+        echo "Setting global hooks path to: $GLOBAL_HOOKS_DIR"
+        git config --global core.hooksPath "$GLOBAL_HOOKS_DIR"
+        ACTUAL_HOOKS_DIR="$GLOBAL_HOOKS_DIR"
+    fi
+
+    # Create hooks directory if it doesn't exist
+    mkdir -p "$ACTUAL_HOOKS_DIR"
+
+    # Create/update pre-commit hook
+    PRECOMMIT_HOOK="${ACTUAL_HOOKS_DIR}/pre-commit"
+
+    # Define the Aikido hook snippet
+    AIKIDO_HOOK_START="# --- Aikido local scanner ---"
+    AIKIDO_HOOK_END="# --- End Aikido local scanner ---"
+    AIKIDO_HOOK_SNIPPET="${AIKIDO_HOOK_START}
+[ -x \"${INSTALL_DIR}/${BINARY_NAME}\" ] || { echo \"Aikido local scanner not found at ${INSTALL_DIR}/${BINARY_NAME}\"; exit 1; }
+REPO_ROOT=\"\$(git rev-parse --show-toplevel)\"
+\"${INSTALL_DIR}/${BINARY_NAME}\" pre-commit-scan \"\$REPO_ROOT\"
+${AIKIDO_HOOK_END}"
+
+    # Check if hook file exists and if Aikido snippet is already present
+    if [ -f "$PRECOMMIT_HOOK" ]; then
+        if grep -q "$AIKIDO_HOOK_START" "$PRECOMMIT_HOOK"; then
+            echo "Aikido hook already present in pre-commit, skipping..."
+        else
+            echo "Appending Aikido hook to existing pre-commit..."
+            echo "" >> "$PRECOMMIT_HOOK"
+            echo "$AIKIDO_HOOK_SNIPPET" >> "$PRECOMMIT_HOOK"
+        fi
+    else
+        echo "Creating new pre-commit hook..."
+        echo "#!/bin/sh" > "$PRECOMMIT_HOOK"
+        echo "" >> "$PRECOMMIT_HOOK"
+        echo "$AIKIDO_HOOK_SNIPPET" >> "$PRECOMMIT_HOOK"
+    fi
+
+    # Make hook executable
+    chmod +x "$PRECOMMIT_HOOK"
+
+    echo "Global pre-commit hook configured successfully!"
+fi
+
+# Verify installation
+if command -v aikido-local-scanner >/dev/null 2>&1; then
+    echo ""
+    echo "✅ aikido-local-scanner installed successfully!"
+    echo "   Location: $(which aikido-local-scanner)"
+    if [ "$SETUP_GLOBAL_HOOKS" = "true" ]; then
+        echo "   Global hooks: $(git config --global core.hooksPath)"
+    fi
+else
+    echo "❌ Error: aikido-local-scanner installation failed"
+    exit 1
+fi