Pre-receive hook support in Github enterprise

[roshvin]

Describe the bug
Pre-receive hook support in Github enterprise

Hi,

is there any option or example where we can use this as a pre-receive hook at Github Enterprise server.

Thanks

[bradlarsen]

Hi @roshvin, and thanks for the question.

I'm not aware of any example at present for using Nosey Parker in a pre-receive hook for GitHub Enterprise Server. (Presumably the use case there is to be able to scan for secrets at push time, and block pushing of commits that contain secrets.)

To make that work, you'd need to script some pieces: in a pre-receive hook, run noseyparker scan on the received content, and then perhaps noseyparker report -f json, followed by some test in the pre-receive hook that would cause it to fail if there were any Nosey Parker findings in the JSON output. I've not written such a thing myself.

One thing you would want to do if you set up a mechanism like this is specify a custom ruleset to only enable rules that have essentially no false positives, as you don't want to spuriously be blocking developer's commits. This mechanism is not well documented, but it involves writing a YAML file with the list of rule IDs that you want to enable, and then invoking noseyparker scan --rules-path YOUR_YAML_FILE --ruleset YOUR_RULESET_NAME.

See here for an example ruleset: https://github.com/praetorian-inc/noseyparker/blob/0cce95910be38058cc0cf00b548a892e3ed5dc35/crates/noseyparker/data/default/builtin/rulesets/default.yml

Let me know if you have questions about this and I will write up more documentation.

[roshvin]

Hi @bradlarsen thanks a lot for the quick help/support.