Pre receive hook feature for secret scan(AST-89345) (#1146)

* Moved to common hooks place

* removed common hooks code

* Added pre receive commands

* Adding the commit version of secret detection

# Conflicts:
#	go.mod

# Conflicts:
#	go.sum

# Conflicts:
#	go.sum

* Added pre receive in Hooks doc

* formatted

* typo changes

* formatted the file

* Adding secret detection to depgaurd allow list

* removed whitespace

* formatted with gofmt

* indentation

* indentation

* indentation

* url and formatting fixes

* indentation alignment

* Unit and integration tests

* lint issues fixed

* formatted unit test file

* setting global config git

* changing cx path

* adjusting cx path

* check if cx path exist

* check if cx path exist

* added cxPath

* Adding githubUser and email

* renaming functions

* url and formatting fixes

* indentation alignment

* Unit and integration tests

* lint issues fixed

* formatted unit test file

* setting global config git

* changing cx path

* adjusting cx path

* check if cx path exist

* check if cx path exist

* added cxPath

* Adding githubUser and email

* renaming functions

* removed the git username

* using github actor

* go mod file updated

* Added additional tests for coverage

* secret detection version upgrade

* updegraded the version

* updegraded the version

* updegraded the version

* added latest version of secret detection 1.2.1

* pre receive validate command

* updated the versions

* formatted files

* formatted imports

* reverted the changed manifest parser version back to main

* changed the help text

* removed usused go sum

Author: cx-anjali-deore

.github/workflows/ci.yml

@@ -89,6 +89,7 @@ jobs:
           BITBUCKET_USERNAME: ${{ secrets.BITBUCKET_USERNAME }}
           BITBUCKET_PASSWORD: ${{ secrets.BITBUCKET_PASSWORD }}
           GITLAB_TOKEN: ${{ secrets.GITLAB_TOKEN }}
+          GITHUB_ACTOR: ${{ github.actor }}
           PR_BITBUCKET_TOKEN: ${{ secrets.PR_BITBUCKET_TOKEN }}
           PR_BITBUCKET_NAMESPACE: "AstSystemTest"
           PR_BITBUCKET_REPO_NAME: "cliIntegrationTest"

.golangci.yml

@@ -49,6 +49,8 @@ linters-settings:
           - github.com/CheckmarxDev/containers-resolver/pkg/containerResolver
           - github.com/Checkmarx/manifest-parser/pkg/parser/models
           - github.com/Checkmarx/manifest-parser/pkg/parser
+          - github.com/Checkmarx/secret-detection/pkg/hooks/pre-commit
+          - github.com/Checkmarx/secret-detection/pkg/hooks/pre-receive
           - github.com/Checkmarx/gen-ai-prompts/prompts/sast_result_remediation
           - github.com/spf13/viper
           - github.com/checkmarx/2ms/v3/lib/reporting

go.mod

@@ -8,7 +8,7 @@ require (
 	github.com/Checkmarx/gen-ai-prompts v0.0.0-20240807143411-708ceec12b63
 	github.com/Checkmarx/gen-ai-wrapper v1.0.2
 	github.com/Checkmarx/manifest-parser v0.1.0
-	github.com/Checkmarx/secret-detection v0.0.3-0.20250327150305-31c2c3be9edf
+	github.com/Checkmarx/secret-detection v1.2.1
 	github.com/MakeNowJust/heredoc v1.0.0
 	github.com/bouk/monkey v1.0.0
 	github.com/checkmarx/2ms/v3 v3.21.0
@@ -85,7 +85,6 @@ require (
 	github.com/charmbracelet/x/ansi v0.8.0 // indirect
 	github.com/charmbracelet/x/cellbuf v0.0.13 // indirect
 	github.com/charmbracelet/x/term v0.2.1 // indirect
-	github.com/checkmarx/2ms v1.4.1-0.20250327145719-b78804cb08c7 // indirect
 	github.com/cloudflare/circl v1.6.1 // indirect
 	github.com/containerd/cgroups/v3 v3.0.5 // indirect
 	github.com/containerd/containerd v1.7.27 // indirect
@@ -127,7 +126,7 @@ require (
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.8 // indirect
 	github.com/github/go-spdx/v2 v2.3.2 // indirect
-	github.com/gitleaks/go-gitdiff v0.9.0 // indirect
+	github.com/gitleaks/go-gitdiff v0.9.1 // indirect
 	github.com/go-errors/errors v1.5.1 // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
 	github.com/go-git/go-billy/v5 v5.6.2 // indirect

go.sum

@@ -77,8 +77,8 @@ github.com/Checkmarx/gen-ai-wrapper v1.0.2 h1:T6X40+4hYnwfDsvkjWs9VIcE6s1O+8DUu0
 github.com/Checkmarx/gen-ai-wrapper v1.0.2/go.mod h1:xwRLefezwNNnRGu1EjGS6wNiR9FVV/eP9D+oXwLViVM=
 github.com/Checkmarx/manifest-parser v0.1.0 h1:swnzQpBFbJap7dgoj39oI6MaIqUlnVuBp5VJzeLVevQ=
 github.com/Checkmarx/manifest-parser v0.1.0/go.mod h1:hh5FX5FdDieU8CKQEkged4hfOaSylpJzub8PRFXa4kA=
-github.com/Checkmarx/secret-detection v0.0.3-0.20250327150305-31c2c3be9edf h1:lKiogedU3WzWBc/xI6Xj1BhX2Gp1QBJj8C+czY7CcaE=
-github.com/Checkmarx/secret-detection v0.0.3-0.20250327150305-31c2c3be9edf/go.mod h1:mtAHOm1mHGh7MVu6JdYUyitANsLcHNLUTBIh9pTERNI=
+github.com/Checkmarx/secret-detection v1.2.1 h1:Hzpz74dcN/L14Q86ARvPOZpKBnERzGTpy6sl1RXKOTo=
+github.com/Checkmarx/secret-detection v1.2.1/go.mod h1:kbXbtIQisDdB/TNuV7r9HPclEznUyBHLQ5yr7IX7vBQ=
 github.com/CycloneDX/cyclonedx-go v0.9.2 h1:688QHn2X/5nRezKe2ueIVCt+NRqf7fl3AVQk+vaFcIo=
 github.com/CycloneDX/cyclonedx-go v0.9.2/go.mod h1:vcK6pKgO1WanCdd61qx4bFnSsDJQ6SbM2ZuMIgq86Jg=
 github.com/DATA-DOG/go-sqlmock v1.5.2 h1:OcvFkGmslmlZibjAjaHm3L//6LiuBgolP7OputlJIzU=
@@ -217,8 +217,6 @@ github.com/charmbracelet/x/cellbuf v0.0.13 h1:/KBBKHuVRbq1lYx5BzEHBAFBP8VcQzJejZ
 github.com/charmbracelet/x/cellbuf v0.0.13/go.mod h1:xe0nKWGd3eJgtqZRaN9RjMtK7xUYchjzPr7q6kcvCCs=
 github.com/charmbracelet/x/term v0.2.1 h1:AQeHeLZ1OqSXhrAWpYUtZyX1T3zVxfpZuEQMIQaGIAQ=
 github.com/charmbracelet/x/term v0.2.1/go.mod h1:oQ4enTYFV7QN4m0i9mzHrViD7TQKvNEEkHUMCmsxdUg=
-github.com/checkmarx/2ms v1.4.1-0.20250327145719-b78804cb08c7 h1:COsC3skOJeJaSoCPuhLZ0byRGKm+ZHlyw5qm9ydlab0=
-github.com/checkmarx/2ms v1.4.1-0.20250327145719-b78804cb08c7/go.mod h1:Bnd2YSh8LQSc4fHAFN0BKz8LYThB6qHg3Wn/+H+WZ4I=
 github.com/checkmarx/2ms/v3 v3.21.0 h1:EcabeDypNMsSidISQbziZ062HjMZQ+Hm/uOJ5AOxK8o=
 github.com/checkmarx/2ms/v3 v3.21.0/go.mod h1:e8f4F94MZ+iCetR/G3aw7nXdPe6TgPI92Zzk/NG1l0o=
 github.com/chromedp/cdproto v0.0.0-20230802225258-3cf4e6d46a89/go.mod h1:GKljq0VrfU4D5yc+2qA6OVr8pmO/MBbPEWqWQ/oqGEs=
@@ -372,8 +370,8 @@ github.com/gabriel-vasile/mimetype v1.4.8/go.mod h1:ByKUIKGjh1ODkGM1asKUbQZOLGrP
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/github/go-spdx/v2 v2.3.2 h1:IfdyNHTqzs4zAJjXdVQfRnxt1XMfycXoHBE2Vsm1bjs=
 github.com/github/go-spdx/v2 v2.3.2/go.mod h1:2ZxKsOhvBp+OYBDlsGnUMcchLeo2mrpEBn2L1C+U3IQ=
-github.com/gitleaks/go-gitdiff v0.9.0 h1:SHAU2l0ZBEo8g82EeFewhVy81sb7JCxW76oSPtR/Nqg=
-github.com/gitleaks/go-gitdiff v0.9.0/go.mod h1:pKz0X4YzCKZs30BL+weqBIG7mx0jl4tF1uXV9ZyNvrA=
+github.com/gitleaks/go-gitdiff v0.9.1 h1:ni6z6/3i9ODT685OLCTf+s/ERlWUNWQF4x1pvoNICw0=
+github.com/gitleaks/go-gitdiff v0.9.1/go.mod h1:pKz0X4YzCKZs30BL+weqBIG7mx0jl4tF1uXV9ZyNvrA=
 github.com/glebarez/go-sqlite v1.20.3 h1:89BkqGOXR9oRmG58ZrzgoY/Fhy5x0M+/WV48U5zVrZ4=
 github.com/glebarez/go-sqlite v1.20.3/go.mod h1:u3N6D/wftiAzIOJtZl6BmedqxmmkDfH3q+ihjqxC9u0=
 github.com/gliderlabs/ssh v0.3.8 h1:a4YXD1V7xMF9g5nTkdfnja3Sxy1PVDCj1Zg4Wb8vY6c=

internal/commands/hooks.go

@@ -0,0 +1,49 @@
+package commands
+
+import (
+	"github.com/MakeNowJust/heredoc"
+	"github.com/checkmarx/ast-cli/internal/params"
+	"github.com/checkmarx/ast-cli/internal/wrappers"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+// NewHooksCommand creates the hooks command with pre-commit subcommand
+func NewHooksCommand(jwtWrapper wrappers.JWTWrapper) *cobra.Command {
+	hooksCmd := &cobra.Command{
+		Use:   "hooks",
+		Short: "Manage Git hooks",
+		Long:  "The hooks command enables the ability to manage Git hooks for Checkmarx One.",
+		Example: heredoc.Doc(
+			`
+			$ cx hooks pre-commit secrets-install-git-hook
+			$ cx hooks pre-commit secrets-scan
+			$ cx hooks pre-receive secrets-scan
+		`,
+		),
+		Annotations: map[string]string{
+			"command:doc": heredoc.Doc(
+				`
+                https://checkmarx.com/resource/documents/en/34965-365503-hooks.html
+            `,
+			),
+		},
+	}
+
+	// Add pre-commit and pre-receive subcommand
+	hooksCmd.AddCommand(PreCommitCommand(jwtWrapper))
+	hooksCmd.AddCommand(PreReceiveCommand(jwtWrapper))
+
+	return hooksCmd
+}
+
+func validateLicense(jwtWrapper wrappers.JWTWrapper) error {
+	allowed, err := jwtWrapper.IsAllowedEngine(params.EnterpriseSecretsLabel)
+	if err != nil {
+		return errors.Wrapf(err, "Failed checking license")
+	}
+	if !allowed {
+		return errors.New("Error: License validation failed. Please verify your CxOne license includes Enterprise Secrets.")
+	}
+	return nil
+}

internal/commands/pre-receive.go

@@ -0,0 +1,84 @@
+package commands
+
+import (
+	"fmt"
+	"log"
+
+	prereceive "github.com/Checkmarx/secret-detection/pkg/hooks/pre-receive"
+	"github.com/MakeNowJust/heredoc"
+	"github.com/checkmarx/ast-cli/internal/params"
+	"github.com/checkmarx/ast-cli/internal/wrappers"
+	"github.com/spf13/cobra"
+)
+
+const (
+	SuccessFullSecretsLicenceValidation = "License for pre-receive secret detection has been validated successfully"
+)
+
+func PreReceiveCommand(jwtWrapper wrappers.JWTWrapper) *cobra.Command {
+	preReceiveCmd := &cobra.Command{
+		Use:   "pre-receive",
+		Short: "Manage pre-receive hooks and run secret detection scans",
+		Long:  "The pre-receive command is used for managing Git pre-receive hooks for secret detection",
+		Example: heredoc.Doc(
+			`
+		    $ cx hooks pre-receive secrets-scan
+			`,
+		),
+	}
+	preReceiveCmd.AddCommand(scanSecretsPreReceiveCommand())
+	preReceiveCmd.AddCommand(validateSecretsLicence(jwtWrapper))
+
+	return preReceiveCmd
+}
+
+func scanSecretsPreReceiveCommand() *cobra.Command {
+	var configFile string
+	scanPrereceiveCmd := &cobra.Command{
+		Use:   "secrets-scan",
+		Short: "Run a pre-receive secret detection scan on the pushed branch",
+		Long:  "Runs pre-receive secret detection scans on each pushed branch that is about to enter the remote git repository",
+		Example: heredoc.Doc(
+			`
+		    $ cx hooks pre-receive secrets-scan
+		    $ cx hooks pre-receive secrets-scan --config /path/to/config.yaml		
+			`,
+		),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return prereceive.Scan(configFile)
+		},
+	}
+
+	scanPrereceiveCmd.Flags().StringVarP(&configFile, "config", "c", "", "path to config.yaml file")
+
+	return scanPrereceiveCmd
+}
+
+func validateSecretsLicence(jwtWrapper wrappers.JWTWrapper) *cobra.Command {
+	validateLicence := &cobra.Command{
+		Use:   "validate",
+		Short: "Validates the license for pre-receive secret detection",
+		Long:  "Validates the license for pre-receive secret detection",
+		Example: heredoc.Doc(
+			`
+		    $ cx hooks pre-receive validate
+			`,
+		),
+		RunE: checkLicence(jwtWrapper),
+	}
+	return validateLicence
+}
+
+func checkLicence(jwtWrapper wrappers.JWTWrapper) func(cmd *cobra.Command, args []string) error {
+	return func(cmd *cobra.Command, args []string) error {
+		isAllowed, err := jwtWrapper.IsAllowedEngine(params.EnterpriseSecretsLabel)
+		if err != nil {
+			log.Fatalf("%s: %s", "Failed the licence check", err)
+		}
+		if !isAllowed {
+			log.Fatalf("Error: License validation failed. Please ensure that your Checkmarx One license includes Enterprise Secrets")
+		}
+		_, _ = fmt.Fprintln(cmd.OutOrStdout(), SuccessFullSecretsLicenceValidation)
+		return nil
+	}
+}

internal/commands/pre_commit.go

@@ -4,47 +4,19 @@ import (
 	"fmt"
 	"strings"
 
-	precommit "github.com/Checkmarx/secret-detection/pkg/hooks"
+	precommit "github.com/Checkmarx/secret-detection/pkg/hooks/pre-commit"
 	"github.com/MakeNowJust/heredoc"
-	"github.com/checkmarx/ast-cli/internal/params"
 	"github.com/checkmarx/ast-cli/internal/wrappers"
-	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
 )
 
-// NewHooksCommand creates the hooks command with pre-commit subcommand
-func NewHooksCommand(jwtWrapper wrappers.JWTWrapper) *cobra.Command {
-	hooksCmd := &cobra.Command{
-		Use:   "hooks",
-		Short: "Manage Git hooks",
-		Long:  "The hooks command enables the ability to manage Git hooks for Checkmarx One",
-		Example: heredoc.Doc(
-			`
-            $ cx hooks pre-commit secrets-install-git-hook
-            $ cx hooks pre-commit secrets-scan
-        `,
-		),
-		Annotations: map[string]string{
-			"command:doc": heredoc.Doc(
-				`
-                https://checkmarx.com/resource/documents/en/xxxxx-xxxxx-hooks.html
-            `,
-			),
-		},
-	}
-
-	// Add pre-commit subcommand
-	hooksCmd.AddCommand(PreCommitCommand(jwtWrapper))
-
-	return hooksCmd
-}
-
 // PreCommitCommand creates the pre-commit subcommand
+
 func PreCommitCommand(jwtWrapper wrappers.JWTWrapper) *cobra.Command {
 	preCommitCmd := &cobra.Command{
 		Use:   "pre-commit",
 		Short: "Manage pre-commit hooks and run secret detection scans",
-		Long:  "The pre-commit command enables the ability to manage Git pre-commit hooks for secret detection",
+		Long:  "The pre-commit command enables the ability to manage Git pre-commit hooks for secret detection.",
 		Example: heredoc.Doc(
 			`
             $ cx hooks pre-commit secrets-install-git-hook
@@ -65,22 +37,12 @@ func PreCommitCommand(jwtWrapper wrappers.JWTWrapper) *cobra.Command {
 }
 
 // / validateLicense verifies the user has the required license for secret detection
-func validateLicense(jwtWrapper wrappers.JWTWrapper) error {
-	allowed, err := jwtWrapper.IsAllowedEngine(params.EnterpriseSecretsLabel)
-	if err != nil {
-		return errors.Wrapf(err, "Failed checking license")
-	}
-	if !allowed {
-		return errors.New("Error: License validation failed. Please verify your CxOne license includes Enterprise Secrets.")
-	}
-	return nil
-}
 
 func secretsInstallGitHookCommand(jwtWrapper wrappers.JWTWrapper) *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "secrets-install-git-hook",
 		Short: "Install the pre-commit hook",
-		Long:  "Install the pre-commit hook for secret detection in your repository",
+		Long:  "Install the pre-commit hook for secret detection in your repository.",
 		Example: heredoc.Doc(
 			`
             $ cx hooks pre-commit secrets-install-git-hook
@@ -102,7 +64,7 @@ func secretsUninstallGitHookCommand(jwtWrapper wrappers.JWTWrapper) *cobra.Comma
 	cmd := &cobra.Command{
 		Use:   "secrets-uninstall-git-hook",
 		Short: "Uninstall the pre-commit hook",
-		Long:  "Uninstall the pre-commit hook for secret detection from your repository",
+		Long:  "Uninstall the pre-commit hook for secret detection from your repository.",
 		Example: heredoc.Doc(
 			`
             $ cx hooks pre-commit secrets-uninstall-git-hook
@@ -121,7 +83,7 @@ func secretsUpdateGitHookCommand(jwtWrapper wrappers.JWTWrapper) *cobra.Command
 	cmd := &cobra.Command{
 		Use:   "secrets-update-git-hook",
 		Short: "Update the pre-commit hook",
-		Long:  "Update the pre-commit hook for secret detection to the latest version",
+		Long:  "Update the pre-commit hook for secret detection to the latest version.",
 		Example: heredoc.Doc(
 			`
             $ cx hooks pre-commit secrets-update-git-hook
@@ -143,7 +105,7 @@ func secretsScanCommand(jwtWrapper wrappers.JWTWrapper) *cobra.Command {
 	return &cobra.Command{
 		Use:   "secrets-scan",
 		Short: "Run the real-time secret detection scan",
-		Long:  "Run a real-time scan to detect secrets in your code before committing",
+		Long:  "Run a real-time scan to detect secrets in your code before committing.",
 		Example: heredoc.Doc(
 			`
             $ cx hooks pre-commit secrets-scan
@@ -165,7 +127,7 @@ func secretsIgnoreCommand(jwtWrapper wrappers.JWTWrapper) *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "secrets-ignore",
 		Short: "Ignore one or more detected secrets",
-		Long:  "Add detected secrets to the ignore list so they won't be flagged in future scans",
+		Long:  "Add detected secrets to the ignore list so they won't be flagged in future scans.",
 		Example: heredoc.Doc(
 			`
             $ cx hooks pre-commit secrets-ignore --resultIds=a1b2c3d4e5f6,f1e2d3c4b5a6
@@ -209,7 +171,7 @@ func secretsHelpCommand() *cobra.Command {
 	return &cobra.Command{
 		Use:   "secrets-help",
 		Short: "Display help for pre-commit commands",
-		Long:  "Display detailed information about the pre-commit commands and options",
+		Long:  "Display detailed information about the pre-commit commands and options.",
 		RunE: func(cmd *cobra.Command, args []string) error {
 			return cmd.Parent().Help()
 		},

internal/commands/pre_receive_test.go

@@ -0,0 +1,57 @@
+package commands
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/checkmarx/ast-cli/internal/wrappers/mock"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestPreReceiveCommand(t *testing.T) {
+	mockJWT := &mock.JWTMockWrapper{}
+	cmd := PreReceiveCommand(mockJWT)
+	assert.NotNil(t, cmd)
+	assert.Equal(t, "pre-receive", cmd.Use)
+	subCmds := cmd.Commands()
+	subCmdName := make([]string, len(subCmds))
+	for i, subCmd := range subCmds {
+		subCmdName[i] = subCmd.Name()
+	}
+	expectedSubCmds := []string{
+		"secrets-scan",
+	}
+
+	for i, expectedSubCmd := range expectedSubCmds {
+		assert.Contains(t, expectedSubCmd, subCmdName[i])
+	}
+}
+
+func TestPreReceiveCommand_withConfig(t *testing.T) {
+	cmd := createASTTestCommand()
+	workDir, _ := os.Getwd()
+	configFile := filepath.Join(workDir, "config.yaml")
+	_ = os.WriteFile(configFile, []byte(""), 0644)
+	err := executeTestCommand(
+		cmd,
+		"hooks", "pre-receive", "secrets-scan", "--config", "config.yaml",
+	)
+	assert.Nil(t, err)
+}
+
+func TestPreReceiveCommand_withWrongFlagConfig(t *testing.T) {
+	err := execCmdNotNilAssertion(
+		t,
+		"hooks", "pre-receive", "secrets-scan", "--cf", "/path/config.yaml",
+	)
+	assert.NotNil(t, err)
+}
+
+func TestPreReceiveCommand_Licence_success(t *testing.T) {
+	cmd := createASTTestCommand()
+	err := executeTestCommand(
+		cmd,
+		"hooks", "pre-receive", "validate")
+	assert.Nil(t, err)
+}