Address Copilot review feedback

- Include untracked (newly created) files in diff-scope scan set via
  git ls-files --others --exclude-standard
- Fix staged scope to scan the index version of each file using
  git show :<path> into a temp file, ensuring scan matches what
  will actually be committed
- Add json_escape() helper to escape backslashes and double quotes
  in file paths and redacted values before JSON string concatenation
- Replace echo with printf for grep pipes to handle lines starting
  with -n/-e safely
- Replace em dashes with colons and commas throughout

Author: ShehabSherif0

hooks/secrets-scanner/README.md

@@ -12,12 +12,12 @@ Scans files modified during a GitHub Copilot coding agent session for accidental
 
 AI coding agents generate and modify code rapidly, which increases the risk of hardcoded secrets slipping into the codebase. This hook acts as a safety net by scanning all modified files at session end for 20+ categories of secret patterns, including:
 
-- **Cloud credentials** — AWS access keys, GCP service account keys, Azure client secrets
-- **Platform tokens** — GitHub PATs, npm tokens, Slack tokens, Stripe keys
-- **Private keys** — RSA, EC, OpenSSH, PGP, DSA private key blocks
-- **Connection strings** — Database URIs (PostgreSQL, MongoDB, MySQL, Redis, MSSQL)
-- **Generic secrets** — API keys, passwords, bearer tokens, JWTs
-- **Internal infrastructure** — Private IP addresses with ports
+- **Cloud credentials**: AWS access keys, GCP service account keys, Azure client secrets
+- **Platform tokens**: GitHub PATs, npm tokens, Slack tokens, Stripe keys
+- **Private keys**: RSA, EC, OpenSSH, PGP, DSA private key blocks
+- **Connection strings**: Database URIs (PostgreSQL, MongoDB, MySQL, Redis, MSSQL)
+- **Generic secrets**: API keys, passwords, bearer tokens, JWTs
+- **Internal infrastructure**: Private IP addresses with ports
 
 ## Features
 
@@ -155,7 +155,7 @@ See the full list in `scan-secrets.sh`.
   ----                                     ----   -------                      --------
   lib/auth.py                              45     AWS_ACCESS_KEY               critical
 
-🚫 Session blocked — resolve the findings above before committing.
+🚫 Session blocked: resolve the findings above before committing.
    Set SCAN_MODE=warn to log without blocking, or add patterns to SECRETS_ALLOWLIST.
 ```
 
@@ -175,8 +175,8 @@ Scan events are written to `logs/copilot/secrets/scan.log` in JSON Lines format:
 
 This hook pairs well with the **Session Auto-Commit** hook. When both are installed, order them so that `secrets-scanner` runs first:
 
-1. Secrets scanner runs at `sessionEnd` — catches leaked secrets
-2. Auto-commit runs at `sessionEnd` — only commits if all previous hooks pass
+1. Secrets scanner runs at `sessionEnd`, catches leaked secrets
+2. Auto-commit runs at `sessionEnd`, only commits if all previous hooks pass
 
 Set `SCAN_MODE=block` to prevent auto-commit when secrets are detected.
 
@@ -196,7 +196,7 @@ To temporarily disable the scanner:
 
 ## Limitations
 
-- Pattern-based detection — does not perform entropy analysis or contextual validation
+- Pattern-based detection; does not perform entropy analysis or contextual validation
 - May produce false positives for test fixtures or example code (use the allowlist to suppress these)
-- Scans only text files — binary secrets (keystores, certificates in DER format) are not detected
+- Scans only text files; binary secrets (keystores, certificates in DER format) are not detected
 - Requires `git` to be available in the execution environment

hooks/secrets-scanner/scan-secrets.sh

@@ -20,7 +20,7 @@ fi
 
 # Ensure we are in a git repository
 if ! git rev-parse --is-inside-work-tree &>/dev/null; then
-  echo "⚠️  Not in a git repository — skipping secrets scan"
+  echo "⚠️  Not in a git repository, skipping secrets scan"
   exit 0
 fi
 
@@ -43,6 +43,10 @@ else
   while IFS= read -r f; do
     [[ -n "$f" ]] && FILES+=("$f")
   done < <(git diff --name-only --diff-filter=ACMR HEAD 2>/dev/null || git diff --name-only --diff-filter=ACMR 2>/dev/null)
+  # Also include untracked new files (created during the session, not yet in HEAD)
+  while IFS= read -r f; do
+    [[ -n "$f" ]] && FILES+=("$f")
+  done < <(git ls-files --others --exclude-standard 2>/dev/null)
 fi
 
 if [[ ${#FILES[@]} -eq 0 ]]; then
@@ -69,7 +73,7 @@ is_allowlisted() {
   return 1
 }
 
-# Binary file detection — skip files that are not text
+# Binary file detection: skip files that are not text
 is_text_file() {
   local filepath="$1"
   [[ -f "$filepath" ]] && file --brief --mime-type "$filepath" 2>/dev/null | grep -q "^text/" && return 0
@@ -135,16 +139,24 @@ PATTERNS=(
   "INTERNAL_IP_PORT|medium|\b(10\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}):\d{2,5}\b"
 )
 
+# Escape a string value for safe embedding in a JSON string literal
+json_escape() {
+  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
+}
+
 # Store findings as tab-separated records
 FINDINGS=()
 
 scan_file() {
   local filepath="$1"
+  # read_path: the actual file to scan; defaults to filepath (working tree)
+  # When SCOPE=staged, callers pass a temp file with the staged content instead
+  local read_path="${2:-$1}"
 
-  # Skip if file does not exist (e.g., deleted)
-  [[ -f "$filepath" ]] || return 0
+  # Skip if source does not exist (e.g., deleted)
+  [[ -f "$read_path" ]] || return 0
 
-  # Skip binary files
+  # Skip binary files (type detection uses the original path for MIME lookup)
   if ! is_text_file "$filepath"; then
     return 0
   fi
@@ -162,22 +174,22 @@ scan_file() {
     for entry in "${PATTERNS[@]}"; do
       IFS='|' read -r pattern_name severity regex <<< "$entry"
 
-      if echo "$line" | grep -qE "$regex" 2>/dev/null; then
+      if printf '%s\n' "$line" | grep -qE "$regex" 2>/dev/null; then
         # Extract the matched fragment (redacted for logging)
         local match
-        match=$(echo "$line" | grep -oE "$regex" 2>/dev/null | head -1)
+        match=$(printf '%s\n' "$line" | grep -oE "$regex" 2>/dev/null | head -1)
 
         # Check allowlist
         if [[ ${#ALLOWLIST[@]} -gt 0 ]] && is_allowlisted "$match"; then
           continue
         fi
 
         # Skip if this looks like a placeholder or example
-        if echo "$match" | grep -qiE '(example|placeholder|your[_-]|xxx|changeme|TODO|FIXME|replace[_-]?me|dummy|fake|test[_-]?key|sample)'; then
+        if printf '%s\n' "$match" | grep -qiE '(example|placeholder|your[_-]|xxx|changeme|TODO|FIXME|replace[_-]?me|dummy|fake|test[_-]?key|sample)'; then
           continue
         fi
 
-        # Redact the match for safe logging — show first 4 and last 4 chars
+        # Redact the match for safe logging: show first 4 and last 4 chars
         local redacted
         if [[ ${#match} -le 12 ]]; then
           redacted="[REDACTED]"
@@ -189,13 +201,21 @@ scan_file() {
         FINDING_COUNT=$((FINDING_COUNT + 1))
       fi
     done
-  done < "$filepath"
+  done < "$read_path"
 }
 
 echo "🔍 Scanning ${#FILES[@]} modified file(s) for secrets..."
 
 for filepath in "${FILES[@]}"; do
-  scan_file "$filepath"
+  if [[ "$SCOPE" == "staged" ]]; then
+    # Scan the staged (index) version to match what will actually be committed
+    _tmpfile=$(mktemp)
+    git show :"$filepath" > "$_tmpfile" 2>/dev/null || true
+    scan_file "$filepath" "$_tmpfile"
+    rm -f "$_tmpfile"
+  else
+    scan_file "$filepath"
+  fi
 done
 
 # Log results
@@ -219,8 +239,8 @@ if [[ $FINDING_COUNT -gt 0 ]]; then
     fi
     FIRST=false
 
-    # Build JSON safely without requiring jq
-    FINDINGS_JSON+="{\"file\":\"$fpath\",\"line\":$fline,\"pattern\":\"$pname\",\"severity\":\"$psev\",\"match\":\"$redacted\"}"
+    # Build JSON safely without requiring jq; escape path and match values
+    FINDINGS_JSON+="{\"file\":\"$(json_escape "$fpath")\",\"line\":$fline,\"pattern\":\"$pname\",\"severity\":\"$psev\",\"match\":\"$(json_escape "$redacted")\"}"
   done
   FINDINGS_JSON+="]"
 
@@ -231,8 +251,8 @@ if [[ $FINDING_COUNT -gt 0 ]]; then
     "$TIMESTAMP" "$MODE" "$SCOPE" "${#FILES[@]}" "$FINDING_COUNT" "$FINDINGS_JSON" >> "$LOG_FILE"
 
   if [[ "$MODE" == "block" ]]; then
-    echo "🚫 Session blocked — resolve the findings above before committing."
-    echo "   Set SCAN_MODE=warn to log without blocking, or add patterns to SECRETS_ALLOWLIST."
+    echo "🚫 Session blocked: resolve the findings above before committing."
+    echo "   Set SCAN_MODE=warn to log without blocking, or add patterns to SECRETS_ALLOWLIST."}
     exit 1
   else
     echo "💡 Review the findings above. Set SCAN_MODE=block to prevent commits with secrets."