Local Security & Formatting Checks - Christin-paige/BuiltInPublic GitHub Wiki

🧑‍💻 Local Security Checks 🛡️

This project uses Husky to automate security and formatting checks before commits and pushes.

✅ Pre-Commit Hook

  • Runs Gitleaks to scan for secrets before every commit.

🚀 Pre-Push Hook

  • Runs the following before each push:
    • Prettier to auto-format your code (note: files Prettier rewrites at this point are not part of the commits being pushed; commit them and push again)
    • 🧹 ESLint to enforce code quality and catch potential issues
    • 🕵️‍♀️ Gitleaks to scan for hardcoded secrets
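The wiki describes what the two hooks run but does not show the hook scripts themselves. Below is an added example, not the project's own .husky files, of one POSIX shell script that backs both hooks. The path scripts/git-hooks.sh is hypothetical; the .husky/pre-commit and .husky/pre-push files would each be a one-liner that calls it with `pre-commit` or `pre-push`. It assumes the gitleaks 8.x command line (`detect`/`protect`) and the .gitleaks.toml and .prettierrc.yml files this page refers to. It goes slightly beyond the description above: the pre-commit scan looks only at staged changes, and the pre-push scan reads the ref lines git passes on stdin and scans exactly the commits about to leave the machine rather than the whole history.

```shell
#!/bin/sh
# scripts/git-hooks.sh (hypothetical path): one script behind both Husky hooks.
#   .husky/pre-commit ->  sh scripts/git-hooks.sh pre-commit
#   .husky/pre-push   ->  sh scripts/git-hooks.sh pre-push "$@"
# Added example; not the project's own hook scripts.
set -u

ZERO_SHA=0000000000000000000000000000000000000000

# Return 0 if a tool is on PATH, otherwise print a hint and return 1.
require_tool() {
  if command -v "$1" >/dev/null 2>&1; then
    return 0
  fi
  echo "hook: '$1' is not installed or not on PATH (see the Setup Instructions)" >&2
  return 1
}

# Git passes an all-zero SHA for a ref that does not exist (new or deleted branch).
is_zero_sha() {
  [ "$1" = "$ZERO_SHA" ]
}

# Revision range covering exactly the commits a push would publish.
# For a brand-new branch there is no remote SHA, so scan everything reachable
# from the local tip that no remote-tracking branch already has.
push_range() {
  from=$1; to=$2
  if is_zero_sha "$from"; then
    echo "$to --not --remotes"
  else
    echo "$from..$to"
  fi
}

# Pre-commit: scan only what is staged, so a leaked key never reaches a commit.
# gitleaks 8.x: `protect --staged` inspects the index instead of git history.
run_pre_commit() {
  require_tool gitleaks || return 1
  gitleaks protect --staged --redact --config .gitleaks.toml
}

# Pre-push: git feeds "<local ref> <local sha> <remote ref> <remote sha>" lines
# on stdin, one per ref being pushed.
run_pre_push() {
  require_tool gitleaks || return 1
  # --check rather than --write: rewriting files here cannot change the commits
  # being pushed, it only leaves uncommitted edits behind.
  npx prettier --config .prettierrc.yml --check . || return 1
  npx eslint . || return 1
  while read -r local_ref local_sha remote_ref remote_sha; do
    # Deleting a remote branch pushes no commits; nothing to scan.
    is_zero_sha "$local_sha" && continue
    range=$(push_range "$remote_sha" "$local_sha")
    echo "hook: scanning $range for secrets"
    gitleaks detect --source . --redact --config .gitleaks.toml --log-opts="$range" || return 1
  done
  return 0
}

case "${1:-}" in
  pre-commit) run_pre_commit ;;
  pre-push)   run_pre_push ;;
  "") ;;  # run without an argument: only define the functions
  *) echo "usage: $0 pre-commit|pre-push" >&2; exit 2 ;;
esac
```

Husky passes the hook's arguments and stdin through to the script, so `sh scripts/git-hooks.sh pre-push "$@"` in .husky/pre-push is enough. Prettier runs with --check instead of --write for the reason in the comment: a pre-push hook that reformats files cannot alter the commits it is checking, so the formatting would stay in the working tree while unformatted commits go out; run the --write command from the Prettier section of this page and commit the result instead. Newer gitleaks releases group the staged-changes scan under the `gitleaks git` subcommand; check `gitleaks --help` for the version you installed.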

🔧 Setup Instructions

1. Install Project Dependencies

Make sure your dependencies are up to date:

npm install

2. Install Husky (one-time per machine)

This sets up the Git hooks locally.

npm run prepare

3. Install ESLint Locally

If it's not already installed, run:

npm install eslint --save-dev

4. Install Gitleaks (locally)

Follow instructions based on your OS from the official docs:
➡️ https://github.com/gitleaks/gitleaks#installation

Common options:

macOS (Homebrew)

brew install gitleaks

Ubuntu / Debian (x86_64)

curl -s https://api.github.com/repos/gitleaks/gitleaks/releases/latest \
  | grep "browser_download_url.*linux_x64.tar.gz" \
  | cut -d '"' -f 4 \
  | xargs curl -L -o gitleaks.tar.gz \
  && tar -xzf gitleaks.tar.gz gitleaks \
  && chmod +x gitleaks \
  && sudo mv gitleaks /usr/local/bin/

This one-liner installs whatever binary the release API returns without checking it. Each gitleaks release also publishes a checksums file alongside the archives; compare the SHA-256 of the downloaded archive against it before moving the binary into /usr/local/bin. On other architectures pick the matching asset name from the release page instead of linux_x64.

Windows

Install the latest release with Scoop by running this command in PowerShell (or download the Windows archive from the release page and put gitleaks.exe on your PATH):

scoop install gitleaks
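The Ubuntu one-liner above trusts whatever the release API hands back. As an added example, not a script from the project, here is a POSIX shell version of that install which verifies the archive against the checksums file gitleaks publishes with each release before anything is copied into /usr/local/bin. The asset names (gitleaks_<version>_linux_x64.tar.gz and gitleaks_<version>_checksums.txt, goreleaser's naming) and the checksums-file layout (one "<sha256>  <filename>" line per asset) are assumptions; confirm them on the release page for the version you pick.

```shell
#!/bin/sh
# Added example: download a gitleaks release for Linux x86_64 and verify it
# against the release's checksums file before installing. Not the project's script.
# Assumed asset names (goreleaser style, not taken from the wiki):
#   gitleaks_<version>_linux_x64.tar.gz   gitleaks_<version>_checksums.txt
set -u

# Print the SHA-256 hex digest of a file using whichever tool the machine has.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d ' ' -f 1
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | cut -d ' ' -f 1
  elif command -v openssl >/dev/null 2>&1; then
    openssl dgst -sha256 "$1" | sed 's/^.*= //'
  else
    echo "no SHA-256 tool found (need sha256sum, shasum or openssl)" >&2
    return 2
  fi
}

# Return 0 only if the file's digest equals the expected hex digest (any case).
verify_sha256() {
  file=$1; expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  actual=$(sha256_of "$file") || return 2
  [ "$actual" = "$expected" ]
}

# Look up the digest recorded for one asset in a "<sha256>  <filename>" list.
# Prints the digest; fails without output if the asset is not listed.
expected_digest_for() {
  checksums_file=$1; asset=$2
  digest=$(awk -v a="$asset" '$2 == a { print $1 }' "$checksums_file")
  [ -n "$digest" ] || return 1
  echo "$digest"
}

# Download, verify, then install. Only runs when called explicitly.
install_gitleaks_linux() {
  version=$1   # e.g. 8.18.4 (no leading "v"); example value, pick a real release
  base="https://github.com/gitleaks/gitleaks/releases/download/v$version"
  asset="gitleaks_${version}_linux_x64.tar.gz"
  tmp=$(mktemp -d) || return 1
  curl -fsSL -o "$tmp/$asset" "$base/$asset" || return 1
  curl -fsSL -o "$tmp/checksums.txt" "$base/gitleaks_${version}_checksums.txt" || return 1
  want=$(expected_digest_for "$tmp/checksums.txt" "$asset") || {
    echo "no checksum listed for $asset" >&2; rm -rf "$tmp"; return 1; }
  if ! verify_sha256 "$tmp/$asset" "$want"; then
    echo "checksum mismatch for $asset; refusing to install" >&2
    rm -rf "$tmp"
    return 1
  fi
  # Extract only the binary and install it with fixed permissions.
  tar -xzf "$tmp/$asset" -C "$tmp" gitleaks || return 1
  sudo install -m 0755 "$tmp/gitleaks" /usr/local/bin/gitleaks || return 1
  rm -rf "$tmp"
  gitleaks --version
}

case "${1:-}" in
  install) install_gitleaks_linux "${2:?version required, e.g. 8.18.4}" ;;
  "") ;;   # no argument: only define the functions
  *) echo "usage: $0 install <version>" >&2; exit 2 ;;
esac
```

Run it as `sh install-gitleaks.sh install 8.18.4` (file name and version are placeholders). Because the archive and the checksums file come from the same release, this catches a corrupted, truncated or swapped download but not a compromised upstream release; defending against that needs a signature from a key you already trust, which this script does not check.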

🧪 Verify Installations

You can check that the tools are installed with:

gitleaks --version
npx prettier --version
npx eslint --version

✅ You’re All Set!

Now every time you commit or push, these tools will automatically run and help ensure code quality and security.

If anything fails:

  • You’ll see the errors in your terminal.
  • Secrets must be resolved before the commit succeeds; secrets, lint errors or formatting issues must be resolved before the push succeeds.

✨ Pro Tip: Git hooks are installed per clone, not per branch, so switching branches needs nothing extra. If you switch machines or clone the repository again, repeat steps 1–4 so Husky and the tools are set up in that clone.


To run these checks locally without committing or pushing:

✅ Prettier – Code Formatter 🧼

npx prettier --config .prettierrc.yml --check .   # Check for formatting issues using the repo's config file
npx prettier --config .prettierrc.yml --write .    # Auto-format your files using the repo's config file

This keeps the codebase clean and consistent.


✅ ESLint – Code Linting 🧹

npx eslint .              # Identify code issues
npx eslint . --fix        # Fix fixable ones

Run this before pushing to make sure your code follows project linting rules.


✅ Semgrep – Static Analysis ⌨

  1. Install Python & pip (if you don’t already have them)
    • macOS (Homebrew)
      brew install python

    • Ubuntu / Debian
      sudo apt update && sudo apt install python3 python3-pip

    • Windows
      Download & install from python.org, and be sure to check “Add Python to PATH.”

  2. Verify pip

    pip --version
    # e.g. pip 23.x.x from /usr/local/lib/python3.x/site-packages/pip (python 3.x)

  3. Install Semgrep

    pip install semgrep

    On recent Debian/Ubuntu releases pip refuses to install into the system Python ("externally-managed-environment"); install into a virtual environment or with pipx instead:

    pipx install semgrep

  4. Run the same scan we use in CI

    semgrep scan \
      --config p/default \
      --config p/owasp-top-ten \
      --config ./security/semgrep \
      --exclude supabase/seed.sql \
      --metrics=off \
      --error

    p/default and p/owasp-top-ten are rulesets from the Semgrep registry, ./security/semgrep is the repo's own rules directory, --metrics=off disables telemetry, and --error makes the command exit non-zero when there are findings, which is what turns findings into a failed CI job.

✅ Gitleaks – Secret Scanning 🕵️

To avoid committing sensitive info like API keys or tokens:

  1. Install Gitleaks (step 4 of the Setup Instructions)

  2. Run this in the project root:

    gitleaks detect --source . --redact --config .gitleaks.toml

    detect scans the repository's git history, not just the files on disk, so a secret committed and later removed is still reported; add --no-git to scan only the current working tree. --redact masks the matched secret in the output so running the scan does not itself print the secret, and .gitleaks.toml is the repo's rules and allowlist configuration.

This helps catch secrets before they hit GitHub.


🔒 Dependabot 🤖

Dependabot automatically scans the project's dependencies for known vulnerabilities and opens pull requests that bump them.

If you want to manually check for known vulnerabilities or outdated packages:

npm audit       # compares the packages in package-lock.json against the npm advisory database
npm outdated    # lists installed packages with newer versions available

🟡 CodeQL – Local Static Analysis (OPTIONAL)

Contributors only need to run CodeQL locally if they are developing custom queries or debugging results. Here’s how:

  1. Install the CodeQL CLI

  2. Create a CodeQL database
    From the root of your repo, run:

    codeql database create codeql-db \
      --language=javascript \
      --command="npm install && npm run build"

    codeql-db is the folder that will store the analysis database.

    The javascript extractor (which also covers TypeScript) reads the source files directly and does not need a build command; --command matters for compiled languages, where it should be whatever builds your code. Keeping the npm install here is still useful so that installed type declarations are available to the analysis.

  3. Run the analysis
    Once the database is created, execute:

    codeql database analyze codeql-db \
      javascript-code-scanning.qls \
      --format=sarif-latest \
      --output=codeql-results.sarif

    javascript-code-scanning.qls is the built-in query suite for JS/TS (the same default set GitHub code scanning runs). It lives in the codeql/javascript-queries query pack; if you installed the bare CLI rather than the bundle and the suite cannot be resolved, download the pack first:

    codeql pack download codeql/javascript-queries

    codeql-results.sarif is the output you can load into GitHub or VS Code.

  4. View results
  • GitHub: upload the SARIF file in a PR or Actions run

  • VS Code: install the CodeQL extension and open codeql-results.sarif

Tip: If you only want to test a single query file, replace javascript-code-scanning.qls with the path to your .ql file.