#!/bin/bash

# EnvVar Shamer - Pre-commit Hook
# Detects common secret patterns in staged files
# Usage: Save as .git/hooks/pre-commit and make executable

PATTERNS=(
    "API_KEY"
    "SECRET_KEY"
    "PASSWORD"
    "TOKEN"
    "PRIVATE_KEY"
    "AWS_ACCESS_KEY"
    "DATABASE_URL"
)

SHAME_MESSAGES=(
    "🚨 LOOK AT THIS CLOWN committing secrets to GitHub!"
    "🤡 Found your API key! Preparing public humiliation..."
    "💀 BROKE: Committing secrets | WOKE: Using EnvVar Shamer"
    "📢 ATTENTION: This developer hates security!"
    "🔓 Found leaked credentials! Your shame is now public."
)

shame_developer() {
    local message="${SHAME_MESSAGES[$RANDOM % ${#SHAME_MESSAGES[@]}]}"
    echo "\n$(tput setaf 1)╔══════════════════════════════════════════════════════════╗$(tput sgr0)"
    echo "$(tput setaf 1)║                                                            ║$(tput sgr0)"
    echo "$(tput setaf 1)║  $message  ║$(tput sgr0)"
    echo "$(tput setaf 1)║  File: $1 Line $2: $3  ║$(tput sgr0)"
    echo "$(tput setaf 1)║                                                            ║$(tput sgr0)"
    echo "$(tput setaf 1)╚══════════════════════════════════════════════════════════╝$(tput sgr0)\n"
    
    # Optional: Send to Slack/Teams webhook for extra shame
    # curl -X POST -H 'Content-type: application/json' \
    # --data '{"text":"'"$message"' - File: $1"}' \
    # YOUR_WEBHOOK_URL
}

check_staged_files() {
    git diff --cached --name-only | while read file; do
        if [ -f "$file" ]; then
            for pattern in "${PATTERNS[@]}"; do
                git diff --cached "$file" | grep -n -i "$pattern" | while read line; do
                    shame_developer "$file" "$(echo $line | cut -d: -f1)" "$(echo $line | cut -d: -f2-)"
                done
            done
        fi
    done
}

# Main execution
check_staged_files

# Exit with error if any secrets found
exit 1

The Problem: Your Codebase Is Leakier Than a Sieve

Let's be honest—environment variables are the digital equivalent of that junk drawer in your kitchen. You throw everything in there: API keys, database passwords, third-party tokens, that one weird credential from a service you signed up for in 2018 and promptly forgot about. And just like that junk drawer, occasionally something important falls out and embarrasses you in front of company.

The traditional approach to this problem involves pre-commit hooks that silently reject your commit. It's like having a polite butler whisper, "Pardon me, sir, but you appear to have left your production database credentials in this file." Nice, but forgettable. You'll just bypass it with --no-verify and tell yourself you'll clean it up later (you won't).

What we need isn't more polite suggestions—we need public shaming. The kind of social pressure that makes you triple-check your code before hitting enter. The kind that makes your teammates mock you mercilessly in Slack. The kind that plays a sad trombone sound when you try to commit your AWS credentials for the third time this week.

The Solution: Public Humiliation as a Service

I built EnvVar Shamer because sometimes the stick works better than the carrot. Instead of quietly preventing you from making mistakes, it makes those mistakes so embarrassing that you'll never make them again.

Here's how it works: when you try to commit code, EnvVar Shamer scans your staged files for patterns that look like secrets—API keys (those lovely 32-character hexadecimal strings), passwords, tokens, and other digital valuables you really shouldn't be sharing with the world. If it finds something suspicious, it doesn't just stop you. Oh no. That would be too easy.

Instead, it generates alternative commit messages that range from mildly embarrassing to career-limiting. It can optionally post mock security breach notifications to your team's chat. It can even play shame sound effects. The goal isn't to be mean—it's to create the kind of memorable learning experience that actually changes behavior.

How to Use It (Prepare for Humiliation)

Installation is straightforward, much like setting up your own public stocks in the town square:

# Clone the repository
$ git clone https://github.com/BoopyCode/env-var-shamer-1768169873

# Install dependencies
$ npm install

# Set up the git hook
$ ./setup-hook.sh

Once installed, try committing something you shouldn't:

$ git add config.js  # Contains: API_KEY="sk_live_1234567890abcdef"
$ git commit -m "Update config"

Instead of your boring commit message, you might get:

🚨 SECURITY BREACH ATTEMPT 🚨
User: you@company.com
Attempted to commit: Stripe live secret key
Suggested commit message: "Giving away company money for free"

Commit blocked. Your shame has been logged.

Check out the full source code on GitHub to see how the detection logic works. Here's a snippet from the main detection module:

// From detector.js - the heart of the shame
const SECRET_PATTERNS = [
  /[A-Za-z0-9]{32}/,                    // Generic API keys
  /sk_live_[A-Za-z0-9]{24}/,            // Stripe live keys
  /AKIA[0-9A-Z]{16}/,                   // AWS access keys
  /[A-Za-z0-9\-_]{40}/,                 // GitHub tokens
  /password\s*[:=]\s*['"][^'"]+['"]/i  // Plaintext passwords
];

function detectSecrets(content) {
  const violations = [];
  SECRET_PATTERNS.forEach((pattern, index) => {
    if (pattern.test(content)) {
      violations.push(SECRET_TYPES[index]);
    }
  });
  return violations;
}

Key Features (Your Shame Checklist)

• Detects common secret patterns: API keys, passwords, tokens, and other digital valuables in staged files. It's like a bloodhound for your security mistakes.
• Generates humiliating alternative commit messages: Instead of "Fixed bug," you get "Committed company bankruptcy to version control."
• Optionally posts mock 'security breach' notifications: Configure it to announce your failures in Slack, Teams, or whatever chat app your team uses to judge you.
• Can be configured to play shame sound effects: The sad trombone, the Price Is Right losing horn, or a custom audio file of your choice.
• Customizable shame levels: From "gentle reminder" to "career-ending public spectacle."
• Team leaderboard: Optional feature to track who's most likely to get the company hacked (great for sprint retrospectives!).

Conclusion: Embrace the Shame

EnvVar Shamer isn't just another pre-commit hook—it's a behavioral modification tool disguised as a developer utility. By making security failures socially costly, it creates the kind of institutional memory that actually prevents breaches. Plus, it's way more fun than reading another boring security policy document.

The truth is, we all make mistakes. The difference between junior and senior developers isn't that seniors don't make errors—it's that seniors have been publicly shamed enough times to develop good habits. EnvVar Shamer just accelerates that process.

So go ahead—try it out. Install it on your team's repositories. Configure it to post to your team channel. Set the shame sound to something truly embarrassing. Your future self (and your company's security team) will thank you.

Remember: it's not public humiliation if it prevents a data breach. It's just... aggressive mentoring.