CLI-173 add E2E test for pre-commit hook

Author: sophio-japharidze-sonarsource

tests/integration/harness/cli-runner.ts

@@ -26,7 +26,7 @@ import type { CliResult } from './types.js';
 
 const PROJECT_ROOT = join(import.meta.dir, '../../..');
 const DEFAULT_BINARY = join(PROJECT_ROOT, 'dist', 'sonarqube-cli');
-const BINARY_PATH = process.env.SONAR_CLI_BINARY ?? DEFAULT_BINARY;
+export const BINARY_PATH = process.env.SONAR_CLI_BINARY ?? DEFAULT_BINARY;
 const DEFAULT_TIMEOUT_MS = 30000;
 
 export function assertBinaryExists(): void {

tests/integration/harness/index.ts

@@ -123,7 +123,8 @@ export class TestHarness {
    * Runs the CLI binary with the given command string.
    *
    * Before spawning, applies the configured environment (writes state.json + copies binary).
-   * Automatically injects SONAR_CLI_DISABLE_KEYCHAIN=true.
+   * Sets SONAR_CLI_KEYCHAIN_FILE so the CLI uses the file-based keychain where the harness
+   * has written tokens (via withKeychainToken()); avoids touching the system keychain.
    */
   async run(command: string, options?: RunOptions): Promise<CliResult> {
     // Apply environment to tempDir before each run

tests/integration/specs/integrate/git.test.ts

@@ -21,9 +21,78 @@
 // Integration tests for `sonar integrate git`
 
 import { afterEach, beforeEach, describe, expect, it } from 'bun:test';
-import { mkdirSync, writeFileSync } from 'node:fs';
+import { mkdirSync, symlinkSync, writeFileSync } from 'node:fs';
 import { join } from 'node:path';
 import { TestHarness } from '../../harness';
+import { BINARY_PATH } from '../../harness/cli-runner.js';
+
+const PATH_DELIM = process.platform === 'win32' ? ';' : ':';
+function pathWithoutNodeModules(envPath: string | undefined): string {
+  return (envPath ?? '')
+    .split(PATH_DELIM)
+    .filter((p) => !p.includes('node_modules'))
+    .join(PATH_DELIM);
+}
+
+// Hardcoded test token — intentional fixture for secret detection in pre-commit hook test
+// sonar-ignore-next-line S6769
+const GITHUB_TEST_TOKEN = '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';
+
+function buildHookEnv(harness: TestHarness, sonarBinDir: string): Record<string, string> {
+  return {
+    ...process.env,
+    HOME: harness.userHome.path,
+    SONAR_CLI_KEYCHAIN_FILE: harness.keychainJsonFile.path,
+    PATH: `${sonarBinDir}${PATH_DELIM}${pathWithoutNodeModules(process.env.PATH)}`,
+  };
+}
+
+function setupSonarBinDir(harness: TestHarness): {
+  sonarBinDir: string;
+  hookEnv: Record<string, string>;
+} {
+  const sonarBinDir = join(harness.cwd.path, 'sonar-bin');
+  mkdirSync(sonarBinDir, { recursive: true });
+  symlinkSync(BINARY_PATH, join(sonarBinDir, 'sonar'));
+  return { sonarBinDir, hookEnv: buildHookEnv(harness, sonarBinDir) };
+}
+
+function setupGitUser(cwd: string): void {
+  Bun.spawnSync(['git', 'config', 'user.email', 'test@example.com'], { cwd });
+  Bun.spawnSync(['git', 'config', 'user.name', 'Test User'], { cwd });
+}
+
+function addBareRemote(cwd: string): void {
+  const remotePath = join(cwd, '..', 'remote.git');
+  mkdirSync(remotePath, { recursive: true });
+  Bun.spawnSync(['git', 'init', '--bare'], { cwd: remotePath });
+  Bun.spawnSync(['git', 'remote', 'add', 'origin', remotePath], { cwd });
+  Bun.spawnSync(['git', 'branch', '-M', 'main'], { cwd });
+}
+
+function gitCommit(
+  cwd: string,
+  env: Record<string, string>,
+  message: string,
+): ReturnType<typeof Bun.spawnSync> {
+  return Bun.spawnSync(['git', 'commit', '-m', message], {
+    cwd,
+    env,
+    stdout: 'pipe',
+    stderr: 'pipe',
+  });
+}
+
+function gitPush(
+  cwd: string,
+  env: Record<string, string>,
+  setUpstream: boolean,
+): ReturnType<typeof Bun.spawnSync> {
+  const args = setUpstream
+    ? ['git', 'push', '-u', 'origin', 'main']
+    : ['git', 'push', 'origin', 'main'];
+  return Bun.spawnSync(args, { cwd, env, stdout: 'pipe', stderr: 'pipe' });
+}
 
 describe('integrate git (native hooks)', () => {
   let harness: TestHarness;
@@ -88,24 +157,72 @@ describe('integrate git (native hooks)', () => {
   );
 
   it(
-    'installs pre-commit hook when user selects pre-commit (--non-interactive)',
+    'pre-commit hook blocks commit when staged file contains a secret',
     async () => {
       const server = await harness.newFakeServer().withAuthToken('test-token').start();
       harness
         .state()
         .withActiveConnection(server.baseUrl())
-        .withKeychainToken(server.baseUrl(), 'test-token');
-
-      // Minimal git repo
-      harness.cwd.writeFile('.git/.keep', '');
+        .withKeychainToken(server.baseUrl(), 'test-token')
+        .withSecretsBinaryInstalled();
 
-      // Fake binaries server so that ensureSonarSecrets() can download sonar-secrets
-      await harness.newFakeBinariesServer().start();
+      mkdirSync(harness.cwd.path, { recursive: true });
+      Bun.spawnSync(['git', 'init'], { cwd: harness.cwd.path });
 
       const result = await harness.run('integrate git --hook pre-commit --non-interactive');
-
       expect(result.exitCode).toBe(0);
       expect(harness.cwd.exists('.git', 'hooks', 'pre-commit')).toBe(true);
+
+      const { hookEnv } = setupSonarBinDir(harness);
+      harness.cwd.writeFile('secret.js', `const token = "${GITHUB_TEST_TOKEN}";`);
+      Bun.spawnSync(['git', 'add', 'secret.js'], { cwd: harness.cwd.path });
+      setupGitUser(harness.cwd.path);
+
+      const commit = gitCommit(harness.cwd.path, hookEnv, 'wip');
+      expect(commit.exitCode).not.toBe(0);
+      const output = (commit.stdout?.toString() ?? '') + (commit.stderr?.toString() ?? '');
+      expect(output).toContain('Secrets found');
+    },
+    { timeout: 30000 },
+  );
+
+  it(
+    'pre-push hook blocks push when commit contains a secret',
+    async () => {
+      const server = await harness.newFakeServer().withAuthToken('test-token').start();
+      harness
+        .state()
+        .withActiveConnection(server.baseUrl())
+        .withKeychainToken(server.baseUrl(), 'test-token')
+        .withSecretsBinaryInstalled();
+
+      mkdirSync(harness.cwd.path, { recursive: true });
+      Bun.spawnSync(['git', 'init'], { cwd: harness.cwd.path });
+
+      const result = await harness.run('integrate git --hook pre-push --non-interactive');
+      expect(result.exitCode).toBe(0);
+      expect(harness.cwd.exists('.git', 'hooks', 'pre-push')).toBe(true);
+
+      const { hookEnv } = setupSonarBinDir(harness);
+      setupGitUser(harness.cwd.path);
+
+      // First commit + push: clean file, should succeed
+      harness.cwd.writeFile('clean.js', 'const x = 1;\n');
+      Bun.spawnSync(['git', 'add', 'clean.js'], { cwd: harness.cwd.path });
+      gitCommit(harness.cwd.path, hookEnv, 'initial');
+      addBareRemote(harness.cwd.path);
+      const firstPush = gitPush(harness.cwd.path, hookEnv, true);
+      expect(firstPush.exitCode).toBe(0);
+
+      // Second commit + push: file with secret, should be blocked by pre-push hook
+      harness.cwd.writeFile('secret.js', `const token = "${GITHUB_TEST_TOKEN}";`);
+      Bun.spawnSync(['git', 'add', 'secret.js'], { cwd: harness.cwd.path });
+      gitCommit(harness.cwd.path, hookEnv, 'wip');
+      const secondPush = gitPush(harness.cwd.path, hookEnv, false);
+
+      expect(secondPush.exitCode).not.toBe(0);
+      const output = (secondPush.stdout?.toString() ?? '') + (secondPush.stderr?.toString() ?? '');
+      expect(output).toContain('Secrets found');
     },
     { timeout: 30000 },
   );

tests/unit/integrate-git.test.ts

@@ -628,14 +628,11 @@ describe('integrateGitGlobal', () => {
     performSecretInstallSpy.mockRestore();
   });
 
-  it('returns without throwing when the user cancels the global install confirmation', () => {
-    setMockUi(true);
+  it('throws CommandFailedError when the user cancels the global install confirmation', () => {
     queueMockResponse(null);
-    try {
-      expect(resolveHookType({})).rejects.toThrow('Installation cancelled');
-    } finally {
-      setMockUi(false);
-    }
+    expect(
+      integrateGit({ global: true, nonInteractive: false, hook: 'pre-commit' }),
+    ).rejects.toThrow('Installation cancelled');
   });
 
   it('propagates the error when secrets installation fails after the user confirms', () => {