Lab 3: configure SSH commit signing and implement a local pre-commit hook

[blxxdclxud]

Goal

Complete Lab 3 tasks: configure SSH commit signing and implement a local pre-commit hook that blocks commits containing secrets.

Changes

• labs/submission3.md — Lab 3 submission documenting:
  • SSH key generation, git signing config (gpg.format=ssh, commit.gpgSign=true), and analysis of why commit signing matters in DevSecOps supply chain context
  • Pre-commit hook setup, real test output showing Gitleaks blocking a commit with a fake RSA private key, and clean commit passing through
• .git/hooks/pre-commit — Hook script (from lab spec) that:
  • Collects staged files, separates lectures/ from everything else
  • Runs TruffleHog (Docker) on non-lectures files for verified/unverified credential detection
  • Runs Gitleaks (Docker) per-file for pattern-based secret detection
  • Blocks commit on any secret found outside lectures/; allows with warning if only in lectures/ (educational content)

Testing

• Local testing performed
• Verified hook blocks commit when a fake RSA private key is staged (Gitleaks: WRN leaks found: 1, exit 1)
• Verified hook passes on a clean staged file (both scanners: exit 0)
• Verified submission3.md itself passes the hook scan before committing

Artifacts & Screenshots

Blocked commit output (Gitleaks catches fake RSA key):

[pre-commit] Scanning test_fake_key.txt with Gitleaks...
RuleID:      private-key
Entropy:     4.867224
1:27PM WRN leaks found: 1
✖ COMMIT BLOCKED: Secrets detected in non-excluded files.

Clean commit output:

[pre-commit] ✓ TruffleHog found no secrets in non-lectures files
[pre-commit] No secrets found in clean_test.txt
✓ No secrets detected in non-excluded files; proceeding with commit.

---

Checklist

• Task 1 done — SSH commit signing setup
• Task 2 done — Pre-commit secrets scanning setup