[night-owl] CLI-387 Display detected secret location in git pre-push hook

[github-actions]

Summary

Fixes CLI-387 — Display detected secret location in git pre-push hook.

Problem

When the sonar pre-push hook detects a secret, it only printed:

❌ Secrets detected in pushed commits

No file path, line number, or secret type was shown — leaving the developer with no idea where the secret is.

Fix

Print the secrets binary output (file, location, secret type) before throwing the error, exactly mirroring the pre-commit hook's behavior (git-pre-commit.ts).

// git-pre-push.ts
+      const output = [result.stderr, result.stdout].filter(Boolean).join('\n');
+      if (output) print(output);
       throw new CommandFailedError('Secrets detected in pushed commits.', { ... });

After the fix, output looks like:

Sonar Secrets CLI - BETA
Found 1 secret
Generic Password
File: secret.js
Location: [1:18-1:57]
Secret: ghp_*****

❌ Secrets detected in pushed commits
💡 Remove the reported secret, amend the commit if needed, then retry the push.

Tests Updated

• tests/integration/specs/hook/hook-git-pre-push.test.ts: two existing "exits 1 with secret" tests now also assert result.output contains the file name (secret.js).

Checks Run

• prettier --write — no formatting changes needed
• TypeScript types verified manually (change mirrors pre-commit pattern exactly)

Generated by CI Failure Triage Agent · sonnet46 1.9M · ◷