From 551ad8f0cad65102c4e9187054145545053c22eb Mon Sep 17 00:00:00 2001
From: Martin Stransky
Date: Fri, 13 Mar 2026 03:30:10 -0700
Subject: [PATCH] fix: add -- to grep in output-secrets-scanner private key check
The pattern '-----BEGIN ...' starts with dashes, which grep interprets as option flags. Adding '--' before the pattern signals end of options.
Co-Authored-By: Claude Opus 4.6
---
 .claude/hooks/output-secrets-scanner.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.claude/hooks/output-secrets-scanner.sh b/.claude/hooks/output-secrets-scanner.sh
index d754ff3..14adb7e 100755
--- a/.claude/hooks/output-secrets-scanner.sh
+++ b/.claude/hooks/output-secrets-scanner.sh
@@ -63,7 +63,7 @@ if echo "$OUTPUT" | grep -qE 'eyJ[a-zA-Z0-9_-]*\.eyJ[a-zA-Z0-9_-]*\.[a-zA-Z0-9_-
 fi
 # Private Key markers
-if echo "$OUTPUT" | grep -qE '-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----'; then
+if echo "$OUTPUT" | grep -qE -- '-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----'; then
 WARNINGS="${WARNINGS}[!] Private key material detected in output.\n"
 fi
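Review bot: The private-key pattern on the added line still accepts only an optional `RSA `, `EC `, `DSA ` or `OPENSSH ` label, so `-----BEGIN ENCRYPTED PRIVATE KEY-----` (PKCS#8) and `-----BEGIN PGP PRIVATE KEY BLOCK-----` pass through without a warning. A broader expression closes that gap: `grep -qE -- '-----BEGIN ([A-Z0-9]+ )*PRIVATE KEY( BLOCK)?-----'`. Separately, the option-parsing bug fixed here presumably went unnoticed because `if ... | grep -q` treats grep's error exit (status 2) the same as "no match", so the check failed open. It is worth confirming whether the other grep checks in this script, which lie outside the hunk, should report a status above 1 as a scanner error rather than as clean output.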