Chore: [AEA-0000] - use gitleaks for secret scanning#502
Conversation
Pull request overview
This PR replaces the existing pre-commit secret scanning hook with gitleaks, aiming to enforce secret detection during local development and reduce the chance of committing credentials.
Changes:
- Swap the pre-commit hook from `git-secrets` to `gitleaks`.
- Add a `.gitleaksignore` file to suppress known findings.
- Remove the `.gitallowed` allowlist file previously used by `git-secrets`.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| .pre-commit-config.yaml | Replaces the local secret-scanning hook command to run gitleaks during pre-commit. |
| .gitleaksignore | Adds ignore entries intended to suppress existing/known secret findings. |
| .gitallowed | Removes the git-secrets allowlist file (now unused after switching scanners). |
| - -c | ||
| - 'docker run -v "$LOCAL_WORKSPACE_FOLDER:/src" git-secrets --pre_commit_hook' | ||
| - "gitleaks git --pre-commit --redact --staged --verbose" | ||
| language: system |
pass_filenames is not disabled for this hook, so pre-commit will append the list of staged files to the bash -c ... invocation. Since the command already uses --staged and doesn’t consume filenames, this adds unnecessary args and can hit command-line length limits on large commits. Set pass_filenames: false (and, if you want it to run even when no files match, also consider always_run: true).
| language: system | |
| language: system | |
| pass_filenames: false |
| 132d16f16402991f5cdde88530fa2927048f1acb:dual/src/test/resources/examples/stepFunctionEvent.json:generic-api-key:59 | ||
| 132d16f16402991f5cdde88530fa2927048f1acb:dual/src/test/resources/examples/stepFunctionEvent.json:generic-api-key:64 | ||
| 0ee865828b30c8332f29e4a8f3c68a0cc3ed1df6:legacy/src/test/resources/examples/stepFunctionEvent.json:generic-api-key:59 | ||
| 0ee865828b30c8332f29e4a8f3c68a0cc3ed1df6:legacy/src/test/resources/examples/stepFunctionEvent.json:generic-api-key:64 | ||
| 1217a5a6672333844236eea830317e55dd29b849:src/test/resources/examples/stepFunctionEvent.json:generic-api-key:59 | ||
| 1217a5a6672333844236eea830317e55dd29b849:src/test/resources/examples/stepFunctionEvent.json:generic-api-key:64 |
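Review bot: the same two findings (generic-api-key at lines 59 and 64) recur in three copies of stepFunctionEvent.json under src/, dual/ and legacy/, so the token-like example value has been duplicated along with the file; whichever remediation is chosen (placeholder values or an allowlist rule) has to cover all three copies, and these commit-pinned fingerprints stop matching as soon as any one of them is edited, reformatted or moved.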
The .gitleaksignore entries are pinned to specific commit SHAs and line numbers. This is brittle (any refactor/reformat or file move will invalidate the ignore) and can make it hard to understand what is being suppressed over time. For test/example payloads, prefer replacing token-like values with obvious placeholders, or add a path-based allowlist/ignore rule (via gitleaks config) so the suppression is stable and auditable.
| 132d16f16402991f5cdde88530fa2927048f1acb:dual/src/test/resources/examples/stepFunctionEvent.json:generic-api-key:59 | |
| 132d16f16402991f5cdde88530fa2927048f1acb:dual/src/test/resources/examples/stepFunctionEvent.json:generic-api-key:64 | |
| 0ee865828b30c8332f29e4a8f3c68a0cc3ed1df6:legacy/src/test/resources/examples/stepFunctionEvent.json:generic-api-key:59 | |
| 0ee865828b30c8332f29e4a8f3c68a0cc3ed1df6:legacy/src/test/resources/examples/stepFunctionEvent.json:generic-api-key:64 | |
| 1217a5a6672333844236eea830317e55dd29b849:src/test/resources/examples/stepFunctionEvent.json:generic-api-key:59 | |
| 1217a5a6672333844236eea830317e55dd29b849:src/test/resources/examples/stepFunctionEvent.json:generic-api-key:64 |
| - id: gitleaks | ||
| name: Git Leaks | ||
| description: gitleaks scans commits, commit messages, and --no-ff merges to prevent adding secrets into your git repositories. | ||
| entry: bash | ||
| args: | ||
| - -c | ||
| - 'docker run -v "$LOCAL_WORKSPACE_FOLDER:/src" git-secrets --pre_commit_hook' | ||
| - "gitleaks git --pre-commit --redact --staged --verbose" | ||
| language: system |
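Review bot: the `description:` still says the hook scans "commits, commit messages, and --no-ff merges", but the `args` run `gitleaks git --pre-commit --redact --staged --verbose`, which only scans the staged diff; either update the description to say it scans staged changes, or drop it and rely on the upstream hook definition so the two cannot drift apart.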
This hook is configured with language: system, so contributors/CI will use whatever gitleaks happens to be installed locally. Because the CLI flags and default rules can vary by version, this can make pre-commit behavior inconsistent or suddenly break. Consider switching to the official gitleaks pre-commit hook repo with a pinned rev (or otherwise pin/document the required gitleaks version) so runs are reproducible.
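As an added example, not code from this PR or from the gitleaks project, the following script writes the two files the review comments above ask for: a `.pre-commit-config.yaml` that uses the upstream gitleaks hook definition with a pinned `rev` (so `pass_filenames: false` and the gitleaks version come from the hook repo rather than from whatever binary is on PATH), and a `.gitleaks.toml` whose path-based allowlist replaces the commit-pinned `.gitleaksignore` fingerprints. The release tag in `GITLEAKS_REV` and the `write_gitleaks_config` helper are assumptions for illustration; pin to the release you have actually verified.

```shell
#!/usr/bin/env bash
# Added example (not from the PR): generate a pinned gitleaks pre-commit hook
# and a gitleaks config with a path allowlist for the example payloads.
set -eu

# Assumption: pin to a real gitleaks release tag you have checked.
GITLEAKS_REV="${GITLEAKS_REV:-v8.18.4}"

write_gitleaks_config() {
  dir="$1"
  mkdir -p "$dir"

  # Use the upstream hook instead of 'language: system' + 'bash -c'.
  # The upstream .pre-commit-hooks.yaml already sets pass_filenames: false
  # and runs "gitleaks git --pre-commit --redact --staged --verbose".
  cat >"$dir/.pre-commit-config.yaml" <<EOF
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: ${GITLEAKS_REV}
    hooks:
      - id: gitleaks
EOF

  # gitleaks picks up .gitleaks.toml from the repository root by default.
  # The path regex covers every copy of the example event
  # (src/, dual/src/, legacy/src/) regardless of commit SHA or line number.
  cat >"$dir/.gitleaks.toml" <<'EOF'
title = "repository gitleaks config"

[extend]
useDefault = true

[allowlist]
description = "Step Functions example events in test resources carry placeholder tokens"
paths = [
  '''(^|/)src/test/resources/examples/stepFunctionEvent\.json$''',
]
EOF
}

# Usage (requires gitleaks and pre-commit; kept as comments so the script runs offline):
#   write_gitleaks_config .
#   pre-commit run gitleaks --all-files                    # full working-tree scan via the pinned hook
#   gitleaks git --pre-commit --staged --redact --verbose  # what the hook runs on each commit
```

Prefer the allowlist only for files that genuinely hold placeholder data; for real credentials that were committed, rotate them rather than suppress the finding.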
use gitleaks for secret scanning