From 6d9059e54c091f4f17d3e21c78748cef8c35a713 Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Fri, 17 Apr 2026 09:52:39 +0000
Subject: [PATCH] add gitleaks

---
 .gitallowed | 37 -------------------------------------
 .gitleaksignore | 6 ++++++
 .pre-commit-config.yaml | 8 ++++----
 3 files changed, 10 insertions(+), 41 deletions(-)
 delete mode 100644 .gitallowed
 create mode 100644 .gitleaksignore

diff --git a/.gitallowed b/.gitallowed
deleted file mode 100644
index d432024e..00000000
--- a/.gitallowed
+++ /dev/null
@@ -1,37 +0,0 @@
-# Allow GitHub workflow secrets and tokens
-token: ?"?\$\{\{\s*secrets\.GITHUB_TOKEN\s*\}\}"?
-github-token: ?"?\$\{\{\s*secrets\.GITHUB_TOKEN\s*\}\}"?
-token: ?"?\$\{\{\s*secrets\.DEPENDABOT_TOKEN\s*\}\}"?
-id-token: write
---token=\$\{\{\s*steps\.generate-token\.outputs\.token\s*\}\}
---token=\$GITHUB-TOKEN
-
-# Allow CIDR blocks in CloudFormation templates and related files
-CidrBlock: "10\.\d{1,3}\.\d{1,3}\.\d{1,3}/\d{1,2}"
-DestinationCidrBlock: "0\.0\.0\.0/0"
-CidrIp: 127\.0\.0\.1/32
-CidrIp: 0\.0\.0\.0/0
-
-# Java corretto is not a secret
-.*java corretto.*
-
-# Allow standard code in JSON files for FHIR compliance testing
-"code": "1\.2\.840\.10065\.1\.12\.1\.1"
-
-# Allow IP in X-Forwarded-For header in test files
-.*\"X-Forwarded-For\": \"86\.5\.218\.71\".*
-
-# Allow version for AspectJ in pom.xml
-1\.9\.22\.1
-
-^.*pom\.xml:.*([^<]+).*$
-^.*Gemfile\.lock:.*$
-^.*\.java:.*\\"id\\":\\"([0-9a-f\-]+)\\".*$
-
-# General ones
-.*\.gitallowed.*
-.*nhsd-rules-deny.txt.*
-.*\.venv.*
-.*node_modules.*
-pom\.xml
-poetry\.lock
diff --git a/.gitleaksignore b/.gitleaksignore
new file mode 100644
index 00000000..b62a0ee0
--- /dev/null
+++ b/.gitleaksignore
@@ -0,0 +1,6 @@
+132d16f16402991f5cdde88530fa2927048f1acb:dual/src/test/resources/examples/stepFunctionEvent.json:generic-api-key:59
+132d16f16402991f5cdde88530fa2927048f1acb:dual/src/test/resources/examples/stepFunctionEvent.json:generic-api-key:64
+0ee865828b30c8332f29e4a8f3c68a0cc3ed1df6:legacy/src/test/resources/examples/stepFunctionEvent.json:generic-api-key:59
+0ee865828b30c8332f29e4a8f3c68a0cc3ed1df6:legacy/src/test/resources/examples/stepFunctionEvent.json:generic-api-key:64
+1217a5a6672333844236eea830317e55dd29b849:src/test/resources/examples/stepFunctionEvent.json:generic-api-key:59
+1217a5a6672333844236eea830317e55dd29b849:src/test/resources/examples/stepFunctionEvent.json:generic-api-key:64
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index fd166300..4f4e6c5a 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -51,13 +51,13 @@ repos:
pass_filenames: false always_run: true - - id: git-secrets - name: Git Secrets - description: git-secrets scans commits, commit messages, and --no-ff merges to prevent adding secrets into your git repositories. + - id: gitleaks + name: Git Leaks + description: gitleaks scans commits, commit messages, and --no-ff merges to prevent adding secrets into your git repositories. entry: bash args: - -c - 'docker run -v "$LOCAL_WORKSPACE_FOLDER:/src" git-secrets --pre_commit_hook' + "gitleaks git --pre-commit --redact --staged --verbose" language: system fail_fast: true default_stages: [pre-commit]
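Review bot: The six fingerprints suppress `generic-api-key` findings at lines 59 and 64 of three copies of stepFunctionEvent.json, but nothing in the patch records why those values are safe to ignore, so a later reader cannot tell whether they are synthetic fixture keys or real credentials that ended up in test data. Please state in the commit message (or as a `#` comment line, if the gitleaks version in use accepts comments in .gitleaksignore) that the flagged strings are non-functional sample values; if they are not, the right fix is to rotate and replace them rather than allowlist them. Note also that each entry is pinned to a commit SHA, so a later edit to those lines will most likely be reported again by the staged pre-commit scan, which uses a fingerprint without a commit; that is the intended behaviour of fingerprint allowlisting but worth knowing before the fixtures are next touched.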
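Review bot: The description on the new gitleaks entry is copied verbatim from the git-secrets hook and no longer matches what the hook does: with `--pre-commit --staged` the command scans staged changes only, not commit messages or `--no-ff` merges, so it should read something like `description: gitleaks scans staged changes for secrets before each commit; findings are redacted in the output.` The `bash -c` wrapper is also unnecessary now that the docker invocation is gone; `entry: gitleaks` with `args: [git, --pre-commit, --redact, --staged, --verbose]` drops the shell layer (unless a `pass_filenames: false` follows outside the hunk, pre-commit appends the staged filenames, which under `bash -c` become silently ignored positional parameters). Finally, `language: system` makes the hook depend on an unpinned gitleaks binary already on each contributor's PATH, whereas the replaced hook shipped its scanner in a container; consider the upstream gitleaks pre-commit hook with a pinned `rev`, or at least document the required version so a missing binary fails with a clear message rather than `command not found`.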