-
Notifications
You must be signed in to change notification settings - Fork 2
Chore: [AEA-0000] - use gitleaks for secret scanning #502
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
This file was deleted.
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| 132d16f16402991f5cdde88530fa2927048f1acb:dual/src/test/resources/examples/stepFunctionEvent.json:generic-api-key:59 | ||
| 132d16f16402991f5cdde88530fa2927048f1acb:dual/src/test/resources/examples/stepFunctionEvent.json:generic-api-key:64 | ||
| 0ee865828b30c8332f29e4a8f3c68a0cc3ed1df6:legacy/src/test/resources/examples/stepFunctionEvent.json:generic-api-key:59 | ||
| 0ee865828b30c8332f29e4a8f3c68a0cc3ed1df6:legacy/src/test/resources/examples/stepFunctionEvent.json:generic-api-key:64 | ||
| 1217a5a6672333844236eea830317e55dd29b849:src/test/resources/examples/stepFunctionEvent.json:generic-api-key:59 | ||
| 1217a5a6672333844236eea830317e55dd29b849:src/test/resources/examples/stepFunctionEvent.json:generic-api-key:64 | ||
| Original file line number | Diff line number | Diff line change | ||||||
|---|---|---|---|---|---|---|---|---|
|
|
@@ -51,13 +51,13 @@ repos: | |||||||
| pass_filenames: false | ||||||||
| always_run: true | ||||||||
|
|
||||||||
| - id: git-secrets | ||||||||
| name: Git Secrets | ||||||||
| description: git-secrets scans commits, commit messages, and --no-ff merges to prevent adding secrets into your git repositories. | ||||||||
| - id: gitleaks | ||||||||
| name: Git Leaks | ||||||||
| description: gitleaks scans commits, commit messages, and --no-ff merges to prevent adding secrets into your git repositories. | ||||||||
| entry: bash | ||||||||
| args: | ||||||||
| - -c | ||||||||
| - 'docker run -v "$LOCAL_WORKSPACE_FOLDER:/src" git-secrets --pre_commit_hook' | ||||||||
| - "gitleaks git --pre-commit --redact --staged --verbose" | ||||||||
| language: system | ||||||||
|
||||||||
| language: system | |
| language: system | |
| pass_filenames: false |
Copilot
AI
Apr 17, 2026
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This hook is configured with language: system, so contributors/CI will use whatever gitleaks happens to be installed locally. Because the CLI flags and default rules can vary by version, this can make pre-commit behavior inconsistent or suddenly break. Consider switching to the official gitleaks pre-commit hook repo with a pinned rev (or otherwise pin/document the required gitleaks version) so runs are reproducible.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The
.gitleaksignoreentries are pinned to specific commit SHAs and line numbers. This is brittle (any refactor/reformat or file move will invalidate the ignore) and can make it hard to understand what is being suppressed over time. For test/example payloads, prefer replacing token-like values with obvious placeholders, or add a path-based allowlist/ignore rule (via gitleaks config) so the suppression is stable and auditable.