Chore: [AEA-0000] - use gitleaks for secret scanning #134
Conversation
Pull request overview
This PR switches the repository’s pre-commit secret scanning from git-secrets to gitleaks, aligning local developer checks with a more modern secrets scanner.
Changes:
- Replace the git-secrets pre-commit hook with a gitleaks hook.
- Remove the git-secrets allowlist file (.gitallowed).
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| .pre-commit-config.yaml | Replaces the secret-scanning hook implementation to invoke gitleaks. |
| .gitallowed | Removes the legacy allowlist file used by git-secrets. |
| name: Git Leaks | ||
| description: gitleaks scans commits, commit messages, and --no-ff merges to prevent adding secrets into your git repositories. | ||
| entry: bash | ||
| args: | ||
| - -c | ||
| - 'git-secrets --pre_commit_hook' | ||
| - "gitleaks git --pre-commit --redact --staged --verbose" |
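Review bot: the `entry: bash` plus `args: [-c, "gitleaks git ..."]` indirection adds a shell layer this hook does not need and hides the real command inside a quoted string; point `entry` at the binary itself (`entry: gitleaks` with `args: [git, --pre-commit, --redact, --staged, --verbose]`) so pre-commit invokes gitleaks directly and the arguments are visible as a plain list.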
The hook description claims it scans commit messages and --no-ff merges, but this pre-commit config only runs at the pre-commit stage and the command uses --staged. Please update the description (or stages/command) so it accurately reflects what is actually scanned.
| - id: gitleaks | ||
| name: Git Leaks | ||
| description: gitleaks scans commits, commit messages, and --no-ff merges to prevent adding secrets into your git repositories. | ||
| entry: bash | ||
| args: | ||
| - -c | ||
| - 'git-secrets --pre_commit_hook' | ||
| - "gitleaks git --pre-commit --redact --staged --verbose" | ||
| language: system |
This hook uses language: system and relies on a locally installed gitleaks with an unpinned CLI interface. To avoid contributors/CI breaking when gitleaks isn't installed or its subcommands/flags differ by version, prefer using the official pre-commit hook repo (pinning rev) or otherwise ensuring installation/version pinning in the devcontainer/tooling.
| - -c | ||
| - 'git-secrets --pre_commit_hook' | ||
| - "gitleaks git --pre-commit --redact --staged --verbose" | ||
| language: system |
The gitleaks hook is missing pass_filenames: false and always_run: true. As written, pre-commit will pass filenames to bash -c (unneeded/large argv) and the hook may be skipped on empty commits; secret scanning hooks typically should run regardless of which files changed.
| language: system | |
| language: system | |
| pass_filenames: false | |
| always_run: true |
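A complete `.pre-commit-config.yaml` that applies the review points above (the pinned upstream hook instead of a `language: system` wrapper, no filename passing, always run). This is an added example, not the configuration from this PR or from the gitleaks project; the `rev` tag is an assumed placeholder and must be replaced with a release you have verified.

```yaml
# .pre-commit-config.yaml  (added example; not the file from this PR)
#
# Weak form, equivalent to the PR's hook: it depends on whatever `gitleaks`
# happens to be on PATH, so a missing install or a version whose subcommands
# or flags differ breaks every commit for contributors and CI.
#
#   - repo: local
#     hooks:
#       - id: gitleaks
#         name: Git Leaks
#         entry: bash
#         args: ["-c", "gitleaks git --pre-commit --redact --staged --verbose"]
#         language: system
#
# Hardened form: use the upstream hook repository pinned to a release tag, so
# pre-commit installs that exact gitleaks version for every developer and runner.
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.18.4   # assumed tag for illustration; pin to a release you have verified
    hooks:
      - id: gitleaks
        # Upstream defines the command (gitleaks git --pre-commit --redact
        # --staged --verbose); the keys below override only name/description
        # and pin the run behaviour raised in review.
        name: gitleaks (staged changes)
        description: Scan the staged changes for secrets before each commit.
        pass_filenames: false   # gitleaks reads the index itself; no argv list needed
        always_run: true        # run even when no staged file matches a file filter
```

Check it with `pre-commit run gitleaks --all-files` before merging, and note that the allowlisting previously held in `.gitallowed` has no equivalent here: any needed exceptions move to gitleaks' own configuration file (`.gitleaks.toml`), which is scoped to rules, paths and regexes rather than to whole lines.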
|



use gitleaks for secret scanning