chore: add gitleaks secret scanning (pre-commit hook + CI)#10
Merged
Conversation
Wire up gitleaks as a pre-commit tripwire (following the vibe setup): lefthook runs `gitleaks git --staged` on every commit so a secret is caught before it lands. Add gitleaks + lefthook to the nix dev shell and install the hooks automatically via the shell's shellHook, so contributors get the guard without a manual step. The in-repo .gitleaks.toml extends the default ruleset and deliberately ships no broad allowlist (which would blind the scanner). The hook is bypassable with `git commit --no-verify`, so a CI gitleaks job over full history should remain the authoritative gate. Co-Authored-By: Claude <noreply@anthropic.com>
Add the authoritative secret-scanning gate the pre-commit hook defers to: the official gitleaks action scans full git history on push and the PR range on pull_request, posting findings as PR comments. SHA-pinned (a write-scoped secret scanner is supply-chain sensitive) with pull-requests:write granted only at job level. Reads the in-repo .gitleaks.toml via GITLEAKS_CONFIG. Co-Authored-By: Claude <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
gitleaks git --stagedruns on every commit so a secret is caught before it lands. lefthook + gitleaks are added to the nix dev shell and the hooks install automatically via the shell'sshellHook, so contributors get the guard with no manual step.gitleaksin ci.yml) — the official action scans full history on push / the PR range on pull_request and posts findings as PR comments. This is the authoritative gate (the hook is bypassable with--no-verify). SHA-pinned withpull-requests: writeonly at job level..gitleaks.tomlextends the default ruleset and deliberately ships no broad allowlist (which would blind the scanner).Test plan
nix developinstalls the lefthook hooks; committing runs gitleaks (verified: a planted private key is detected → commit blocked; clean staged → passes)gitleaksjob runs and is green on this PRlefthook run pre-commitsucceeds locally