Skip to content

chore: add gitleaks secret scanning (pre-commit hook + CI)#10

Merged
kexi merged 2 commits into
mainfrom
chore/gitleaks-precommit
Jun 7, 2026
Merged

chore: add gitleaks secret scanning (pre-commit hook + CI)#10
kexi merged 2 commits into
mainfrom
chore/gitleaks-precommit

Conversation

@kexi

@kexi kexi commented Jun 7, 2026

Copy link
Copy Markdown
Owner

Summary

  • Add gitleaks secret scanning, following the vibe setup:
    • pre-commit hook via lefthook — gitleaks git --staged runs on every commit so a secret is caught before it lands. lefthook + gitleaks are added to the nix dev shell and the hooks install automatically via the shell's shellHook, so contributors get the guard with no manual step.
    • CI job (gitleaks in ci.yml) — the official action scans full history on push / the PR range on pull_request and posts findings as PR comments. This is the authoritative gate (the hook is bypassable with --no-verify). SHA-pinned with pull-requests: write only at job level.
  • .gitleaks.toml extends the default ruleset and deliberately ships no broad allowlist (which would blind the scanner).

Test plan

  • nix develop installs the lefthook hooks; committing runs gitleaks (verified: a planted private key is detected → commit blocked; clean staged → passes)
  • CI gitleaks job runs and is green on this PR
  • lefthook run pre-commit succeeds locally

kexi and others added 2 commits June 7, 2026 15:56
Wire up gitleaks as a pre-commit tripwire (following the vibe setup): lefthook
runs `gitleaks git --staged` on every commit so a secret is caught before it
lands. Add gitleaks + lefthook to the nix dev shell and install the hooks
automatically via the shell's shellHook, so contributors get the guard without a
manual step. The in-repo .gitleaks.toml extends the default ruleset and
deliberately ships no broad allowlist (which would blind the scanner).

The hook is bypassable with `git commit --no-verify`, so a CI gitleaks job over
full history should remain the authoritative gate.

Co-Authored-By: Claude <noreply@anthropic.com>
Add the authoritative secret-scanning gate the pre-commit hook defers to: the
official gitleaks action scans full git history on push and the PR range on
pull_request, posting findings as PR comments. SHA-pinned (a write-scoped
secret scanner is supply-chain sensitive) with pull-requests:write granted only
at job level. Reads the in-repo .gitleaks.toml via GITLEAKS_CONFIG.

Co-Authored-By: Claude <noreply@anthropic.com>
@kexi kexi merged commit e9d14c0 into main Jun 7, 2026
10 checks passed
@kexi kexi deleted the chore/gitleaks-precommit branch June 7, 2026 06:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant