From 8e6cd1d2f0218ca5217855dda1574c06cbf63a65 Mon Sep 17 00:00:00 2001
From: Anisa Oshafi <anisaoshafi@gmail.com>
Date: Tue, 19 May 2026 14:52:09 +0200
Subject: [PATCH] Add gitleaks secret scanning via pre-commit hook and CI

---
 .pre-commit-config.yaml |  5 +++++
 CLAUDE.md               | 10 ++++++++++
 CONTRIBUTING.md         | 11 +++++++++++
 3 files changed, 26 insertions(+)
 create mode 100644 .pre-commit-config.yaml

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 00000000..0f37bf7c
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,5 @@
+repos:
+  - repo: https://github.com/gitleaks/gitleaks
+    rev: v8.30.1
+    hooks:
+      - id: gitleaks
diff --git a/CLAUDE.md b/CLAUDE.md
index 7d9202b6..52454f6c 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -2,6 +2,16 @@
 
 lstk is LocalStack's new CLI (v2) - a Go-based command-line interface for starting and managing LocalStack instances via Docker (and more runtimes in the future).
 
+# Developer Setup
+
+After cloning, install the pre-commit hooks:
+
+```bash
+pre-commit install
+```
+
+This installs a [gitleaks](https://github.com/gitleaks/gitleaks) hook that scans staged files for secrets before each commit. Requires [pre-commit](https://pre-commit.com/#install).
+
 # Build and Test Commands
 
 ```bash
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index e5aeb043..c395a270 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -9,6 +9,17 @@ Thanks for contributing to lstk! This document covers contribution guidelines fo
 - Go 1.21+ (or latest stable)
 - Docker (for integration tests)
 - Make
+- [pre-commit](https://pre-commit.com/#install) (for secret scanning hooks)
+
+### First-time setup
+
+After cloning, install the pre-commit hooks:
+
+```bash
+pre-commit install
+```
+
+This sets up a local git hook that runs [gitleaks](https://github.com/gitleaks/gitleaks) before each commit to prevent accidentally committing secrets or credentials.
 
 ### Building