chore(security): add gitleaks pre-commit hook and CI workflow#3
Merged
Conversation
Blocks AKIA*/ASIA*/AROA*/AIDA* AWS access keys, AWS secret access keys, hf_*/hf_org_* Hugging Face tokens, GOCSPX-* Google OAuth client secrets, and the gitleaks default rule set (GitHub PATs, Slack tokens, private-key blocks, etc.) before they ever land in a commit. Three layers: - .gitleaks.toml — rule set + allowlist (covers MinIO local default `minioadmin`, the AWS docs canonical example `AKIAIOSFODNN7EXAMPLE`, *.env.example placeholders, tests/bench/data/ and graphify-out/). - .pre-commit-config.yaml — runs `gitleaks protect --staged` on every commit; devs install with `pip install pre-commit && pre-commit install`. - .github/workflows/gitleaks.yml — runs on every PR + push to main + weekly cron (Mon 03:17 UTC) for a full-history sweep, uploads SARIF to the Code Scanning tab so findings show up inline in the PR review. Verified locally: - Clean working tree → 0 findings. - Synthetic AKIA + hf_ token → 4 findings (caught by both default and custom rules; matches are redacted in CI output). - `gitleaks protect --staged` against a staged leak returns non-zero exit, so the pre-commit hook actually blocks the commit. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Blocks AKIA*/ASIA*/AROA*/AIDA* AWS access keys, AWS secret access keys, hf_/hf_org_ Hugging Face tokens, GOCSPX-* Google OAuth client secrets, and the gitleaks default rule set (GitHub PATs, Slack tokens, private-key blocks, etc.) before they ever land in a commit.
Three layers:
minioadmin, the AWS docs canonical exampleAKIAIOSFODNN7EXAMPLE, *.env.example placeholders, tests/bench/data/ and graphify-out/).gitleaks protect --stagedon every commit; devs install withpip install pre-commit && pre-commit install.Verified locally:
gitleaks protect --stagedagainst a staged leak returns non-zero exit, so the pre-commit hook actually blocks the commit.