Skip to content

chore(security): add gitleaks pre-commit hook and CI workflow#3

Merged
as791 merged 1 commit into
mainfrom
chore/gitleaks-secret-scanning
Jun 16, 2026
Merged

chore(security): add gitleaks pre-commit hook and CI workflow#3
as791 merged 1 commit into
mainfrom
chore/gitleaks-secret-scanning

Conversation

@as791

@as791 as791 commented Jun 16, 2026

Copy link
Copy Markdown
Owner

Blocks AKIA*/ASIA*/AROA*/AIDA* AWS access keys, AWS secret access keys, hf_/hf_org_ Hugging Face tokens, GOCSPX-* Google OAuth client secrets, and the gitleaks default rule set (GitHub PATs, Slack tokens, private-key blocks, etc.) before they ever land in a commit.

Three layers:

  • .gitleaks.toml — rule set + allowlist (covers MinIO local default minioadmin, the AWS docs canonical example AKIAIOSFODNN7EXAMPLE, *.env.example placeholders, tests/bench/data/ and graphify-out/).
  • .pre-commit-config.yaml — runs gitleaks protect --staged on every commit; devs install with pip install pre-commit && pre-commit install.
  • .github/workflows/gitleaks.yml — runs on every PR + push to main + weekly cron (Mon 03:17 UTC) for a full-history sweep, uploads SARIF to the Code Scanning tab so findings show up inline in the PR review.

Verified locally:

  • Clean working tree → 0 findings.
  • Synthetic AKIA + hf_ token → 4 findings (caught by both default and custom rules; matches are redacted in CI output).
  • gitleaks protect --staged against a staged leak returns non-zero exit, so the pre-commit hook actually blocks the commit.

Blocks AKIA*/ASIA*/AROA*/AIDA* AWS access keys, AWS secret access
keys, hf_*/hf_org_* Hugging Face tokens, GOCSPX-* Google OAuth client
secrets, and the gitleaks default rule set (GitHub PATs, Slack tokens,
private-key blocks, etc.) before they ever land in a commit.

Three layers:
- .gitleaks.toml — rule set + allowlist (covers MinIO local default
  `minioadmin`, the AWS docs canonical example `AKIAIOSFODNN7EXAMPLE`,
  *.env.example placeholders, tests/bench/data/ and graphify-out/).
- .pre-commit-config.yaml — runs `gitleaks protect --staged` on every
  commit; devs install with `pip install pre-commit && pre-commit install`.
- .github/workflows/gitleaks.yml — runs on every PR + push to main +
  weekly cron (Mon 03:17 UTC) for a full-history sweep, uploads SARIF
  to the Code Scanning tab so findings show up inline in the PR review.

Verified locally:
- Clean working tree → 0 findings.
- Synthetic AKIA + hf_ token → 4 findings (caught by both default and
  custom rules; matches are redacted in CI output).
- `gitleaks protect --staged` against a staged leak returns non-zero
  exit, so the pre-commit hook actually blocks the commit.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@as791 as791 merged commit daa4c0a into main Jun 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant