From 9b235c7d1ccc75b5c64882a8f47bb690a48eeaab Mon Sep 17 00:00:00 2001
From: Danijel Martinek
Date: Thu, 14 May 2026 17:59:10 +0000
Subject: [PATCH] ci(tooling): add gitleaks pre-commit secret scan with __seeds__ allowlist

Blocks commits containing known secret patterns (e.g. Stripe sk_test_*) before they reach the remote. Exits gracefully with a warning when gitleaks is not in $PATH so developers who haven't installed it are not blocked. .gitleaks.toml extends the upstream default ruleset and allowlists __seeds__/** to prevent false positives from test fixtures.

Co-Authored-By: Claude Sonnet 4.6
---
.gitleaks.toml | 14 ++++++++++++++
.husky/pre-commit | 7 +++++++
2 files changed, 21 insertions(+)
create mode 100644 .gitleaks.toml

diff --git a/.gitleaks.toml b/.gitleaks.toml
new file mode 100644
index 0000000..0007830
--- /dev/null
+++ b/.gitleaks.toml
@@ -0,0 +1,14 @@
+# Gitleaks configuration for this monorepo.
+# Docs: https://github.com/gitleaks/gitleaks#configuration
+
+title = "gitleaks config"
+
+[extend]
+# Use the upstream default ruleset as the base.
+useDefault = true
+
+[allowlist]
+description = "Test fixtures in __seeds__ directories use token-shaped dummy strings that are not real credentials."
+paths = [
+    '''__seeds__/''',
+]
diff --git a/.husky/pre-commit b/.husky/pre-commit
index 92c418a..e8d39f8 100755
--- a/.husky/pre-commit
+++ b/.husky/pre-commit
@@ -19,3 +19,10 @@ node scripts/work/state-sync-guard.mjs || exit 1
 
 # 4. Check library decision traces for new runtime deps in feature/core packages.
 node scripts/library-decisions/check.mjs || exit 1
+
+# 5. Scan staged changes for secrets (skip gracefully if gitleaks is not installed).
+if command -v gitleaks > /dev/null 2>&1; then
+  gitleaks protect --staged --redact || exit 1
+else
+  echo "gitleaks not found in \$PATH — skipping secret scan (install via brew install gitleaks or https://github.com/gitleaks/gitleaks)"
+fi
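Review bot: The `paths` entry under `[allowlist]` is an unanchored Go regexp, so `'''__seeds__/'''` exempts every file whose repo-relative path contains that substring anywhere (a `foo__seeds__/x` directory included) from every rule, and a real credential a developer pastes into a seed fixture — the usual way a live `sk_test_*` key ends up committed — is never scanned at all. Anchor it, `'''(^|/)__seeds__/'''`, and consider narrowing the exemption to the fixtures' known placeholder values with a `regexes` entry (or a `stopwords` list if the dummies share a fixed prefix) rather than skipping the whole directory. The `description` says `__seeds__/**`, but the entry is a regexp matched against the path, not a glob; a one-line comment above `paths` such as `# Go regexp against the repo-relative path (not a glob); anchored so only real __seeds__ dirs match.` would stop the next reader from adding glob syntax here.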
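Review bot: Step 5 fails open twice over — a developer who never installs gitleaks gets a warning and the commit proceeds, and `git commit --no-verify` skips the hook entirely — so on its own it is a convenience rather than a control, and the `.gitleaks.toml` ruleset only gates the remote if the same scan also runs in CI or a server-side hook (e.g. `gitleaks git --redact` over the push range); the skip branch should say that instead of only pointing at install instructions. Two smaller points: recent gitleaks releases mark `protect` as deprecated in favour of `gitleaks git --pre-commit --staged` (requires v8.19 or newer, so pin or document the minimum version), and the warning goes to stdout rather than stderr. An opt-in `GITLEAKS_REQUIRED=1` flag lets CI and stricter teams fail closed without changing the default for everyone else. The script begins before this hunk; only its tail is shown.
```shell
# … unchanged: steps 1–4 …

# 5. Scan staged changes for secrets. Fails open when gitleaks is absent
#    (set GITLEAKS_REQUIRED=1 to fail closed). This hook is skipped by
#    --no-verify and by a missing install, so CI must run the same scan.
if command -v gitleaks > /dev/null 2>&1; then
  gitleaks git --pre-commit --staged --redact || exit 1
elif [ "${GITLEAKS_REQUIRED:-0}" = "1" ]; then
  echo "gitleaks is required (GITLEAKS_REQUIRED=1) but not found in \$PATH" >&2
  exit 1
else
  echo "gitleaks not found in \$PATH — skipping secret scan (install via brew install gitleaks or https://github.com/gitleaks/gitleaks)" >&2
fi
```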