fraqtal/agentic-dev-template
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

ci(tooling): add gitleaks pre-commit secret scan with __seeds__ allowlist

Browse Source 
Blocks commits containing known secret patterns (e.g. Stripe sk_test_*)
before they reach the remote. Exits gracefully with a warning when
gitleaks is not in $PATH so developers who haven't installed it are not
blocked. .gitleaks.toml extends the upstream default ruleset and
allowlists __seeds__/** to prevent false positives from test fixtures.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Danijel Martinek
2026-05-14 17:59:10 +00:00
parent 2f57003b55
commit 9b235c7d1c
2 changed files with 21 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
.husky/pre-commit
View File

@@ -19,3 +19,10 @@ node scripts/work/state-sync-guard.mjs || exit 1
# 4. Check library decision traces for new runtime deps in feature/core packages.
node scripts/library-decisions/check.mjs || exit 1
# 5. Scan staged changes for secrets (skip gracefully if gitleaks is not installed).
if command -v gitleaks > /dev/null 2>&1; then
gitleaks protect --staged --redact || exit 1
else
echo "gitleaks not found in \$PATH — skipping secret scan (install via brew install gitleaks or https://github.com/gitleaks/gitleaks)"
fi