ci(tooling): add gitleaks pre-commit secret scan with __seeds__ allowlist

Blocks commits containing known secret patterns (e.g. Stripe sk_test_*) before they reach the remote. Exits gracefully with a warning when gitleaks is not in $PATH so developers who haven't installed it are not blocked. .gitleaks.toml extends the upstream default ruleset and allowlists __seeds__/** to prevent false positives from test fixtures. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-14 17:59:10 +00:00
parent 2f57003b55
commit 9b235c7d1c
2 changed files with 21 additions and 0 deletions
--- a/.gitleaks.toml
+++ b/.gitleaks.toml
@@ -0,0 +1,14 @@
+# Gitleaks configuration for this monorepo.
+# Docs: https://github.com/gitleaks/gitleaks#configuration
+
+title = "gitleaks config"
+
+[extend]
+# Use the upstream default ruleset as the base.
+useDefault = true
+
+[allowlist]
+description = "Test fixtures in __seeds__ directories use token-shaped dummy strings that are not real credentials."
+paths = [
+  '''__seeds__/''',
+]
--- a/.husky/pre-commit
+++ b/.husky/pre-commit
@@ -19,3 +19,10 @@ node scripts/work/state-sync-guard.mjs || exit 1

 # 4. Check library decision traces for new runtime deps in feature/core packages.
 node scripts/library-decisions/check.mjs || exit 1
+
+# 5. Scan staged changes for secrets (skip gracefully if gitleaks is not installed).
+if command -v gitleaks > /dev/null 2>&1; then
+  gitleaks protect --staged --redact || exit 1
+else
+  echo "gitleaks not found in \$PATH — skipping secret scan (install via brew install gitleaks or https://github.com/gitleaks/gitleaks)"
+fi