
ci: add gitleaks secret scanning (CI job + pre-commit hook)#21

Merged

riglar merged 2 commits into dev from ci/secret-scanning on Jun 19, 2026

Conversation

riglar (Contributor) commented Jun 19, 2026

Why

Defense-in-depth secret scanning ahead of making this repo public. Scans for committed credentials at two points so nothing slips through.

What

  • CI secret-scan job (cli-ci.yml) — scans the full git history on every push/PR with a pinned gitleaks binary. Run directly (not gitleaks-action) to avoid the paid GITLEAKS_LICENSE required for org-owned repos. This is the enforced backstop.
  • Pre-commit hook (husky) — scans staged changes locally and blocks commits containing secrets. Skips gracefully with install instructions if the gitleaks binary is absent, so it never blocks a contributor who hasn't set it up.
  • Shared .gitleaks.toml — allowlists only the two public Supabase anon keys, by exact value (not by file path or the whole jwt rule) so a service_role JWT pasted into the same file would still be caught.
  • README — adds a Development + secret-scanning section (incl. brew install gitleaks).

Verification

Tested the hook locally against gitleaks 8.30.1:

Case                              | Result
Clean staged change               | passes (exit 0)
Real secret staged (GitHub PAT)   | blocked (exit 1)
Public Supabase anon keys         | allowed via shared allowlist
gitleaks not installed            | skips gracefully (exit 0)

Full-history scan of the current repo is clean (the two anon keys are the only matches, and they're allowlisted).

🤖 Generated with Claude Code
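As an added example, not the PR's own hook or CI job, here is one POSIX sh script that covers both scan points the description lists: run with no arguments it is the pre-commit hook (staged changes only, skips with an install hint when the gitleaks binary is absent), run with `history` it is the CI backstop (full git history, and a missing binary is a hard failure rather than a skip). It assumes the script lives at scripts/secret-scan.sh, that the shared allowlist is .gitleaks.toml at the repo root, and that the binary is gitleaks 8.19 or newer, whose `git` subcommand replaced `protect --staged` and `detect`; the `GITLEAKS_CONFIG_FILE` variable and the `scan_staged`/`scan_history`/`run_gitleaks` names are this example's own.

```shell
#!/bin/sh
# Added example (not the project's code). Serves both scan points:
#   scripts/secret-scan.sh          -> husky pre-commit: staged changes only
#   scripts/secret-scan.sh history  -> CI backstop: full git history
# Assumes gitleaks 8.19+ ("gitleaks git ..."); the config path below is an
# assumed layout, override it with GITLEAKS_CONFIG_FILE if yours differs.

GITLEAKS_CONFIG_FILE="${GITLEAKS_CONFIG_FILE:-.gitleaks.toml}"

# resolve_gitleaks [name-or-path]: print the resolved gitleaks binary, or
# return non-zero (printing nothing) when it cannot be found.
resolve_gitleaks() {
    command -v "${1:-gitleaks}" 2>/dev/null
}

# run_gitleaks BIN [extra flags...]: shared invocation for both modes.
# --redact keeps the matched secret value out of terminal and CI logs,
# --no-banner keeps hook output short, and the shared allowlist is passed
# explicitly only when it exists so a fresh clone still gets default rules.
run_gitleaks() {
    gl="$1"; shift
    if [ -f "$GITLEAKS_CONFIG_FILE" ]; then
        set -- "$@" --config "$GITLEAKS_CONFIG_FILE"
    fi
    "$gl" git --redact --no-banner "$@"
}

# Hook mode: scan only what is staged. A missing binary returns 0 (skip with
# install hint) so the hook never blocks a contributor who has not installed
# gitleaks; CI is the enforced backstop for exactly that case.
scan_staged() {
    bin=$(resolve_gitleaks "$1") || {
        echo "secret-scan: gitleaks not found, skipping pre-commit scan." >&2
        echo "secret-scan: install it with 'brew install gitleaks' (see README)." >&2
        return 0
    }
    run_gitleaks "$bin" --staged --pre-commit
}

# CI mode: scan the full history. Here a missing binary is a failure, not a
# skip; otherwise a misconfigured runner would silently pass every push.
scan_history() {
    bin=$(resolve_gitleaks "$1") || {
        echo "secret-scan: gitleaks binary required in CI but not found." >&2
        return 2
    }
    run_gitleaks "$bin" --verbose
}

# Entry point. husky runs the hook with no arguments; the CI job runs
# `sh scripts/secret-scan.sh history`. The script's exit status is the
# scan's exit status, so a finding (gitleaks exit 1) blocks the commit/job.
case "${1:-staged}" in
    history) scan_history ;;
    staged)  scan_staged ;;
    *)       echo "usage: $0 [staged|history]" >&2; false ;;
esac
```

Wiring it up: the husky hook file (.husky/pre-commit) contains just `sh scripts/secret-scan.sh`, and the CI job runs `sh scripts/secret-scan.sh history` after installing the pinned binary. Two caveats a reviewer would check: `actions/checkout` defaults to `fetch-depth: 1`, so a "full history" scan in CI only sees the tip commit unless the checkout step sets `fetch-depth: 0`; and without `--redact` a true positive prints the credential into the CI log, which is itself a leak.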

riglar and others added 2 commits June 19, 2026 13:24
Add defense-in-depth secret scanning ahead of making the repo public:

- CI `secret-scan` job in cli-ci.yml scans full git history on every
  push/PR using a pinned gitleaks binary (run directly to avoid the
  gitleaks-action paid license for org repos).
- husky pre-commit hook scans staged changes locally and blocks commits
  containing secrets; skips gracefully if the gitleaks binary is absent.
- Shared .gitleaks.toml allowlists only the two public Supabase anon keys
  by exact value (not by file/rule), so a service_role JWT pasted into the
  same file would still be caught.
- README gains a Development + secret-scanning section.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
claude Bot commented Jun 19, 2026

Code review

No issues found. Checked for bugs and CLAUDE.md compliance.


@riglar riglar merged commit c70243b into dev Jun 19, 2026
3 checks passed
@riglar riglar deleted the ci/secret-scanning branch June 19, 2026 12:45