Chore: [AEA-0000] - use gitleaks for secret scanning #532
anthony-nhs wants to merge 1 commit into main from
Conversation
Pull request overview
This PR switches the repository’s pre-commit secret scanning from git-secrets to gitleaks.
Changes:
- Replaces the existing git-secrets pre-commit hook with a gitleaks hook.
- Adds a .gitleaksignore file to suppress current findings in test fixtures and sample documentation.
- Removes the legacy .gitallowed allowlist file used by git-secrets.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| .pre-commit-config.yaml | Swaps the secret scanning hook from git-secrets to gitleaks (currently via a system-installed binary). |
| .gitleaksignore | Adds commit-specific ignore entries for existing token-like strings in fixtures/docs. |
| .gitallowed | Deletes the git-secrets allowlist file no longer needed after the tool switch. |
| - -c | ||
| - 'git-secrets --pre_commit_hook' | ||
| - "gitleaks git --pre-commit --redact --staged --verbose" | ||
| language: system |
The gitleaks hook is currently configured without pass_filenames: false / always_run: true. With entry: bash -c ..., pre-commit will still append the staged filenames as extra bash parameters, and the hook can be skipped when no filenames are passed. Consider setting pass_filenames: false (and always_run: true if you want it to run on every commit) so the hook behavior is deterministic and not dependent on filename passing.
| language: system | |
| language: system | |
| pass_filenames: false | |
| always_run: true |
| - id: gitleaks | ||
| name: Git Leaks | ||
| description: gitleaks scans commits, commit messages, and --no-ff merges to prevent adding secrets into your git repositories. | ||
| entry: bash | ||
| args: | ||
| - -c | ||
| - 'git-secrets --pre_commit_hook' | ||
| - "gitleaks git --pre-commit --redact --staged --verbose" | ||
| language: system | ||
This hook relies on a system-installed gitleaks binary (language: system) but the config doesn’t pin a version like the other tool hooks (black/flake8). That can lead to different results (or failures) across developer machines/CI depending on the installed gitleaks version and CLI compatibility. Prefer using the official gitleaks pre-commit repo hook (pinned rev) or otherwise managing the gitleaks version in-repo (e.g., via a Make target/script that installs a specific version).
| 37bc8f37e5f717b2aac63783e8c6760d8e4babb5:packages/slackBotFunction/tests/example_command.json:generic-api-key:3 | ||
| 37bc8f37e5f717b2aac63783e8c6760d8e4babb5:packages/slackBotFunction/tests/example_command.json:generic-api-key:20 | ||
| 2979738bdff20c9d70de06d682f0e8e8932fd5e3:packages/slackBotFunction/tests/example_command.json:generic-api-key:3 | ||
| 2979738bdff20c9d70de06d682f0e8e8932fd5e3:packages/slackBotFunction/tests/example_command.json:generic-api-key:20 | ||
| 5627ebe762dc71b49801dc89da4c20e0cd339ece:packages/slackBotFunction/tests/example_event.json:generic-api-key:2 | ||
| 5627ebe762dc71b49801dc89da4c20e0cd339ece:packages/slackBotFunction/tests/example_action.json:generic-api-key:10 | ||
| 70f4f55f8a060fe2747bc3e4e61937d72c0fb0a9:sample_docs/eps_output.md:curl-auth-header:284 | ||
| 70f4f55f8a060fe2747bc3e4e61937d72c0fb0a9:sample_docs/eps_output.md:curl-auth-header:3040 | ||
| 70f4f55f8a060fe2747bc3e4e61937d72c0fb0a9:sample_docs/eps_output.md:curl-auth-header:5908 | ||
| 70f4f55f8a060fe2747bc3e4e61937d72c0fb0a9:sample_docs/eps_output.md:curl-auth-header:9290 | ||
| 70f4f55f8a060fe2747bc3e4e61937d72c0fb0a9:sample_docs/eps_output.md:curl-auth-header:14391 | ||
| 70f4f55f8a060fe2747bc3e4e61937d72c0fb0a9:sample_docs/eps_output.md:curl-auth-header:15297 | ||
| 70f4f55f8a060fe2747bc3e4e61937d72c0fb0a9:sample_docs/eps_output.md:curl-auth-header:19205 | ||
| 70f4f55f8a060fe2747bc3e4e61937d72c0fb0a9:sample_docs/eps_output.md:curl-auth-header:20174 |
The new .gitleaksignore entries are commit-SHA-specific for fixtures/docs that contain token-like strings (e.g., Slack token/response_url values and Authorization: Bearer ... examples). This is brittle: any edit to those files will usually generate a new finding fingerprint and the ignore will stop working, creating recurring noise. Prefer sanitising those fixtures/docs to use obvious placeholders (so they don’t match secret patterns) and/or adding a path-/regex-based allowlist in a gitleaks config, reserving .gitleaksignore for one-off historical findings.
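One way to express the path-based allowlist suggested above, as an added example that is not part of this PR: a `.gitleaks.toml` placed at the repository root (gitleaks picks it up when no `--config` is given). The paths below are the fixture and sample-doc locations named in the `.gitleaksignore` entries; `useDefault = true` keeps the built-in rule set so the allowlist only narrows where findings are raised.

```toml
# .gitleaks.toml (added example, not part of the PR)
# Keep the default gitleaks rules; this file only adds allowlist entries.
[extend]
useDefault = true

[allowlist]
description = "Test fixtures and sample docs that intentionally contain token-shaped placeholder values"
# Paths are Go regular expressions matched against the repo-relative file path.
# Allowlisting whole fixture files avoids fingerprint entries that break on every edit;
# keep real secrets out of these paths and use obvious placeholders instead.
paths = [
  '''^packages/slackBotFunction/tests/example_[a-z]+\.json$''',
  '''^sample_docs/eps_output\.md$''',
]
```

With this in place, `.gitleaksignore` can be reserved for one-off historical findings, and new fixtures under the same paths do not generate fresh findings that need individual fingerprints.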
| name: Git Leaks | ||
| description: gitleaks scans commits, commit messages, and --no-ff merges to prevent adding secrets into your git repositories. | ||
| entry: bash | ||
| args: | ||
| - -c | ||
| - 'git-secrets --pre_commit_hook' | ||
| - "gitleaks git --pre-commit --redact --staged --verbose" |
The hook description looks copied from git-secrets and may not reflect what this configuration actually does (it runs gitleaks ... --staged during pre-commit rather than scanning commit messages/merge commits). Updating the description to match the actual behavior will help contributors understand what is being scanned.
use gitleaks for secret scanning