
Chore: [AEA-0000] - use gitleaks for secret scanning#657

Merged
anthony-nhs merged 1 commit into main from gitleaks
Apr 17, 2026

Conversation

@anthony-nhs
Contributor

use gitleaks for secret scanning

Copilot AI review requested due to automatic review settings April 17, 2026 10:13

Copilot AI left a comment


Pull request overview

This PR replaces the existing pre-commit secret scanning approach with a gitleaks-based hook, aiming to prevent committing secrets into the repository.

Changes:

  • Swap the pre-commit secret scanning hook from git-secrets to gitleaks.
  • Remove the .gitallowed allowlist file that was associated with the previous approach.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File | Description
.pre-commit-config.yaml | Replaces the secret-scanning pre-commit hook to run gitleaks.
.gitallowed | Removes the legacy allowlist file used by the previous secret scanning setup.

Comment thread .pre-commit-config.yaml
Comment on lines +73 to +77
description: gitleaks scans commits, commit messages, and --no-ff merges to prevent adding secrets into your git repositories.
entry: bash
args:
- -c
- 'git-secrets --pre_commit_hook'
- "gitleaks git --pre-commit --redact --staged --verbose"
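Review bot: the args list under `- -c` shows two consecutive command strings, `'git-secrets --pre_commit_hook'` and `"gitleaks git --pre-commit --redact --staged --verbose"`; if the git-secrets item is the removed line this is fine, but if both strings survive in the file, `bash -c` runs only the first string as the script and binds the second to `$0`, so gitleaks would never execute and the hook would pass silently. Confirm that exactly one command string follows `-c` in the merged file.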

Copilot AI Apr 17, 2026


The hook description says it scans commits, commit messages, and --no-ff merges, but the configured command (gitleaks git --pre-commit --staged) will only scan staged changes and won’t cover commit messages (and default_stages is pre-commit only). Please either update the description to match the actual behavior, or add the appropriate stage(s)/commands to scan commit messages as intended.

Comment thread .pre-commit-config.yaml
Comment on lines 74 to 78
entry: bash
args:
- -c
- 'git-secrets --pre_commit_hook'
- "gitleaks git --pre-commit --redact --staged --verbose"
language: system

Copilot AI Apr 17, 2026


This hook uses language: system and invokes gitleaks directly, but the repo’s make install target and docs don’t install/mention gitleaks. This will cause pre-commit to fail for contributors without a preinstalled gitleaks binary. Consider switching to the official pre-commit-managed gitleaks hook (pinned rev), or ensure gitleaks is installed as part of the project setup (and set pass_filenames: false / always_run: true like the other local hooks since filenames aren’t used).

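A hook configuration that addresses both review comments above, as an added example that is not part of this PR or the repository's own .pre-commit-config.yaml: it shows the pre-commit-managed gitleaks hook (the `rev` value is a placeholder to be pinned to a real release) beside a local `language: system` variant whose description matches what the command actually scans and which declares `pass_filenames: false` and `always_run: true`; the hook id, repository URL and stage name are assumed from the public gitleaks hook definition, and a real file would keep only one of the two entries.

```yaml
# Added example, not the repository's own configuration.
# Keep only ONE of the two gitleaks entries below; both are shown for comparison.
repos:
  # Option A: pre-commit installs and pins gitleaks itself, so contributors
  # do not need a preinstalled binary and the scanner version is fixed.
  - repo: https://github.com/gitleaks/gitleaks
    rev: vX.Y.Z  # placeholder: replace with a pinned gitleaks release tag
    hooks:
      - id: gitleaks

  # Option B: call a system-installed gitleaks, but make the hook honest about
  # what it scans and independent of the staged filename list.
  - repo: local
    hooks:
      - id: gitleaks-staged
        name: gitleaks (staged changes)
        # Description matches the command: staged diff only, not commit messages.
        description: gitleaks scans the staged diff to prevent adding secrets to the repository.
        entry: bash
        args:
          - -c
          # Exactly one command string follows -c; a second string would only become $0.
          - "gitleaks git --pre-commit --redact --staged --verbose"
        language: system
        pass_filenames: false   # the command ignores filenames passed by pre-commit
        always_run: true        # run even when no matching files are staged
        stages: [pre-commit]
```

Option B still fails on machines without gitleaks on PATH, so the project's setup target or docs must install it; Option A avoids that dependency entirely.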

@anthony-nhs anthony-nhs merged commit 310bae9 into main Apr 17, 2026
15 checks passed
@anthony-nhs anthony-nhs deleted the gitleaks branch April 17, 2026 10:58