Added gitleaks pre-commit and YAML-only sealed-secrets allowlist; comment 'paths' line in .gitleaks.toml to extend to all files

Wajid Zahoor · Wajid Zahoor · commit abc2f37b83f5 · 2025-09-10T11:32:06.000+01:00
diff --git a/.gitleaks.toml b/.gitleaks.toml
@@ -0,0 +1,15 @@
+[extend]
+useDefault = true
+
+[[rules]]
+id = "generic-api-key"
+
+# Pattern-only allowlist for long Ag… tokens in YAML 
+[[rules.allowlists]]
+condition = "AND"
+regexes = [
+  # Boundary-safe Ag… token without lookarounds (RE2-safe)
+  '''(?:^|[^A-Za-z0-9+/=])(Ag[A-Za-z0-9+/]{500,}={0,2})(?:[^A-Za-z0-9+/=]|$)'''
+]
+# Limit to YAML only for now. Comment this out if you want it to apply everywhere.
+paths = ['''(?i).*\.ya?ml$''']
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -22,3 +22,9 @@ repos:
         entry: ruff format --force-exclude
         types: [python]
         require_serial: true
+
+
+  - repo: https://github.com/gitleaks/gitleaks
+    rev: v8.28.0
+    hooks:
+      - id: gitleaks
