chore(pre-commit): add gitleaks hook and YAML-only sealed-secrets allowlist

wajidzahoor-dls · wajidzahoor-dls · commit b7d665833c8d · 2025-10-02T14:19:57.000+01:00
diff --git a/.gitleaks.toml b/.gitleaks.toml
@@ -0,0 +1,15 @@
+[extend]
+useDefault = true
+
+[[rules]]
+id = "generic-api-key"
+
+# Pattern-only allowlist for long Ag… tokens in YAML 
+[[rules.allowlists]]
+condition = "AND"
+regexes = [
+  # Boundary-safe Ag… token without lookarounds (RE2-safe)
+  '''(?:^|[^A-Za-z0-9+/=])(Ag[A-Za-z0-9+/]{500,}={0,2})(?:[^A-Za-z0-9+/=]|$)'''
+]
+# Limit to YAML only for now. Comment this out if you want it to apply everywhere.
+paths = ['''(?i).*\.ya?ml$''']
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -30,3 +30,8 @@ repos:
         language: system
         entry: uv sync
         files: ^(uv\.lock|pyproject\.toml)$
+
+  - repo: https://github.com/gitleaks/gitleaks
+    rev: v8.28.0
+    hooks:
+      - id: gitleaks
