Skip to content

feat(security): add gitleaks for secret detection #259

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
ryoppippi merged 2 commits into from
Dec 22, 2025
Merged

feat(security): add gitleaks for secret detection #259

ryoppippi merged 2 commits into from
Dec 22, 2025

Conversation

@ryoppippi
Copy link
Member

@ryoppippi ryoppippi commented Dec 21, 2025
edited by cubic-dev-ai bot
Loading

Summary

  • Add gitleaks to detect and prevent secrets from being committed
  • Replaces secretlint with a more widely adopted solution

What Changed

  • Add .gitleaks.toml configuration with default rules
  • Add gitleaks to pre-commit hook via lefthook (runs first in pipeline)
  • Add gitleaks job to CI workflow using gitleaks-action
  • Add gitleaks to nix flake for local development

Summary by cubic

Add Gitleaks for secret detection across pre-commit, CI, and local dev to prevent secrets from being committed. Replaces secretlint with a more widely adopted tool.

  • New Features
    • Added .gitleaks.toml with default rules and allowlist for common lock files.
    • Pre-commit: runs gitleaks protect via Lefthook as the first job.
    • CI: added a gitleaks job that runs via Nix using .gitleaks.toml.
    • Nix flake: included gitleaks for local development.

Written for commit 71d21cb. Summary will update automatically on new commits.

Copilot AI review requested due to automatic review settings December 21, 2025 15:11
@ryoppippi ryoppippi requested a review from a team as a code owner December 21, 2025 15:11
@pkg-pr-new
Copy link

pkg-pr-new bot commented Dec 21, 2025
edited
Loading

Open in StackBlitz

npm i https://pkg.pr.new/StackOneHQ/stackone-ai-node/@stackone/ai@259

commit: 71d21cb

cubic-dev-ai[bot]
cubic-dev-ai bot reviewed Dec 21, 2025
View reviewed changes
Copy link
Contributor

@cubic-dev-ai cubic-dev-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 4 files

@ryoppippi
feat(security): add gitleaks for secret detection
31ebbd3 
Integrate gitleaks to detect and prevent secrets from being committed:

- Add .gitleaks.toml configuration with default rules
- Add gitleaks to pre-commit hook via lefthook (runs first in pipeline)
- Add gitleaks job to CI workflow using gitleaks-action
- Add gitleaks to nix flake for local development

This replaces secretlint with a more widely adopted solution that
provides comprehensive detection of API keys, tokens, and credentials.
Copilot AI reviewed Dec 21, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR integrates gitleaks as a secret detection tool to prevent sensitive information from being committed to the repository. It replaces the previous secretlint solution with gitleaks, which is more widely adopted in the industry.

Key Changes:

  • Configured gitleaks with default rules and file allowlists for lock files and snapshots
  • Added gitleaks as the first job in the pre-commit hook pipeline via lefthook
  • Integrated gitleaks scanning into the CI workflow as a dedicated job

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

File Description
.gitleaks.toml New configuration file with default rules enabled and allowlist for lock files and snapshots
lefthook.yaml Added gitleaks as the first pre-commit job to scan staged files before other checks
flake.nix Added gitleaks package to the Nix development environment for local tooling
.github/workflows/ci.yaml Added gitleaks job with full repository history scanning using the official gitleaks-action

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

.gitleaks.toml Outdated
Comment on lines 12 to 14
'''go\.sum$''',
'''pnpm-lock\.yaml$''',
]
Copy link

Copilot AI Dec 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The allowlist includes 'go.sum' but this appears to be a Node.js/TypeScript project with no Go files. While this doesn't cause any issues, it's unnecessary and could be removed to keep the configuration focused on the actual project structure.

Suggested change
'''go\.sum$''',
'''pnpm-lock\.yaml$''',
]
'''pnpm-lock\.yaml$''',
]

Copilot uses AI. Check for mistakes.
glebedel
glebedel approved these changes Dec 22, 2025
View reviewed changes
Copy link
Contributor

@glebedel glebedel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@ryoppippi ryoppippi merged commit 4c89e91 into main Dec 22, 2025
20 checks passed
@ryoppippi ryoppippi deleted the feat/add-gitleaks branch December 22, 2025 10:17
@github-actions github-actions bot mentioned this pull request Dec 22, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@cubic-dev-ai cubic-dev-ai[bot] cubic-dev-ai[bot] left review comments

@glebedel glebedel glebedel approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ryoppippi @glebedel