feat(security): add gitleaks for secret detection (#63)

Integrate gitleaks to detect and prevent secrets from being committed:

- Add .gitleaks.toml configuration with default rules
- Add gitleaks to pre-commit hook via git-hooks.nix
- Add gitleaks job to CI workflow using nix
- Add gitleaks command to justfile
- Add gitleaks to nix flake for local development

Author: ryoppippi

.github/workflows/ci.yaml

@@ -16,6 +16,20 @@ permissions:
   id-token: write
 
 jobs:
+  gitleaks:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          fetch-depth: 0
+
+      - name: Setup Nix
+        uses: ./.github/actions/setup-nix
+
+      - name: Run Gitleaks
+        run: nix develop --command just gitleaks
+
   typos:
     runs-on: ubuntu-latest
     steps:

.gitleaks.toml

@@ -0,0 +1,13 @@
+# Gitleaks configuration
+# https://github.com/gitleaks/gitleaks
+
+[extend]
+useDefault = true
+
+[allowlist]
+description = "Global allowlist"
+paths = [
+    '''\.lock$''',
+    '''\.snap$''',
+    '''uv\.lock$''',
+]

flake.nix

@@ -62,6 +62,13 @@
           pre-commit = {
             check.enable = false; # Skip check in flake (mypy needs Python env)
             settings.hooks = {
+              gitleaks = {
+                enable = true;
+                name = "gitleaks";
+                entry = "${pkgs.gitleaks}/bin/gitleaks protect --staged --config .gitleaks.toml";
+                language = "system";
+                pass_filenames = false;
+              };
               treefmt = {
                 enable = true;
                 package = config.treefmt.build.wrapper;
@@ -85,6 +92,9 @@
               typos
               typos-lsp
               basedpyright
+
+              # security
+              gitleaks
             ];
 
             shellHook = ''

justfile

@@ -34,6 +34,10 @@ mypy:
 typos:
 	typos --config typos.toml .
 
+# Run gitleaks secret detection
+gitleaks:
+	gitleaks detect --source . --config .gitleaks.toml
+
 # Fix typos
 typos-fix:
 	typos --config typos.toml --write-changes .