feat(security): add pre-commit hooks for secret detection (#50)

XiaoBoAI · web-flow · commit 582e28c692cd · 2026-01-09T14:26:38.000+08:00
* feat(security): add pre-commit hooks for secret detection

- Add gitleaks for hardcoded secrets detection
- Add detect-aws-credentials hook
- Add .gitleaks.toml for custom rules (AI/LLM API keys)

* fix(security): remove custom rules that override gitleaks defaults

- Remove openai-api-key, openai-project-key, anthropic-api-key rules
  (conflict with more accurate default gitleaks rules)
- Remove alibaba-cloud and huggingface rules (already in defaults)
- Keep only dashscope-api-key (Qwen specific, not in defaults)
diff --git a/.gitleaks.toml b/.gitleaks.toml
@@ -0,0 +1,40 @@
+# Gitleaks configuration for OpenJudge
+# This file configures secret detection rules
+
+title = "OpenJudge Gitleaks Config"
+
+[extend]
+# Extend the default gitleaks config
+useDefault = true
+
+# Allowed patterns (false positives)
+[allowlist]
+description = "Allowlist for false positives"
+
+# Exclude test files that may contain dummy secrets
+paths = [
+    '''site/.*''',
+    '''docs/.*\.html''',
+]
+
+# Exclude common false positive patterns
+regexes = [
+    # Example API key placeholders
+    '''sk-[A-Za-z0-9]{3}\.{3}[A-Za-z0-9]{3}''',
+    # Placeholder patterns
+    '''your[-_]?api[-_]?key''',
+    '''<YOUR[-_]?API[-_]?KEY>''',
+    '''REPLACE[-_]?WITH[-_]?YOUR[-_]?KEY''',
+    # Example/dummy patterns
+    '''example[-_]?key''',
+    '''dummy[-_]?key''',
+    '''test[-_]?key''',
+    '''fake[-_]?key''',
+]
+
+# Custom rule for Dashscope (Qwen) API keys (not in default gitleaks config)
+[[rules]]
+id = "dashscope-api-key"
+description = "Dashscope (Qwen) API Key"
+regex = '''(?i)(?:dashscope|qwen)[-_]?(?:api)?[-_]?key\s*[=:]\s*['"]?([a-zA-Z0-9-_]{20,})['"]?'''
+keywords = ["dashscope", "qwen"]
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,4 +1,9 @@
 repos:
+  # Detect secrets and prevent committing sensitive data
+  - repo: https://github.com/gitleaks/gitleaks
+    rev: v8.18.4
+    hooks:
+      - id: gitleaks
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v6.0.0
     hooks:
@@ -8,6 +13,8 @@ repos:
       - id: check-toml
       - id: check-json
       - id: detect-private-key
+      - id: detect-aws-credentials
+        args: ['--allow-missing-credentials']
       - id: trailing-whitespace
   - repo: https://github.com/PyCQA/autoflake
     rev: v2.2.1
