.github precommit hook preventing leak of secrets

bindiego · bindiego · commit 03c24de8e914 · 2025-07-22T14:46:26.000+08:00
diff --git a/.github/workflows/secret-detection.yml b/.github/workflows/secret-detection.yml
@@ -0,0 +1,35 @@
+name: Secret Detection
+
+on:
+  push:
+    branches: [ develop, main ]
+  pull_request:
+    branches: [ develop, main ]
+
+jobs:
+  secret-detection:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+
+    - name: Run Gitleaks
+      uses: gitleaks/gitleaks-action@v2
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Check for common secret patterns
+      run: |
+        # Check for common secret file patterns
+        if find . -name "*.key" -o -name "*.pem" -o -name "*.p12" -o -name "*.pfx" -o -name "*.jks" -o -name "secret*" -o -name "*secret*" | grep -v ".github" | head -1; then
+          echo "Error: Secret files detected!"
+          find . -name "*.key" -o -name "*.pem" -o -name "*.p12" -o -name "*.pfx" -o -name "*.jks" -o -name "secret*" -o -name "*secret*" | grep -v ".github"
+          exit 1
+        fi
+        
+        # Check for hardcoded secrets in files
+        if grep -r -E "(password|pwd|secret|key|token|api_key|apikey|access_key)" --include="*.py" --include="*.js" --include="*.ts" --include="*.yaml" --include="*.yml" --include="*.json" --exclude-dir=".github" --exclude-dir=".git" . | grep -v -E "(#|//|\*)" | head -1; then
+          echo "Warning: Potential hardcoded secrets found. Please review:"
+          grep -r -E "(password|pwd|secret|key|token|api_key|apikey|access_key)" --include="*.py" --include="*.js" --include="*.ts" --include="*.yaml" --include="*.yml" --include="*.json" --exclude-dir=".github" --exclude-dir=".git" . | grep -v -E "(#|//|\*)" || true
+        fi
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -0,0 +1,21 @@
+repos:
+-   repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.6.0
+    hooks:
+    -   id: check-added-large-files
+    -   id: detect-private-key
+    -   id: check-yaml
+    -   id: check-json
+    -   id: check-merge-conflict
+    -   id: trailing-whitespace
+    -   id: end-of-file-fixer
+-   repo: https://github.com/Yelp/detect-secrets
+    rev: v1.5.0
+    hooks:
+    -   id: detect-secrets
+        args: ['--baseline', '.secrets.baseline']
+        exclude: package.lock.json
+-   repo: https://github.com/zricethezav/gitleaks
+    rev: v8.18.4
+    hooks:
+    -   id: gitleaks
