
chore: add Gitleaks secret detection to pre-commit#2613

Merged
lpichler merged 4 commits into RedHatInsights:master from lpichler:chore/add-gitleaks
Apr 20, 2026

Conversation

@lpichler
Contributor

@lpichler lpichler commented Mar 18, 2026

Link(s) to Jira

  • N/A

Description of Intent of Change(s)

What

Adds Gitleaks secret detection as a pre-commit hook, along with developer setup documentation.

Why

Hardcoded secrets (API keys, passwords, tokens) in git history are a significant security risk. Once committed, removing them requires rewriting git history. Gitleaks scans staged changes before each commit and blocks the commit if a secret is detected.

How

  • Added gitleaks hook to .pre-commit-config.yaml (v8.30.1)
  • Added docs/pre-commit-setup.md with:
    • Installation and setup instructions
    • Warning about what happens if pre-commit is not installed locally
    • How to verify Gitleaks ran (look for "Detect hardcoded secrets" in commit output)
    • Note that the existing CI pipeline (.github/workflows/pre-commit.yml) acts as a safety net

Local Testing

  1. Install pre-commit: pip install pre-commit
  2. Install hooks: pre-commit install
  3. Run manually: pre-commit run gitleaks --all-files
  4. Verify it appears as "Detect hardcoded secrets" in commit output

Checklist

  • if API spec changes are required, is the spec updated?
  • are there any pre/post merge actions required? if so, document here.
  • are these changes covered by unit tests?
  • if warranted, are documentation changes accounted for?
  • does this require migration changes?
    • if yes, are they backwards compatible?
  • is there known, direct impact to dependent teams/components?
    • if yes, how will this be handled?

No API spec, migration, or test changes needed — this is a tooling configuration change only.

Secure Coding Practices Checklist Link

Secure Coding Practices Checklist

  • Input Validation
  • Output Encoding
  • Authentication and Password Management
  • Session Management
  • Access Control
  • Cryptographic Practices
  • Error Handling and Logging
  • Data Protection
  • Communication Security
  • System Configuration
  • Database Security
  • File Management
  • Memory Management
  • General Coding Practices
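As an added example (not code from this PR or the project), the following POSIX shell functions check the three things the new docs ask a developer to verify: the gitleaks hook is present in `.pre-commit-config.yaml`, `pre-commit install` has actually written the git hook (otherwise the config is inert and only CI catches secrets), and the commit output shows "Detect hardcoded secrets" passing. The hook-file layout, the hook's display name and the sample repository are assumptions or constructed data.

```shell
#!/bin/sh
# Added example, not part of this PR or the project's code: checks that a clone
# meets the conditions the new docs describe for the Gitleaks hook to run at
# commit time. Assumes the standard pre-commit hook file layout and that the
# hook's pre-commit display name is "Detect hardcoded secrets" (per the PR).

# 0 if .pre-commit-config.yaml in $1 references the gitleaks repo and hook id.
gitleaks_configured() {
  cfg="$1/.pre-commit-config.yaml"
  [ -f "$cfg" ] &&
    grep -q 'github.com/gitleaks/gitleaks' "$cfg" &&
    grep -Eq '^[[:space:]]*-[[:space:]]*id:[[:space:]]*gitleaks[[:space:]]*$' "$cfg"
}

# 0 if `pre-commit install` has written its hook script into $1/.git/hooks.
# Without this the config does nothing locally; only the CI workflow remains.
precommit_hook_installed() {
  hook="$1/.git/hooks/pre-commit"
  [ -x "$hook" ] && grep -q 'pre-commit' "$hook"
}

# 0 if captured `git commit` output shows the Gitleaks hook ran and passed;
# pre-commit prints "<hook name>....Passed" (or Failed/Skipped) per hook.
gitleaks_ran_ok() {
  printf '%s\n' "$1" | grep -Eq '^Detect hardcoded secrets\.+Passed$'
}

# Constructed sample repo for a self-contained run (config pinned to v8.30.1,
# the version this PR adds; hook script mimics the header pre-commit writes).
setup_sample_repo() {
  mkdir -p "$1/.git/hooks"
  cat > "$1/.pre-commit-config.yaml" <<'EOF'
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.30.1
    hooks:
      - id: gitleaks
EOF
  printf '#!/usr/bin/env bash\n# File generated by pre-commit: https://pre-commit.com\n' \
    > "$1/.git/hooks/pre-commit"
  chmod +x "$1/.git/hooks/pre-commit"
}

# Self-check on the constructed repo: sh check.sh --demo
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d)
  setup_sample_repo "$d"
  gitleaks_configured "$d" && precommit_hook_installed "$d" &&
    echo "gitleaks hook configured and installed in $d"
fi
```

Point the functions at a real clone instead of the constructed repo to audit a developer machine before its first commit.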

@sourcery-ai
Contributor

sourcery-ai Bot commented Mar 18, 2026

Reviewer's Guide

Adds Gitleaks secret scanning to both local pre-commit hooks and GitHub Actions CI, including configuration, documentation, and minor pre-commit hook version bumps.

Sequence diagram for CI Gitleaks scan on pull request

sequenceDiagram
  actor Developer
  participant GitHub
  participant WorkflowDispatcher as GitHub_Actions_Workflow
  participant Checkout as actions_checkout_v4
  participant Gitleaks as gitleaks_gitleaks_action_v2
  participant GitHistory as Git_history

  Developer->>GitHub: Push branch and open pull request
  GitHub->>WorkflowDispatcher: Trigger gitleaks workflow (on pull_request)
  WorkflowDispatcher->>Checkout: Run with fetch-depth 0
  Checkout->>GitHistory: Fetch full git history
  WorkflowDispatcher->>Gitleaks: Run Gitleaks with GITHUB_TOKEN
  Gitleaks->>GitHistory: Scan repository and history for secrets
  Gitleaks-->>WorkflowDispatcher: Report pass or failures
  WorkflowDispatcher-->>GitHub: Update PR checks status
  GitHub-->>Developer: Display Gitleaks check result on PR

Flow diagram for local pre-commit Gitleaks execution

flowchart TD
  A[Developer stages changes] --> B[Developer runs git commit]
  B --> C[pre-commit framework starts]
  C --> D[Run formatting and lint hooks]
  D --> E[Run Gitleaks hook]
  E --> F{Secrets detected?}
  F -- Yes --> G[Fail commit and show Gitleaks findings]
  G --> H[Developer removes secrets and re-stages changes]
  H --> B
  F -- No --> I[All hooks passed]
  I --> J[Commit succeeds and is recorded in local history]

File-Level Changes

Change: Configure Gitleaks as a local pre-commit hook for secret detection.
  • Added gitleaks repo to pre-commit configuration pinned to v8.30.1.
  • Registered the gitleaks hook so it runs on staged changes during git commit.
  • Kept existing pre-commit hooks and structure intact while inserting the new hook block.
Files: .pre-commit-config.yaml

Change: Introduce Gitleaks scanning in CI via a dedicated GitHub Actions workflow.
  • Created a gitleaks GitHub Actions workflow triggered on pull requests and pushes to main.
  • Configured checkout with fetch-depth: 0 so Gitleaks can scan full git history.
  • Used the official gitleaks/gitleaks-action@v2 with GITHUB_TOKEN supplied from repository secrets.
Files: .github/workflows/gitleaks.yml

Change: Document pre-commit setup and usage, with emphasis on Gitleaks behavior and troubleshooting.
  • Added a pre-commit setup guide covering installation, hook installation, and verification.
  • Documented how to run all hooks and the Gitleaks hook specifically, plus common troubleshooting steps.
  • Explained CI/CD integration of Gitleaks and how it complements local hooks, including behavior differences and limitations.
Files: docs/pre-commit-setup.md

Change: Update existing pre-commit tool versions and keep API spec validation hook configuration in sync.
  • Bumped Black version from 25.11.0 to 26.3.1 in pre-commit config.
  • Bumped django-upgrade from 1.29.1 to 1.30.0 in pre-commit config.
  • Repositioned the openapi-spec-validator hook configuration block without functional changes to its behavior (file patterns and excludes preserved).
Files: .pre-commit-config.yaml

Contributor

@sourcery-ai sourcery-ai Bot left a comment


Hey - I've left some high level feedback:

  • In .pre-commit-config.yaml, the openapi-spec-validator repo now appears indented under the new gitleaks repo (note the - repo line), which will break the YAML structure—move it back to the top-level repos list so it remains a separate repo block.
  • The gitleaks pre-commit hook is currently added with default settings only; consider specifying the command/args (e.g., args: ["protect", "--staged", "--no-git"] and any config path) to ensure it scans only staged changes as intended and behaves consistently with your CI configuration.

@lpichler lpichler force-pushed the chore/add-gitleaks branch from 02e5b17 to 263965e on March 18, 2026 13:58
@lpichler lpichler force-pushed the chore/add-gitleaks branch from 44db4f0 to 1732ef3 on March 18, 2026 20:35
@lpichler lpichler changed the title from "chore: add Gitleaks secret detection to pre-commit and CI" to "chore: add Gitleaks secret detection to pre-commit" on Mar 18, 2026
lpichler and others added 2 commits March 19, 2026 09:09
Add Gitleaks to the pre-commit configuration to automatically scan
staged changes for hardcoded secrets (API keys, passwords, tokens)
before each commit.

This prevents secrets from entering git history, which is critical
because removing them after the fact requires rewriting history.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add documentation covering:
- How to install and configure pre-commit with Gitleaks
- Warning about what happens if pre-commit is not installed
- How to verify Gitleaks is running (look for "Detect hardcoded secrets")
- CI safety net via .github/workflows/pre-commit.yml
- Troubleshooting common issues

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@lpichler lpichler force-pushed the chore/add-gitleaks branch from 1732ef3 to 4c3870d on March 19, 2026 08:10
@lpichler
Contributor Author

/retest

Collaborator

@EvanCasey13 EvanCasey13 left a comment


LGTM!

@lpichler
Contributor Author

/retest

@lpichler lpichler merged commit a8bf57c into RedHatInsights:master Apr 20, 2026
10 checks passed