Chore: [AEA-0000] - use gitleaks for secret scanning#739
Conversation
Pull request overview
Switches the repo’s local pre-commit secret scanning from git-secrets to gitleaks, aligning developer workflows with the intended secret-scanning tool.
Changes:
- Replaced the local `git-secrets` pre-commit hook with a `gitleaks`-based hook command.
- Removed the `.gitallowed` allowlist file previously used by `git-secrets`.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .pre-commit-config.yaml | Updates the local secret-scanning pre-commit hook to run gitleaks. |
| .gitallowed | Removes the git-secrets allowlist file that is no longer used after switching tools. |
| - -c | ||
| - 'git-secrets --pre_commit_hook' | ||
| - "gitleaks git --pre-commit --redact --staged --verbose" | ||
| language: system |
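Review bot: the `.gitallowed` allowlist removed in this PR has no gitleaks-side replacement in the diff, so any false positives that git-secrets was told to ignore will now be reported by the new hook; consider adding a `.gitleaks.toml` with an `[allowlist]` section (paths or regexes) or `gitleaks:allow` inline comments for those known cases before merging. On the command itself, `--redact` together with `--verbose` is a sensible pairing for a hook: findings and their locations are printed, but the matched secret value is masked, so nothing sensitive ends up in terminal scrollback or CI logs that capture hook output.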
This hook uses language: system with entry: bash -c ... and doesn’t appear to consume the filenames pre-commit will pass by default. Consider setting pass_filenames: false (and, if you want a pinned/managed version, using the official gitleaks pre-commit repo instead of a system dependency) to avoid unnecessary args and potential command-line length issues when many files are staged.
| language: system | |
| language: system | |
| pass_filenames: false |
| description: git-secrets scans commits, commit messages, and --no-ff merges to prevent adding secrets into your git repositories. | ||
| - id: gitleaks | ||
| name: Git Leaks | ||
| description: gitleaks scans commits, commit messages, and --no-ff merges to prevent adding secrets into your git repositories. |
The hook description claims it scans commit messages and --no-ff merges, but this pre-commit hook runs at the pre-commit stage and the configured command appears to only scan staged content. Please update the description to reflect the actual behavior, or add separate hooks/stages (e.g., commit-msg/post-merge) if those checks are intended.
| description: gitleaks scans commits, commit messages, and --no-ff merges to prevent adding secrets into your git repositories. | |
| description: gitleaks scans staged changes during pre-commit to help prevent adding secrets to the repository. |
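For reference, here is a complete `.pre-commit-config.yaml` that applies both review points above (a pinned, managed hook and a local hook with `pass_filenames: false`). This is an added example, not the PR's own file; the `rev` value is a placeholder to be replaced with a release tag you have verified, and the hook id `gitleaks-local` is a name chosen for this example.

```yaml
# .pre-commit-config.yaml (added example; not the file from this PR)
repos:
  # Option A: managed hook from the gitleaks project, pinned to a release tag.
  # pre-commit installs the pinned binary, so the result does not depend on
  # whatever gitleaks version happens to be on a developer's PATH.
  - repo: https://github.com/gitleaks/gitleaks
    rev: vX.Y.Z  # placeholder: pin to a verified release tag
    hooks:
      - id: gitleaks

  # Option B: local hook against a gitleaks binary already on PATH
  # (the approach this PR takes). pass_filenames is disabled because
  # `bash -c "<cmd>"` ignores the staged filenames pre-commit would append,
  # and the command scans staged content itself.
  - repo: local
    hooks:
      - id: gitleaks-local  # example id, not from the PR
        name: gitleaks (staged changes)
        description: gitleaks scans staged changes during pre-commit to help prevent adding secrets to the repository.
        entry: bash
        args:
          - -c
          - "gitleaks git --pre-commit --redact --staged --verbose"
        language: system
        pass_filenames: false
```

Keep only one of the two repos in a real config; with both present, every commit is scanned twice. Patterns previously listed in `.gitallowed` belong in a `.gitleaks.toml` `[allowlist]` (by path or regex) at the repository root, which gitleaks picks up automatically.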
use gitleaks for secret scanning