feat: add gitleaks secret scanning to quality rails (#5)

2026-02-24 20:46:50 +00:00
parent 8de2f7439a
commit 38223c8ec2
11 changed files with 306 additions and 20 deletions
--- a/tools/quality/scripts/verify.ps1
+++ b/tools/quality/scripts/verify.ps1
@@ -39,6 +39,40 @@ if ($output -match "no-explicit-any") {
 git reset HEAD test-file.ts 2>$null
 Remove-Item test-file.ts -ErrorAction SilentlyContinue

+# Test 3a: gitleaks binary must be present
+Write-Host ""
+Write-Host "Test 3a: gitleaks must be installed..."
+$gitleaksPath = Get-Command gitleaks -ErrorAction SilentlyContinue
+if ($gitleaksPath) {
+    $gitleaksVer = & gitleaks version 2>&1 | Out-String
+    Write-Host "✅ PASS: gitleaks found ($($gitleaksVer.Trim()))" -ForegroundColor Green
+    $Passed++
+} else {
+    Write-Host "❌ FAIL: gitleaks is NOT installed — secret scanning will not work" -ForegroundColor Red
+    Write-Host "  Install: winget install gitleaks"
+    $Failed++
+}
+
+# Test 3b: gitleaks detects a planted AWS key
+Write-Host ""
+Write-Host "Test 3b: gitleaks should detect planted AWS key..."
+if ($gitleaksPath) {
+    "aws_access_key_id = AKIAIOSFODNN7REALKEY" | Out-File -FilePath gitleaks-test-secret.txt -Encoding utf8
+    git add gitleaks-test-secret.txt 2>$null
+    $output = & gitleaks git --pre-commit --staged --redact 2>&1 | Out-String
+    if ($output -match "leak|finding") {
+        Write-Host "✅ PASS: gitleaks detected planted secret" -ForegroundColor Green
+        $Passed++
+    } else {
+        Write-Host "❌ FAIL: gitleaks did NOT detect planted secret" -ForegroundColor Red
+        $Failed++
+    }
+    git reset HEAD gitleaks-test-secret.txt 2>$null
+    Remove-Item gitleaks-test-secret.txt -ErrorAction SilentlyContinue
+} else {
+    Write-Host "⚠ SKIP: gitleaks not installed (Test 3a already failed)"
+}
+
 # Summary
 Write-Host ""
 Write-Host "═══════════════════════════════════════════"