feat: add gitleaks secret scanning to quality rails (#5)

tools/quality/templates/.gitleaks.toml

@@ -0,0 +1,162 @@
+# Mosaic Quality Rails — gitleaks configuration
+# Shared across all project templates. Copied to project root by install.sh.
+# Built-in rules: https://github.com/gitleaks/gitleaks/tree/master/config
+# This file adds custom rules for patterns the 150+ built-in rules miss.
+
+title = "Mosaic gitleaks config"
+
+[allowlist]
+  description = "Global allowlist — skip files that never contain real secrets"
+  paths = [
+    '''node_modules/''',
+    '''dist/''',
+    '''build/''',
+    '''\.next/''',
+    '''\.nuxt/''',
+    '''\.output/''',
+    '''coverage/''',
+    '''__pycache__/''',
+    '''\.venv/''',
+    '''vendor/''',
+    '''pnpm-lock\.yaml$''',
+    '''package-lock\.json$''',
+    '''yarn\.lock$''',
+    '''\.lock$''',
+    '''\.snap$''',
+    '''\.min\.js$''',
+    '''\.min\.css$''',
+    '''\.gitleaks\.toml$''',
+  ]
+  stopwords = [
+    "localhost",
+    "127.0.0.1",
+    "changeme",
+    "placeholder",
+    "example",
+    "example.com",
+    "test",
+    "dummy",
+    "fake",
+    "sample",
+    "your-",
+    "xxx",
+    "CHANGEME",
+    "PLACEHOLDER",
+    "TODO",
+    "REPLACE_ME",
+  ]
+
+# ──────────────────────────────────────────────
+# Custom rules — patterns the built-in rules miss
+# ──────────────────────────────────────────────
+
+[[rules]]
+  id = "database-url-with-credentials"
+  description = "Database connection URL with embedded password"
+  regex = '''(?i)(?:postgres(?:ql)?|mysql|mariadb|mongodb(?:\+srv)?|redis|amqp)://[^:\s]+:[^@\s]+@[^/\s]+'''
+  tags = ["database", "connection-string"]
+  [rules.allowlist]
+    stopwords = ["localhost", "127.0.0.1", "changeme", "password", "example", "test_", "placeholder"]
+
+[[rules]]
+  id = "alembic-ini-sqlalchemy-url"
+  description = "SQLAlchemy URL in alembic.ini with credentials"
+  regex = '''sqlalchemy\.url\s*=\s*\S+://[^:\s]+:[^@\s]+@\S+'''
+  paths = ['''alembic\.ini$''', '''\.ini$''']
+  tags = ["python", "alembic", "database"]
+  [rules.allowlist]
+    stopwords = ["localhost", "127.0.0.1", "changeme", "driver://user:pass"]
+
+[[rules]]
+  id = "dotenv-secret-value"
+  description = "High-entropy secret value in .env file"
+  regex = '''(?i)(?:SECRET|TOKEN|PASSWORD|KEY|CREDENTIALS|AUTH)[\w]*\s*=\s*['"]?[A-Za-z0-9/+=]{20,}['"]?\s*$'''
+  paths = ['''\.env$''', '''\.env\.\w+$''']
+  tags = ["dotenv", "secret"]
+  [rules.allowlist]
+    stopwords = ["changeme", "placeholder", "example", "your_", "REPLACE", "TODO"]
+
+[[rules]]
+  id = "jdbc-url-with-password"
+  description = "JDBC connection string with embedded password"
+  regex = '''jdbc:[a-z]+://[^;\s]+password=[^;\s&]+'''
+  tags = ["java", "jdbc", "database"]
+  [rules.allowlist]
+    stopwords = ["changeme", "placeholder", "example"]
+
+[[rules]]
+  id = "dsn-inline-password"
+  description = "DSN-style connection string with inline password"
+  regex = '''(?i)(?:dsn|connection_string|conn_str)\s*[:=]\s*\S+://[^:\s]+:[^@\s]+@\S+'''
+  tags = ["database", "connection-string"]
+  [rules.allowlist]
+    stopwords = ["localhost", "127.0.0.1", "changeme", "example"]
+
+[[rules]]
+  id = "hardcoded-password-variable"
+  description = "Hardcoded password assignment in source code"
+  regex = '''(?i)(?:password|passwd|pwd)\s*[:=]\s*['"][^'"]{8,}['"]'''
+  tags = ["password", "hardcoded"]
+  [rules.allowlist]
+    stopwords = ["changeme", "placeholder", "example", "test", "dummy", "password123", "your_password"]
+    paths = [
+      '''test[s]?/''',
+      '''spec[s]?/''',
+      '''__test__/''',
+      '''fixture[s]?/''',
+      '''mock[s]?/''',
+    ]
+
+[[rules]]
+  id = "bearer-token-in-code"
+  description = "Hardcoded bearer token in source code"
+  regex = '''(?i)['"]Bearer\s+[A-Za-z0-9\-._~+/]+=*['"]'''
+  tags = ["auth", "bearer", "token"]
+  [rules.allowlist]
+    stopwords = ["example", "test", "dummy", "placeholder", "fake"]
+
+[[rules]]
+  id = "spring-application-properties-password"
+  description = "Password in Spring Boot application properties"
+  regex = '''(?i)spring\.\w+\.password\s*=\s*\S+'''
+  paths = ['''application\.properties$''', '''application\.yml$''', '''application-\w+\.properties$''', '''application-\w+\.yml$''']
+  tags = ["java", "spring", "password"]
+  [rules.allowlist]
+    stopwords = ["changeme", "placeholder", "${"]
+
+[[rules]]
+  id = "docker-compose-env-secret"
+  description = "Hardcoded secret in docker-compose environment"
+  regex = '''(?i)(?:POSTGRES_PASSWORD|MYSQL_ROOT_PASSWORD|MYSQL_PASSWORD|REDIS_PASSWORD|RABBITMQ_DEFAULT_PASS|MONGO_INITDB_ROOT_PASSWORD)\s*[:=]\s*['"]?[^\s'"$]{8,}['"]?'''
+  paths = ['''compose\.ya?ml$''', '''docker-compose\.ya?ml$''']
+  tags = ["docker", "compose", "secret"]
+  [rules.allowlist]
+    stopwords = ["changeme", "placeholder", "example", "${"]
+
+[[rules]]
+  id = "terraform-variable-secret"
+  description = "Sensitive default value in Terraform variable"
+  regex = '''(?i)default\s*=\s*"[^"]{8,}"'''
+  paths = ['''variables\.tf$''', '''\.tf$''']
+  tags = ["terraform", "secret"]
+  [rules.allowlist]
+    stopwords = ["changeme", "placeholder", "example", "TODO"]
+
+[[rules]]
+  id = "private-key-pem-inline"
+  description = "PEM-encoded private key in source"
+  regex = '''-----BEGIN\s+(?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----'''
+  tags = ["key", "pem", "private-key"]
+
+[[rules]]
+  id = "base64-encoded-secret"
+  description = "Base64 value assigned to secret-named variable"
+  regex = '''(?i)(?:secret|token|key|password|credentials)[\w]*\s*[:=]\s*['"]?[A-Za-z0-9+/]{40,}={0,2}['"]?'''
+  tags = ["base64", "encoded", "secret"]
+  [rules.allowlist]
+    stopwords = ["changeme", "placeholder", "example", "test"]
+    paths = [
+      '''test[s]?/''',
+      '''spec[s]?/''',
+      '''fixture[s]?/''',
+    ]

tools/quality/templates/monorepo/.husky/pre-commit

@@ -1,2 +1,15 @@
 npx lint-staged
-npx git-secrets --scan || echo "Warning: git-secrets not installed"
+
+# Secret scanning — gitleaks is REQUIRED (not optional like git-secrets was)
+if ! command -v gitleaks &>/dev/null; then
+  echo ""
+  echo "ERROR: gitleaks is not installed. Secret scanning is required."
+  echo ""
+  echo "Install:"
+  echo "  Linux:   curl -sSfL https://github.com/gitleaks/gitleaks/releases/latest/download/gitleaks_8.24.0_linux_x64.tar.gz | sudo tar -xz -C /usr/local/bin gitleaks"
+  echo "  macOS:   brew install gitleaks"
+  echo "  Windows: winget install gitleaks"
+  echo ""
+  exit 1
+fi
+gitleaks git --pre-commit --redact --staged --verbose

tools/quality/templates/monorepo/.woodpecker.yml

@@ -4,11 +4,19 @@ when:
 
 variables:
   - &node_image "node:20-alpine"
+  - &gitleaks_image "ghcr.io/gitleaks/gitleaks:v8.24.0"
   - &install_deps |
       corepack enable
       npm ci --ignore-scripts
 
 steps:
+  # Secret scanning (runs in parallel with install, no deps)
+  secret-scan:
+    image: *gitleaks_image
+    commands:
+      - gitleaks git --redact --verbose --log-opts="HEAD~1..HEAD"
+    depends_on: []
+
   install:
     image: *node_image
     commands:
@@ -65,3 +73,4 @@ steps:
       - typecheck
       - test
       - security-audit
+      - secret-scan

tools/quality/templates/typescript-nextjs/.husky/pre-commit

@@ -1,2 +1,15 @@
 npx lint-staged
-npx git-secrets --scan || echo "Warning: git-secrets not installed"
+
+# Secret scanning — gitleaks is REQUIRED (not optional like git-secrets was)
+if ! command -v gitleaks &>/dev/null; then
+  echo ""
+  echo "ERROR: gitleaks is not installed. Secret scanning is required."
+  echo ""
+  echo "Install:"
+  echo "  Linux:   curl -sSfL https://github.com/gitleaks/gitleaks/releases/latest/download/gitleaks_8.24.0_linux_x64.tar.gz | sudo tar -xz -C /usr/local/bin gitleaks"
+  echo "  macOS:   brew install gitleaks"
+  echo "  Windows: winget install gitleaks"
+  echo ""
+  exit 1
+fi
+gitleaks git --pre-commit --redact --staged --verbose

tools/quality/templates/typescript-nextjs/.woodpecker.yml

@@ -4,11 +4,19 @@ when:
 
 variables:
   - &node_image "node:20-alpine"
+  - &gitleaks_image "ghcr.io/gitleaks/gitleaks:v8.24.0"
   - &install_deps |
       corepack enable
       npm ci --ignore-scripts
 
 steps:
+  # Secret scanning (runs in parallel with install, no deps)
+  secret-scan:
+    image: *gitleaks_image
+    commands:
+      - gitleaks git --redact --verbose --log-opts="HEAD~1..HEAD"
+    depends_on: []
+
   install:
     image: *node_image
     commands:
@@ -65,3 +73,4 @@ steps:
       - typecheck
       - test
       - security-audit
+      - secret-scan

tools/quality/templates/typescript-node/.husky/pre-commit

@@ -1,2 +1,15 @@
 npx lint-staged
-npx git-secrets --scan || echo "Warning: git-secrets not installed"
+
+# Secret scanning — gitleaks is REQUIRED (not optional like git-secrets was)
+if ! command -v gitleaks &>/dev/null; then
+  echo ""
+  echo "ERROR: gitleaks is not installed. Secret scanning is required."
+  echo ""
+  echo "Install:"
+  echo "  Linux:   curl -sSfL https://github.com/gitleaks/gitleaks/releases/latest/download/gitleaks_8.24.0_linux_x64.tar.gz | sudo tar -xz -C /usr/local/bin gitleaks"
+  echo "  macOS:   brew install gitleaks"
+  echo "  Windows: winget install gitleaks"
+  echo ""
+  exit 1
+fi
+gitleaks git --pre-commit --redact --staged --verbose

tools/quality/templates/typescript-node/.woodpecker.yml

@@ -6,11 +6,19 @@ when:
 
 variables:
   - &node_image "node:20-alpine"
+  - &gitleaks_image "ghcr.io/gitleaks/gitleaks:v8.24.0"
   - &install_deps |
       corepack enable
       npm ci --ignore-scripts
 
 steps:
+  # Secret scanning (runs in parallel with install, no deps)
+  secret-scan:
+    image: *gitleaks_image
+    commands:
+      - gitleaks git --redact --verbose --log-opts="HEAD~1..HEAD"
+    depends_on: []
+
   # Stage 1: Install
   install:
     image: *node_image
@@ -64,3 +72,4 @@ steps:
       - typecheck
       - test
       - security-audit
+      - secret-scan