mosaic/bootstrap
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: add gitleaks secret scanning to quality rails

Browse Source 
Replace non-blocking git-secrets with mandatory gitleaks scanning:
- Pre-commit: blocks commit if gitleaks not installed or secrets found
- CI: pinned gitleaks Docker image scans each commit in Woodpecker
- Shared .gitleaks.toml with 12 custom rules for database URLs,
  alembic.ini, bearer tokens, PEM keys, docker-compose secrets, etc.
- Stopwords suppress localhost/changeme/placeholder false positives
- Install/verify scripts updated for gitleaks (no longer optional)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Jason Woltje
2026-02-24 14:45:24 -06:00
parent 8de2f7439a
commit f537f1ca7f
11 changed files with 306 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
tools/quality/scripts/verify.sh
View File

@@ -40,23 +40,35 @@ fi
git reset HEAD test-file.ts 2>/dev/null
rm test-file.ts 2>/dev/null
# Test 3: Hardcoded secret blocked (if git-secrets installed)
# Test 3a: gitleaks binary must be present
echo ""
echo "Test 3: Hardcoded secrets should be blocked..."
if command -v git-secrets &> /dev/null; then
echo "const password = 'SuperSecret123!';" > test-file.ts
git add test-file.ts 2>/dev/null
if git commit -m "Test commit" 2>&1 | grep -q -i "secret\|password"; then
echo "✅ PASS: Secrets blocked"
((PASSED++))
else
echo "⚠ WARN: Secrets NOT blocked (git-secrets may need configuration)"
((FAILED++))
fi
git reset HEAD test-file.ts 2>/dev/null
rm test-file.ts 2>/dev/null
echo "Test 3a: gitleaks must be installed..."
if command -v gitleaks &> /dev/null; then
echo "✅ PASS: gitleaks found ($(gitleaks version 2>/dev/null || echo 'unknown version'))"
PASSED=$((PASSED + 1))
else
echo "⚠ SKIP: git-secrets not installed"
echo "❌ FAIL: gitleaks is NOT installed — secret scanning will not work"
echo " Install: https://github.com/gitleaks/gitleaks#installing"
FAILED=$((FAILED + 1))
fi
# Test 3b: gitleaks detects a planted AWS key
echo ""
echo "Test 3b: gitleaks should detect planted AWS key..."
if command -v gitleaks &> /dev/null; then
echo 'aws_access_key_id = AKIAIOSFODNN7REALKEY' > gitleaks-test-secret.txt
git add gitleaks-test-secret.txt 2>/dev/null
if gitleaks git --pre-commit --staged --redact 2>&1 | grep -q -i "leak\|finding"; then
echo "✅ PASS: gitleaks detected planted secret"
PASSED=$((PASSED + 1))
else
echo "❌ FAIL: gitleaks did NOT detect planted secret"
FAILED=$((FAILED + 1))
fi
git reset HEAD gitleaks-test-secret.txt 2>/dev/null
rm gitleaks-test-secret.txt 2>/dev/null
else
echo "⚠ SKIP: gitleaks not installed (Test 3a already failed)"
fi
# Test 4: Lint error blocked