Replace non-blocking git-secrets with mandatory gitleaks scanning: - Pre-commit: blocks commit if gitleaks not installed or secrets found - CI: pinned gitleaks Docker image scans each commit in Woodpecker - Shared .gitleaks.toml with 12 custom rules for database URLs, alembic.ini, bearer tokens, PEM keys, docker-compose secrets, etc. - Stopwords suppress localhost/changeme/placeholder false positives - Install/verify scripts updated for gitleaks (no longer optional) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
npx lint-staged
|
|
|
|
# Secret scanning — gitleaks is REQUIRED (not optional like git-secrets was)
|
|
if ! command -v gitleaks &>/dev/null; then
|
|
echo ""
|
|
echo "ERROR: gitleaks is not installed. Secret scanning is required."
|
|
echo ""
|
|
echo "Install:"
|
|
echo " Linux: curl -sSfL https://github.com/gitleaks/gitleaks/releases/latest/download/gitleaks_8.24.0_linux_x64.tar.gz | sudo tar -xz -C /usr/local/bin gitleaks"
|
|
echo " macOS: brew install gitleaks"
|
|
echo " Windows: winget install gitleaks"
|
|
echo ""
|
|
exit 1
|
|
fi
|
|
gitleaks git --pre-commit --redact --staged --verbose
|
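Review bot: The presence check `if ! command -v gitleaks &>/dev/null; then` relies on the bash-only `&>` redirection; the hook's interpreter line is above this view, and if it is `#!/bin/sh` (dash parses `&>` as `&` followed by `>/dev/null`) the condition evaluates to false even when gitleaks is absent, so the install message is skipped and the commit is rejected only by a bare "command not found" from the final `gitleaks git` line. The portable form is `if ! command -v gitleaks >/dev/null 2>&1; then`, which behaves the same under bash. Separately, the Linux install hint mixes `releases/latest/download/` with a pinned asset name `gitleaks_8.24.0_linux_x64.tar.gz`; once the latest release moves past 8.24.0 that URL stops resolving, and the message also instructs piping an unverified download into `sudo tar`, so pointing users at the versioned release page (the same version the CI image pins, per the description) and a checksum would keep the instruction accurate and consistent with the rest of this change.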