diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 4afd476..fdddd9f 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -16,6 +16,20 @@ permissions:
   id-token: write
 
 jobs:
+  gitleaks:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          fetch-depth: 0
+
+      - name: Setup Nix
+        uses: ./.github/actions/setup-nix
+
+      - name: Run Gitleaks
+        run: nix develop --command just gitleaks
+
   typos:
     runs-on: ubuntu-latest
     steps:
diff --git a/.gitleaks.toml b/.gitleaks.toml
new file mode 100644
index 0000000..d0fae37
--- /dev/null
+++ b/.gitleaks.toml
@@ -0,0 +1,13 @@
+# Gitleaks configuration
+# https://github.com/gitleaks/gitleaks
+
+[extend]
+useDefault = true
+
+[allowlist]
+description = "Global allowlist"
+paths = [
+  '''\.lock$''',
+  '''\.snap$''',
+  '''uv\.lock$''',
+]
diff --git a/flake.nix b/flake.nix
index 1dd048e..7121453 100644
--- a/flake.nix
+++ b/flake.nix
@@ -62,6 +62,13 @@
       pre-commit = {
         check.enable = false; # Skip check in flake (mypy needs Python env)
         settings.hooks = {
+          gitleaks = {
+            enable = true;
+            name = "gitleaks";
+            entry = "${pkgs.gitleaks}/bin/gitleaks protect --staged --config .gitleaks.toml";
+            language = "system";
+            pass_filenames = false;
+          };
           treefmt = {
             enable = true;
             package = config.treefmt.build.wrapper;
@@ -85,6 +92,9 @@
           typos
           typos-lsp
           basedpyright
+
+          # security
+          gitleaks
         ];
 
         shellHook = ''
diff --git a/justfile b/justfile
index 7edeaae..a789035 100644
--- a/justfile
+++ b/justfile
@@ -34,6 +34,10 @@ mypy:
 typos:
     typos --config typos.toml .
 
+# Run gitleaks secret detection
+gitleaks:
+    gitleaks detect --source . --config .gitleaks.toml
+
 # Fix typos
 typos-fix:
     typos --config typos.toml --write-changes .
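Review bot: The new `gitleaks:` job declares no job-level `permissions:`, so it inherits the workflow-level grant that includes `id-token: write` (visible in the context lines at the top of the hunk), which a read-only secret scan does not need. Adding `permissions:` with `contents: read` directly under `gitleaks:` keeps the job at least privilege without affecting the checkout or the scan. The `fetch-depth: 0` on the pinned checkout is the right choice here, since the recipe it ends up calling scans git history rather than only the working tree. Whether the sibling jobs already narrow their permissions cannot be confirmed from this hunk.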
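Review bot: The `'''uv\.lock$'''` entry in `paths` is already matched by `'''\.lock$'''` two lines above it, so it can be dropped without changing what is excluded. Excluding `'''\.snap$'''` means anything that lands in a snapshot fixture is never reported, so a short comment above `paths = [` recording the rationale would help the next reader, e.g. `# Generated lockfiles and snapshot fixtures are skipped; review before widening this list.` Recent gitleaks releases appear to have moved the global allowlist from `[allowlist]` to `[[allowlists]]`, so this key is worth confirming against the version the flake actually pins.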
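Review bot: The hook's `entry` uses `gitleaks protect --staged`, a subcommand that recent gitleaks releases mark as deprecated in favour of `gitleaks git --pre-commit --staged`; since `${pkgs.gitleaks}` resolves to whatever nixpkgs currently pins, it is worth checking which form that version still accepts before the hook silently stops working. This hook only scans staged changes, while the justfile recipe in the same commit runs a full-history `detect`, so a one-line comment above `gitleaks = {` such as `# Fast local gate on staged changes only; CI runs the full-history scan.` would stop readers from expecting the hook to catch already-committed material. The enclosing `settings.hooks` attribute set continues outside the hunk.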
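Review bot: `gitleaks detect` prints the matched secret value in each finding by default, and this recipe is what the CI job invokes, so a genuine leak would be echoed into the Actions log in plain text; appending `--redact` masks the value while the run still fails, i.e. `gitleaks detect --source . --config .gitleaks.toml --redact`. The `--source .` scan depends on git history being present, which is consistent with the `fetch-depth: 0` checkout in the workflow hunk of this commit.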