Overview
Added a multi-layered secret detection system to prevent accidental credential commits and keep the repository secure.
Components Implemented
1. Local Pre-commit Hook
- Tool: Gitleaks v8.18.0
- Trigger: Runs on every `git commit`
- Config: `.pre-commit-config.yaml` with auto-installation
- Status: ✅ All tests pass
2. Gitleaks Configuration
- File: `.gitleaks.toml`
- Features:
  - Detects JWTs, API keys, passwords, private keys
  - Allowlist for test/demo tokens in `.smriti/knowledge/` documentation
  - Regex patterns to ignore common test emails (@test.com, @acme.com)
  - Scans full git history
3. GitHub Actions CI Pipeline
- File: `.github/workflows/secret-scan.yml`
- Runs on: Push to main/staging and all PRs
- Tools:
  - Gitleaks (primary detection)
  - detect-secrets (secondary verification)
- Features:
  - Automated scanning on every push
  - Comments on PRs with findings
  - Blocks merges if secrets are detected
4. Additional Hooks
Via pre-commit framework:
- Detect private keys in code
- Check for merge conflicts
- Validate YAML files
- Prevent large file commits (>500KB)
Setup & Usage
Installation
The setup is automatic when developers clone the repo:

```shell
pre-commit install   # hooks then auto-run on the first commit
```
Manual Scanning

```shell
# Scan the working tree only (no git history)
gitleaks detect --source . -c .gitleaks.toml --no-git

# Scan the full git history (the default for `detect`), with per-finding output
gitleaks detect --source . -c .gitleaks.toml --verbose

# Run all pre-commit hooks against every tracked file
pre-commit run --all-files
```
Configuration Details
`.gitleaks.toml`
- Paths allowlist: Excludes `.smriti/knowledge/` and `test/` directories
- Regex allowlist: Ignores test email patterns
- Entropy detection: Enabled for high-entropy strings
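As an added example (not the repository's actual `.gitleaks.toml`), the configuration below implements the three items above using the Gitleaks v8 config schema; the rule id, entropy threshold and the exact allowlist patterns are assumptions, and the paths are anchored so an allowlist for `test/` cannot also silence findings elsewhere:

```toml
# .gitleaks.toml (added example; assumed layout, not the repository's own file)
title = "repository secret scanning"

# Keep the built-in Gitleaks rules (JWTs, cloud API keys, private keys, ...)
# and layer project-specific rules and allowlists on top of them.
[extend]
useDefault = true

# Entropy-gated catch-all for assignments such as PASSWORD = "..." that no
# vendor-specific rule matches. secretGroup selects the capture group whose
# Shannon entropy is measured; 3.5 bits/char is an assumed starting threshold.
[[rules]]
id = "generic-secret-assignment"
description = "High-entropy value assigned to a password/secret/token variable"
regex = '''(?i)(?:password|passwd|secret|token)\s*[:=]\s*['"]([A-Za-z0-9+/=_\-]{16,})['"]'''
secretGroup = 1
entropy = 3.5
keywords = ["password", "passwd", "secret", "token"]

# Global allowlist. Paths and regexes are Go (RE2) regular expressions, so
# anchor them: an unanchored 'test/' would also match 'src/latest/config.py'.
[allowlist]
description = "Documented demo tokens and test fixtures"
paths = [
  '''^\.smriti/knowledge/.*''',
  '''^test/.*''',
]
# Compare the regexes against the whole line rather than only the matched
# secret, so any finding on a line that uses a test-domain email is ignored.
regexTarget = "line"
regexes = [
  '''[A-Za-z0-9._%+-]+@(?:test|acme)\.com''',
]
```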
Pre-commit Stages
- Default: Runs on every commit (blocks secrets before they can be pushed)
- CI: GitHub Actions validate on push and PRs
Testing
✅ All hooks validated:
- Gitleaks: PASSED
- Detect private key: PASSED
- Merge conflict detection: PASSED
- YAML validation: PASSED
- File size limits: PASSED
- Trailing whitespace: PASSED
Baseline established for knowledge base files containing test tokens.
Security Benefits
- Prevention: Stops secrets from entering git history
- Detection: Multi-tool approach catches edge cases
- Automation: No manual intervention required
- CI/CD Integration: Repository-wide enforcement
- Documentation: Clear ignoring patterns for legitimate test data
Future Enhancements
Related
Implements response to security alert about exposed credentials. Prevents similar incidents through automated scanning.