
Implement comprehensive secret scanning infrastructure #16

@ashu17706

Description

Overview

Added a multi-layered secret detection system that blocks accidental credential commits locally before they enter git history and flags in CI any that get past the local hook.

Components Implemented

1. Local Pre-commit Hook

  • Tool: Gitleaks v8.18.0
  • Trigger: Runs on every git commit
  • Config: .pre-commit-config.yaml with auto-installation
  • Status: ✅ All tests pass

2. Gitleaks Configuration

  • File: .gitleaks.toml
  • Features:
    • Detects JWTs, API keys, passwords, private keys
    • Allowlist for test/demo tokens in .smriti/knowledge/ documentation
    • Regex patterns to ignore common test emails (@test.com, @acme.com)
    • Scans full git history

3. GitHub Actions CI Pipeline

  • File: .github/workflows/secret-scan.yml
  • Runs on: Push to main/staging and all PRs
  • Tools:
    • Gitleaks (primary detection)
    • detect-secrets (secondary verification)
  • Features:
    • Automated scanning on every push
    • Comments on PRs with findings
    • Blocks merges if secrets detected
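An added example of the workflow described above (not the project's own secret-scan.yml); the action versions, the job layout and the assumption that a .secrets.baseline file exists at the repo root are mine:

```yaml
# .github/workflows/secret-scan.yml (added example, not the project's file)
name: secret-scan

on:
  push:
    branches: [main, staging]
  pull_request:

permissions:
  contents: read
  pull-requests: write   # lets the gitleaks action leave a PR comment with findings

jobs:
  gitleaks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history; a shallow clone would scan only the tip commit
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # GITLEAKS_LICENSE is required for organization-owned repos;
          # assumed not needed here (personal repo).

  detect-secrets:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"
      - run: pip install detect-secrets
      # Exits non-zero on any finding not already recorded in the baseline,
      # so a newly introduced secret fails this check.
      - run: detect-secrets-hook --baseline .secrets.baseline $(git ls-files)
```

The job failures only block a merge if branch protection on main and staging lists both checks as required; the workflow alone does not enforce that. The gitleaks action picks up .gitleaks.toml from the repo root, so the same allowlists apply in CI as in the local hook.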

4. Additional Hooks

Via pre-commit framework:

  • Detect private keys in code
  • Check for merge conflicts
  • Validate YAML files
  • Prevent large file commits (>500KB)
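The pre-commit configuration that wires up the hooks from sections 1 and 4, as an added example rather than the project's own .pre-commit-config.yaml; the hook ids come from the two upstream repos, while the pinned rev for pre-commit-hooks is an assumption to check against the tag actually in use:

```yaml
# .pre-commit-config.yaml (added example, not the project's file)
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.18.0
    hooks:
      - id: gitleaks
        # gitleaks loads .gitleaks.toml from the source root when present,
        # so the path and regex allowlists apply to the staged-change scan too.

  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.5.0            # assumed tag
    hooks:
      - id: detect-private-key
      - id: check-merge-conflict
      - id: check-yaml
      - id: check-added-large-files
        args: ["--maxkb=500"]   # matches the >500KB limit above
      - id: trailing-whitespace
```

Pin revs to tags rather than branch names so a compromised or broken upstream commit cannot silently change what runs on every developer's machine; `pre-commit autoupdate` bumps them deliberately.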

Setup & Usage

Installation

Each developer runs this once after cloning. Git does not install hooks on its own, and a developer who skips this step commits without any local scan, so the CI pipeline is the backstop:

pre-commit install  # installs the hooks into .git/hooks; repeat on every fresh clone

Manual Scanning

# Scan the working tree only (no git history)
gitleaks detect --source . -c .gitleaks.toml --no-git

# Scan full git history (the default for `detect`), printing each finding
gitleaks detect --source . -c .gitleaks.toml --verbose

# Run all pre-commit hooks
pre-commit run --all-files

Configuration Details

.gitleaks.toml

  • Paths allowlist: Excludes .smriti/knowledge/ and test/ directories (a real credential dropped under test/ is therefore never flagged, locally or in CI; keep the allowlist as narrow as the test fixtures actually require)
  • Regex allowlist: Ignores test email patterns
  • Entropy detection: Enabled for high-entropy strings

Pre-commit Stages

  • Default: Runs at commit time (stops secrets before they are committed; bypassable with git commit --no-verify)
  • CI: GitHub Actions validate on push and PRs

Testing

✅ All hooks validated:

  • Gitleaks: PASSED
  • Detect private key: PASSED
  • Merge conflict detection: PASSED
  • YAML validation: PASSED
  • File size limits: PASSED
  • Trailing whitespace: PASSED

Baseline established for knowledge base files containing test tokens.

Security Benefits

  1. Prevention: The local hook stops secrets before they enter git history
  2. Detection: Multi-tool approach (Gitleaks plus detect-secrets) catches cases one tool's rules miss
  3. Automation: No manual intervention required once the hooks are installed
  4. CI/CD Integration: Repository-wide enforcement that does not depend on each developer's local setup
  5. Documentation: Clear ignoring patterns for legitimate test data

Future Enhancements

  • Setup GitGuardian API integration for real-time alerts
  • Add SAST scanning (static analysis)
  • Email notifications on secret detection
  • Automated rotation of compromised credentials
  • Team policy configuration

Related

Implements response to security alert about exposed credentials. Prevents similar incidents through automated scanning.
