feat: add gitleaks secret scanning#149

Open
vredchenko wants to merge 3 commits into main from chore/switch-to-gitleaks

Conversation

@vredchenko
Contributor

@vredchenko vredchenko commented Feb 20, 2026

Summary

  • Add gitleaks CI workflow for secret scanning (this repo previously had none)
  • Add lefthook with gitleaks pre-push hook
  • Add lefthook as devDependency with "prepare": "lefthook install" script
  • Add .gitleaks.toml placeholder (no known false positives)

Context

Audit of all DLS repos found that sci-react-ui was the only repo without any secret scanning. Adding gitleaks aligns it with the other four DLS repos.

Ref: DiamondLightSource/smartem-devtools#139
See: ADR-0018 in smartem-devtools

Test plan

  • CI gitleaks workflow passes on this PR
  • gitleaks detect --source . locally confirms no findings
  • Run pnpm install to generate lockfile update (not included in this PR)
  • Pre-push hook works with gitleaks installed (gitleaks protect --staged --redact)
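An added example, not the PR's own files, of the two pieces the summary describes: a lefthook pre-push hook running `gitleaks protect --staged --redact`, and a CI workflow that installs the MIT-licensed gitleaks CLI instead of gitleaks/gitleaks-action (which needs a GITLEAKS_LICENSE secret for organisation-owned repos). The release asset URL pattern and the pinned version are assumptions; check them against the gitleaks releases page before use.

```yaml
# lefthook.yml (added example). `lefthook install` wires this in as the
# git pre-push hook; the scan runs locally before anything leaves the box.
pre-push:
  commands:
    gitleaks:
      # --redact prints the finding location but masks the secret itself
      run: gitleaks protect --staged --redact

---
# .github/workflows/gitleaks.yml (added example). Uses the CLI rather than
# gitleaks/gitleaks-action@v2, which fails on org-owned repos without a
# paid GITLEAKS_LICENSE secret.
name: gitleaks

on:
  push:
  pull_request:

jobs:
  secret-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history, so secrets in old commits are found too

      - name: Install gitleaks CLI
        env:
          # ASSUMPTION: replace with a release you have verified on
          # https://github.com/gitleaks/gitleaks/releases
          GITLEAKS_VERSION: "8.X.Y"
        run: |
          curl -sSL \
            "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" \
            | tar -xz gitleaks
          sudo install -m 0755 gitleaks /usr/local/bin/gitleaks

      - name: Scan repository history
        # .gitleaks.toml in the repo root is picked up automatically;
        # --exit-code 1 fails the job on any finding, --redact keeps the
        # secret out of the CI log.
        run: gitleaks detect --source . --redact --verbose --exit-code 1
```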

@akademy
Member

akademy commented Apr 23, 2026

Is this finished and waiting for a review?

vredchenko added a commit that referenced this pull request Apr 24, 2026
gitleaks/gitleaks-action@v2 requires a paid GITLEAKS_LICENSE secret
for repos owned by organisations, which caused the scan to fail on
PR #149. The CLI (free under MIT) provides equivalent scanning and
is the pattern already used across smartem-frontend, smartem-devtools,
fandanGO-cryoem-dls, and smartem-decisions.
This repo previously had no secret scanning. Add gitleaks to align
with all other DLS repos.

- Add gitleaks CI workflow
- Add lefthook with gitleaks pre-push hook
- Add lefthook as devDependency with prepare script
- Add empty .gitleaks.toml (no known false positives)

Note: run `pnpm install` to update lockfile after merging.

Ref: DiamondLightSource/smartem-devtools#139
See: ADR-0018 in smartem-devtools
@vredchenko vredchenko force-pushed the chore/switch-to-gitleaks branch from 0c39c83 to 2ac59e2 April 24, 2026 13:32
The gitleaks commit added lefthook as a devDependency in package.json
but didn't update the lockfile. CI runs with --frozen-lockfile and
blocks on the drift. Regenerate lockfile to match package.json.
@vredchenko
Contributor Author

vredchenko commented Apr 24, 2026

PR #141 has pnpm.overrides that pins vulnerable transitive deps (including
lodash@^4.17.21 → 4.17.23 — the exact vulnerability PR #149 is hitting). The root cause is
pre-existing on main; pnpm audit queries live advisories, so main's CI passes stale (last
successful run was March 11) but any new push will hit the same lodash alert.

Correct sequencing:

  1. Bump PR #141's override from 4.17.23 → 4.18.1 (one line in package.json) + regenerate lockfile. That unblocks PR #141.
  2. Merge PR #141. Main gets the override.
  3. Rebase PR #149 onto main. It inherits the override → audit passes, gitleaks fix can land.

PR #141 is exactly for this (title: "version updates for npm deps flagged up as vulnerable by
scanner"), so bumping the override is in-scope for that PR.

@vredchenko vredchenko marked this pull request as ready for review April 24, 2026 15:07
@VictoriaBeilsten-Edmands
Collaborator

In the context section you've said
"Audit of all DLS repos found that sci-react-ui was the only repo without any secret scanning. Adding gitleaks aligns it with the other four DLS repos."
This is not correct.

PR #163 deals with the lodash patch.

@vredchenko
Contributor Author

In the context section you've said "Audit of all DLS repos found that sci-react-ui was the only repo without any secret scanning. Adding gitleaks aligns it with the other four DLS repos." This is not correct.

PR #163 deals with the lodash patch.

Yeah sorry that came from Claude - it meant the other 4 repos I work on


3 participants