Skip to content

Comments

feat: replace detect-secrets with gitleaks#164

Draft
vredchenko wants to merge 1 commit intomainfrom
chore/switch-to-gitleaks
Draft

feat: replace detect-secrets with gitleaks#164
vredchenko wants to merge 1 commit intomainfrom
chore/switch-to-gitleaks

Conversation

@vredchenko
Copy link
Collaborator

@vredchenko vredchenko commented Feb 20, 2026

Summary

  • Replace ~100-line detect-secrets CI workflow with ~15-line gitleaks-action workflow
  • Add .gitleaks.toml allowlist for known false positives (docs, claude-code, k8s templates)
  • Switch pre-commit hook from detect-secrets to gitleaks pre-push; add gitleaks to lefthook pre-push
  • Remove .secrets.baseline
  • Add ADR-0018 (supersedes ADR-0005)

Context

Audit of all DLS repos found no real secrets in git history, a broken baseline audit check (is_secret key absent vs null), and ~10x workflow overhead. Aligns with DLS org recommendation for gitleaks.

Ref: #139

Test plan

  • CI gitleaks workflow passes on this PR
  • gitleaks detect --source . locally confirms no unhandled findings
  • Pre-push hook works with gitleaks installed (gitleaks protect --staged --redact)

@vredchenko
feat: replace detect-secrets with gitleaks for secret scanning
5fa269a 
Audit found no real secrets in any repo history, broken baseline audit
check, and ~10x workflow overhead vs gitleaks. Aligns with DLS org
recommendation.

- Replace ~100-line detect-secrets CI workflow with gitleaks-action
- Add .gitleaks.toml allowlist for docs/claude-code/k8s false positives
- Switch pre-commit hook from detect-secrets to gitleaks pre-push
- Add gitleaks pre-push command to lefthook
- Remove .secrets.baseline
- Add ADR-0018, supersede ADR-0005

Ref: #139
@github-actions github-actions bot added documentation Improvements or additions to project documentation devops CI/CD, deployment, infrastructure, or tooling work labels Feb 20, 2026
@vredchenko vredchenko added admin Project maintenance, dependency updates, or housekeeping security Security fixes, audits, or vulnerability remediation labels Feb 20, 2026
@vredchenko vredchenko mentioned this pull request Feb 20, 2026
Open
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

admin Project maintenance, dependency updates, or housekeeping devops CI/CD, deployment, infrastructure, or tooling work documentation Improvements or additions to project documentation security Security fixes, audits, or vulnerability remediation

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@vredchenko