From 31ebbd34f39c172476d6ffe57d7921fc0ada84a7 Mon Sep 17 00:00:00 2001
From: ryoppippi <1560508+ryoppippi@users.noreply.github.com>
Date: Sun, 21 Dec 2025 15:11:31 +0000
Subject: [PATCH 1/2] feat(security): add gitleaks for secret detection
Integrate gitleaks to detect and prevent secrets from being committed:
- Add .gitleaks.toml configuration with default rules
- Add gitleaks to pre-commit hook via lefthook (runs first in pipeline)
- Add gitleaks job to CI workflow using gitleaks-action
- Add gitleaks to nix flake for local development
This replaces secretlint with a more widely adopted solution that provides comprehensive detection of API keys, tokens, and credentials.
---
 .github/workflows/ci.yaml | 14 ++++++++++++++
 .gitleaks.toml | 14 ++++++++++++++
 flake.nix | 3 +++
 lefthook.yaml | 2 ++
 4 files changed, 33 insertions(+)
 create mode 100644 .gitleaks.toml
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index ba9c41f..dbd61ed 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -16,6 +16,20 @@ permissions:
 id-token: write
 jobs:
+ gitleaks:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ with:
+ fetch-depth: 0
+
+ - name: Setup Nix
+ uses: ./.github/actions/setup-nix
+
+ - name: Run Gitleaks
+ run: nix develop --command gitleaks detect --source . --config .gitleaks.toml
+
 typos:
 runs-on: ubuntu-latest
 steps:
diff --git a/.gitleaks.toml b/.gitleaks.toml
new file mode 100644
index 0000000..c1fcbd9
--- /dev/null
+++ b/.gitleaks.toml
@@ -0,0 +1,14 @@
+# Gitleaks configuration
+# https://github.com/gitleaks/gitleaks
+
+[extend]
+useDefault = true
+
+[allowlist]
+description = "Global allowlist"
+paths = [
+ '''\.lock$''',
+ '''\.snap$''',
+ '''go\.sum$''',
+ '''pnpm-lock\.yaml$''',
+]
diff --git a/flake.nix b/flake.nix
index e953f20..d0c4a00 100644
--- a/flake.nix
+++ b/flake.nix
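Review bot: The new `gitleaks` job declares no `permissions:` block, so it inherits the workflow-level grant visible in the hunk context (`id-token: write`), which a read-only scan does not need; add `permissions:` / `contents: read` at the job level so the scanner's token carries only checkout rights. The commit description says the job uses gitleaks-action, but the step actually runs the binary via `nix develop --command gitleaks detect`; one of the two should be corrected, and a one-line comment above the `fetch-depth: 0` key (e.g. `# unshallow clone: detect scans the full commit history`) would record why the checkout is not shallow. Consider `--redact` on the detect command so a hit is reported by rule and location instead of echoing the matched value into the persisted CI log. The diffstat shows only insertions, so the secretlint removal the description mentions is not part of this patch.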
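Review bot: The `paths` entries under `[allowlist]` carry no comment explaining why those files are exempt, and a global path allowlist silences every rule for a matching file, so each entry deserves a one-line reason, e.g. `# lockfile: presumably only integrity hashes, which trip entropy rules` above `'''pnpm-lock\.yaml$'''` (confirm that is the motivation). The second patch in this series already removes the `.lock`, `.snap` and `go.sum` entries, so only the pnpm entry needs the note. Newer gitleaks releases document the plural `[[allowlists]]` form; the singular table still parses as far as I know, but check the behaviour of the version the flake pins.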
@@ -29,6 +29,9 @@
 nixfmt-rfc-style
 typos
 typos-lsp
+
+ # security
+ gitleaks
 ];
 shellHook = ''
diff --git a/lefthook.yaml b/lefthook.yaml
index 21bf81b..67aa5e8 100644
--- a/lefthook.yaml
+++ b/lefthook.yaml
@@ -1,6 +1,8 @@
 pre-commit:
 piped: true
 jobs:
+ - name: gitleaks
+ run: gitleaks protect --staged --config .gitleaks.toml
 - name: oxlint
 glob: '*.{ts,tsx,js,jsx,mts,cts}'
 run: pnpm oxlint --max-warnings=0 --type-aware --type-check --fix {staged_files}
From 71d21cbad9f13dabe8cf2665234eb9d573d380ee Mon Sep 17 00:00:00 2001
From: ryoppippi <1560508+ryoppippi@users.noreply.github.com>
Date: Sun, 21 Dec 2025 15:36:01 +0000
Subject: [PATCH 2/2] fix ignore
---
 .gitleaks.toml | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/.gitleaks.toml b/.gitleaks.toml
index c1fcbd9..3e4bd33 100644
--- a/.gitleaks.toml
+++ b/.gitleaks.toml
@@ -7,8 +7,5 @@ useDefault = true
 [allowlist]
 description = "Global allowlist"
 paths = [
- '''\.lock$''',
- '''\.snap$''',
- '''go\.sum$''',
 '''pnpm-lock\.yaml$''',
 ]
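Review bot: In the lefthook hunk, `gitleaks protect --staged` uses a subcommand that recent gitleaks releases mark as deprecated in favor of `gitleaks git --pre-commit --staged`; whether that applies depends on the version the flake provides, so check the hook output for the deprecation line and switch if it appears, since the legacy command may eventually be removed. Unlike the `oxlint` job that follows, the new job has no `glob:`, which is correct for secret scanning but worth a comment such as `# no glob on purpose: every staged file is scanned` so a later contributor does not narrow it. Consider adding `--redact` so a hit is reported by rule and line rather than printing the value into the terminal scrollback.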