Skip to content

chore: add gitleaks secret scanning to pre-commit hook#1968

Merged
Stephen Belanger (Qard) merged 1 commit intomainfrom
key-filtering
May 7, 2026
Merged

chore: add gitleaks secret scanning to pre-commit hook#1968
Stephen Belanger (Qard) merged 1 commit intomainfrom
key-filtering

Conversation

@Qard
Copy link
Copy Markdown
Contributor

@Qard Stephen Belanger (Qard) commented May 7, 2026

Summary

  • Adds gitleaks protect --staged to the Husky pre-commit hook to scan staged files for API keys and secrets before each commit
  • Adds .gitleaks.toml extending the default gitleaks ruleset with a custom rule for Braintrust API keys (sk- prefix)
  • Gracefully degrades with a warning if gitleaks is not installed, so contributors aren't hard-blocked until they install it

Setup

Developers need to install gitleaks once:

brew install gitleaks

Test plan

  • Stage a file containing a fake secret (e.g. sk-abc123...) and verify git commit is blocked
  • Verify git commit proceeds normally when no secrets are present
  • Verify the warning message appears when gitleaks is not installed

🤖 Generated with Claude Code

@claude
chore: add gitleaks secret scanning to pre-commit hook
0d933bc 
Adds gitleaks to the pre-commit hook to catch API keys and secrets before
they are committed. Extends the default ruleset with a custom rule for
Braintrust API keys. Gracefully degrades if gitleaks is not installed.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@Qard Stephen Belanger (Qard) merged commit 3789d1c into main May 7, 2026
42 checks passed
@Qard Stephen Belanger (Qard) deleted the key-filtering branch May 7, 2026 23:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@realark Andrew Kent (realark) realark approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Qard @realark