Add secret scanning with gitleaks

Author: Boyeep

.github/workflows/template-ci.yml

@@ -10,6 +10,28 @@ permissions:
   contents: read
 
 jobs:
+  secret-scan:
+    name: Secret Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: .nvmrc
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: "1.25.1"
+
+      - name: Scan git history for secrets
+        run: npm run check:secrets
+
   workflow-lint:
     name: Workflow Lint
     runs-on: ubuntu-latest

AGENTS.md

@@ -49,6 +49,7 @@ Use these commands before finishing work:
 
 ```bash
 npm run check:contract
+npm run check:secrets
 npm run check:workflows
 npm run check
 ```

CONTRIBUTING.md

@@ -75,6 +75,18 @@ If Go is available locally, you can also lint GitHub Actions workflows:
 npm run check:workflows
 ```
 
+If Go is available locally, you can also scan tracked git content for secrets:
+
+```bash
+npm run check:secrets
+```
+
+For a pre-commit style check on staged content, run:
+
+```bash
+npm run check:secrets -- --staged
+```
+
 ## Changing the API Contract
 
 If you modify request or response shapes:

README.md

@@ -96,6 +96,7 @@ npm run dev:down
 npm run api:types
 npm run check:contract
 npm run check:images
+npm run check:secrets
 npm run check:workflows
 npm run check
 ```
@@ -113,6 +114,8 @@ The root check runs:
 
 `check:images` is separate and intended for environments where a Docker daemon is available.
 
+`check:secrets` scans tracked git content with a pinned `gitleaks` version via Go.
+
 `check:workflows` lints `.github/workflows/` with a pinned `actionlint` version via Go.
 
 ## Releases

package.json

@@ -9,6 +9,7 @@
     "check:contract": "node scripts/check-contract-drift.mjs",
     "check:images": "node scripts/check-docker-builds.mjs",
     "check:release-smoke": "node scripts/check-release-smoke.mjs",
+    "check:secrets": "node scripts/check-secrets.mjs",
     "check:workflows": "node scripts/check-actionlint.mjs",
     "check": "node scripts/check.mjs"
   },

scripts/check-secrets.mjs

@@ -0,0 +1,47 @@
+import { spawnSync } from "node:child_process";
+import process from "node:process";
+
+const GITLEAKS_VERSION = process.env.GITLEAKS_VERSION ?? "v8.30.1";
+const shell = process.platform === "win32";
+
+function run(command, args, options = {}) {
+  return spawnSync(command, args, {
+    stdio: options.capture ? "pipe" : "inherit",
+    encoding: options.capture ? "utf8" : undefined,
+    shell,
+  });
+}
+
+const goVersion = run("go", ["version"], { capture: true });
+
+if (goVersion.error || goVersion.status !== 0) {
+  const details = [goVersion.stdout, goVersion.stderr].filter(Boolean).join("\n").trim();
+  console.error(
+    "Go is required to run secret scanning locally. Install Go or rely on the CI secret-scan job.",
+  );
+
+  if (details) {
+    console.error(details);
+  }
+
+  process.exit(goVersion.status ?? 1);
+}
+
+const args = [
+  "run",
+  `github.com/zricethezav/gitleaks/v8@${GITLEAKS_VERSION}`,
+  "git",
+  "--no-banner",
+  "--redact",
+  ".",
+  ...process.argv.slice(2),
+];
+
+const result = run("go", args);
+
+if (result.error) {
+  console.error(result.error.message);
+  process.exit(1);
+}
+
+process.exit(result.status ?? 1);