SEL-179 & SEL-312: Add gitleaks and GitGuardian scanning (#705)

* chore: add secret scanning setup * fix: correct GitGuardian action path * cr feedbacak * test husky commit * pr feedback * fix workflows * tweaks * fix versions * upgrade: migrate from husky v8 to v9 - Update husky from ^8.0.0 to ^9.1.7 - Change prepare script from 'husky install' to 'husky' - Remove v8 hook structure (shebang, husky.sh sourcing) - Delete .husky/_/ directory as it's not needed in v9 - Maintain gitleaks pre-commit hook functionality * coderabbitai feedback
2026-01-09 14:48:06 -05:00 · 2025-07-01 17:47:45 -07:00
parent 195688ddd9
commit 7aeb16b69b
10 changed files with 2883 additions and 1 deletions
--- a/.gitguardian.yml
+++ b/.gitguardian.yml
@@ -0,0 +1,4 @@
+version: 2
+exclusion_globs:
+  - "common/src/mock_certificates/**"
+  - "common/src/constants/mockCertificates.ts"
--- a/.github/workflows/gitguardian.yml
+++ b/.github/workflows/gitguardian.yml
@@ -0,0 +1,21 @@
+name: GitGuardian Scan
+
+on:
+  pull_request:
+
+jobs:
+  gitguardian:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0 # fetch all history so multiple commits can be scanned
+      - name: GitGuardian scan
+        uses: GitGuardian/ggshield/actions/secret@v1.41.0
+        env:
+          GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }}
+          GITHUB_PUSH_BASE_SHA: ${{ github.event.base }}
+          GITHUB_PULL_BASE_SHA: ${{ github.event.pull_request.base.sha }}
+          GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
+          GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
--- a/.github/workflows/gitleaks.yml
+++ b/.github/workflows/gitleaks.yml
@@ -0,0 +1,20 @@
+name: Gitleaks Scan
+
+on:
+  pull_request:
+
+jobs:
+  gitleaks:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Install gitleaks
+        uses: gitleaks/gitleaks-action@v2.3.9
+        with:
+          config-path: .gitleaks.toml
+          fail: true
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
--- a/.gitleaks.toml
+++ b/.gitleaks.toml
--- a/.husky/_/.gitignore
+++ b/.husky/_/.gitignore
@@ -0,0 +1 @@
+*
--- a/.husky/pre-commit
+++ b/.husky/pre-commit
@@ -0,0 +1,5 @@
+if ! yarn gitleaks; then
+  echo "❌ Gitleaks scan failed. Please review the output above and fix any issues."
+  echo "💡 To skip this check temporarily, use: git commit --no-verify"
+  exit 1
+fi
--- a/README.md
+++ b/README.md
@@ -62,6 +62,11 @@ The International Civil Aviation Organization (ICAO) is a specialized agency of
 - Passport Wallet: use [active authentication](https://en.wikipedia.org/wiki/Biometric_passport#:~:text=Active%20Authentication%20(AA),Using%20AA%20is%20optional.) to build a wallet, a multisig or a recovery module using passport signatures

 We will provide bounties for all those applications. Those are not fixed right now, so please contact us if you're interested.
+## Development Setup
+
+Run `yarn install` to bootstrap dependencies and husky hooks.
+Gitleaks will scan staged changes on each commit via `yarn gitleaks`.
+

 ## Licensing

--- a/app/env.sample
+++ b/app/env.sample
@@ -1,4 +1,6 @@
 ENABLE_DEBUG_LOGS=
+GITGUARDIAN_API_KEY=
+GITLEAKS_LICENSE=
 GOOGLE_SIGNIN_ANDROID_CLIENT_ID=
 IS_TEST_BUILD=
 MIXPANEL_NFC_PROJECT_TOKEN=
--- a/package.json
+++ b/package.json
@@ -13,10 +13,14 @@
    "format": "yarn workspaces foreach --parallel -i --all --exclude self-workspace-root run format",
    "lint": "yarn workspaces foreach --parallel -i --all --exclude self-workspace-root run lint",
    "types": "yarn workspaces foreach --topological-dev --parallel --exclude @selfxyz/contracts -i --all run types ",
-    "postinstall": "patch-package"
+    "postinstall": "patch-package",
+    "gitleaks": "gitleaks protect --staged --redact --config=.gitleaks.toml",
+    "prepare": "husky"
  },
  "packageManager": "yarn@4.6.0",
  "devDependencies": {
+    "gitleaks": "1.0.0",
+    "husky": "9.1.7",
    "patch-package": "^8.0.0",
    "postinstall-postinstall": "^2.1.0"
  }
--- a/yarn.lock
+++ b/yarn.lock
@@ -14260,6 +14260,13 @@ __metadata:
  languageName: node
  linkType: hard

+"gitleaks@npm:1.0.0":
+  version: 1.0.0
+  resolution: "gitleaks@npm:1.0.0"
+  checksum: 10c0/126d819495f6f5cb91390a67d2e41ff4f1140412b46501ae2e25f73de1282e94233ca8874946651dc0a70cb0bc346a58fdc292150520451efad6e71ef791dd25
+  languageName: node
+  linkType: hard
+
 "glob-parent@npm:^5.1.2, glob-parent@npm:~5.1.2":
  version: 5.1.2
  resolution: "glob-parent@npm:5.1.2"
@@ -14898,6 +14905,15 @@ __metadata:
  languageName: node
  linkType: hard

+"husky@npm:9.1.7":
+  version: 9.1.7
+  resolution: "husky@npm:9.1.7"
+  bin:
+    husky: bin.js
+  checksum: 10c0/35bb110a71086c48906aa7cd3ed4913fb913823715359d65e32e0b964cb1e255593b0ae8014a5005c66a68e6fa66c38dcfa8056dbbdfb8b0187c0ffe7ee3a58f
+  languageName: node
+  linkType: hard
+
 "i18n-iso-countries@npm:^7.13.0":
  version: 7.14.0
  resolution: "i18n-iso-countries@npm:7.14.0"
@@ -20664,6 +20680,8 @@ __metadata:
  version: 0.0.0-use.local
  resolution: "self-workspace-root@workspace:."
  dependencies:
+    gitleaks: "npm:1.0.0"
+    husky: "npm:9.1.7"
    patch-package: "npm:^8.0.0"
    postinstall-postinstall: "npm:^2.1.0"
  languageName: unknown