feat: add gitleaks and trufflehog secret scanning hooks #3

Open
injectedfusion wants to merge 1 commit into main from feat/secret-scanning

Conversation

@injectedfusion (Owner)

Summary

  • gitleaks (gitleaks protect --staged): 150+ regex patterns covering API keys, tokens, passwords, connection strings. Runs on every commit, gracefully skips if binary missing.
  • trufflehog (--only-verified): Entropy + pattern matching with live verification against issuing services. Only fails on confirmed active secrets — far lower FP rate than pattern-only tools.
  • no-hardcoded-secrets retained for repos that cannot install system binaries (backward compat).

Defense in depth

| Tool | Approach | Strength |
| --- | --- | --- |
| no-hardcoded-secrets | 3 YAML field name patterns | Lightweight, zero deps |
| gitleaks | 150+ regex patterns (staged diff) | Broad coverage, fast |
| trufflehog | Entropy + patterns + live verification | Catches live secrets, very low FP |

Installation requirement

Both hooks use language: script and skip gracefully when the binary is not found:

brew install gitleaks trufflehog

Test plan

  • Hook runs cleanly on repo with no secrets staged
  • Hook catches a test secret (e.g., AKIA... AWS key pattern) in staged file
  • Hook skips gracefully with warning when binary not in PATH
  • shellcheck passes on both scripts

Adds defense-in-depth secret detection:
- gitleaks: 150+ patterns for staged changes (gitleaks protect --staged)
- trufflehog: entropy + pattern + live verification (--only-verified)

Both are language: system / graceful-skip when binary not in PATH.
no-hardcoded-secrets retained for backward compat with repos not on system binaries.

Closes: will reference from rk1-k8s-apps and other injectedfusion repos
@gemini-code-assist

Summary of Changes

Hello @injectedfusion, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the repository's security posture by introducing two new pre-commit hooks: gitleaks and trufflehog. These tools provide robust secret scanning capabilities, with gitleaks offering broad pattern-based detection and trufflehog focusing on verified live secrets to minimize false positives. The changes establish a multi-layered defense against accidental secret exposure, while ensuring flexibility for users by gracefully handling missing tool installations.

Highlights

  • Gitleaks Integration: Integrated gitleaks as a pre-commit hook to scan staged changes for over 150 secret types using pattern matching, with graceful skipping if the binary is not found.
  • Trufflehog Integration: Integrated trufflehog as a pre-commit hook for verified secret detection, utilizing entropy analysis and pattern matching with live verification to significantly reduce false positives.
  • Enhanced Secret Scanning Defense: Established a defense-in-depth strategy by combining no-hardcoded-secrets (for lightweight checks), gitleaks (for broad pattern coverage), and trufflehog (for verified live secrets).
  • Graceful Binary Handling: Implemented graceful skipping for both gitleaks and trufflehog hooks if their respective binaries are not found in the system's PATH, ensuring the hooks do not block commits unnecessarily.

Changelog
  • .pre-commit-hooks.yaml
    • Added a new pre-commit hook definition for gitleaks to detect secrets.
    • Added a new pre-commit hook definition for trufflehog for verified secret detection.
    • Updated the description for the existing no-hardcoded-secrets hook, noting it's superseded but retained for compatibility.
  • hooks/gitleaks.sh
    • Added a new shell script to execute gitleaks protect --staged, including logic to check for gitleaks installation and use per-repo configuration.
  • hooks/trufflehog.sh
    • Added a new shell script to execute trufflehog git with --only-verified and --since-commit HEAD, including logic to check for trufflehog installation.

@claude

claude bot commented Feb 19, 2026

Claude finished @injectedfusion's task in 56s

Code Review: Secret Scanning Hooks

Status: 🔄 Needs Changes

✅ Strengths

Shell Script Quality:

  • Both scripts correctly use set -euo pipefail for safety
  • Proper error handling with graceful fallback when binaries are missing (exit 0, warning message)
  • Good quoting practices: $repo_root and arrays properly quoted
  • Clear documentation comments explaining purpose and installation steps

Hook Configuration (.pre-commit-hooks.yaml):

  • Correct language: script setup
  • Appropriate always_run: true and pass_filenames: false settings
  • Descriptions clearly document binary requirements and behavior
  • Good cross-reference between hooks (mentions "defense in depth")

Security Posture:

  • No unsafe eval/exec patterns
  • No credential leaks in scripts
  • Proper credential handling with --fail and --only-verified flags
  • Good user guidance for emergency bypass (--no-verify)

⚠️ Issues Found

1. [CRITICAL] trufflehog.sh - Staged Changes Detection (lines 23-27)

  • The --since-commit HEAD flag scans commits since HEAD, but pre-commit hooks need to catch secrets in staged (uncommitted) changes
  • This creates a gap: the hook may fail to detect secrets staged for the next commit
  • Comparison: gitleaks explicitly uses gitleaks protect --staged for this exact use case
  • Action Required: Verify trufflehog can scan staged changes with current flags, or adjust the command. See inline comment for alternatives.

Summary

The PR adds well-written, secure shell scripts with good error handling and documentation. However, the trufflehog hook has a functional gap: it may not properly detect secrets in staged changes, which is the core purpose of a pre-commit hook. The gitleaks hook appears correct, but trufflehog needs verification/adjustment to ensure it scans staged changes as intended.

Decision: Request changes until the trufflehog issue is resolved.

Comment on lines +23 to +27
if ! trufflehog git "file://$repo_root" \
--since-commit HEAD \
--only-verified \
--fail \
--no-update \

Functional Concern: This command may not properly scan staged (uncommitted) changes. The --since-commit HEAD flag scans commits since HEAD, but pre-commit hooks run on staged files that haven't been committed yet.

For a pre-commit hook to catch secrets in staged changes (matching gitleaks behavior with --staged), trufflehog needs to scan the current working state. Consider:

  1. Verify with trufflehog git file://... --since-commit HEAD~1..HEAD to check recent commits, OR
  2. Use trufflehog filesystem mode to scan the working directory, OR
  3. Document this limitation if the intent is to only catch committed secrets

Reference: gitleaks explicitly uses gitleaks protect --staged to scan only staged changes. This hook should have equivalent behavior.

@claude claude bot left a comment

Please resolve the trufflehog staged changes detection issue before merging. See inline comment on hooks/trufflehog.sh for details.

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

The addition of gitleaks and trufflehog provides a robust multi-layered approach to secret detection. The scripts are well-implemented with graceful fallbacks when binaries are missing. However, there is a significant logic issue in the trufflehog hook configuration that prevents it from scanning the staged changes during a commit.

repo_root="$(git rev-parse --show-toplevel)"

if ! trufflehog git "file://$repo_root" \
--since-commit HEAD \


Severity: high

In a pre-commit hook context, --since-commit HEAD will not scan the changes currently being committed (the staged changes). To ensure that secrets in the current commit attempt are caught, you should use the --staged flag instead.

Suggested change
--since-commit HEAD \
--staged \
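To make the reviewers' point concrete, here is an added illustration (not the repository's gitleaks or trufflehog hooks, and not part of the original thread) of the decision a pre-commit hook has to make: judge only the added lines of the staged diff, which is exactly the content `--since-commit HEAD` does not see. It combines the AKIA key shape from the PR's test plan with an entropy heuristic in the spirit of trufflehog's approach; the rule set, threshold, paths and sample diff are all constructed for the example.

```python
import math
import re

# Hypothetical rule set, constructed for this example: the AKIA access-key shape
# from the PR's test plan, plus an entropy check on credential-like assignments.
PATTERNS = {"aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b")}
ASSIGNMENT = re.compile(
    r"""(?i)(?:secret|token|password|api_key)\s*[:=]\s*['"]?([A-Za-z0-9+/=_-]{16,})""")
ENTROPY_THRESHOLD = 3.5  # bits per character; an assumed cutoff, tune per repository

def shannon_entropy(s):
    """Bits per character of s; a token of 32 distinct symbols scores exactly 5.0."""
    return -sum(n / len(s) * math.log2(n / len(s)) for n in (s.count(c) for c in set(s)))

def scan_staged_diff(diff_text):
    """Return (path, new_line_no, rule) for every added ('+') line that matches a rule."""
    findings, path, line_no = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):              # new-file header: +++ b/<path>
            path = raw[4:].removeprefix("b/")
        elif raw.startswith("@@"):              # @@ -a,b +c,d @@ : new side starts at line c
            line_no = int(re.match(r"@@ -\S+ \+(\d+)", raw).group(1))
        elif raw.startswith("+"):               # added line: the only content about to enter HEAD
            line = raw[1:]
            findings += [(path, line_no, n) for n, rx in PATTERNS.items() if rx.search(line)]
            m = ASSIGNMENT.search(line)
            if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
                findings.append((path, line_no, "high-entropy-assignment"))
            line_no += 1
        elif raw.startswith(("-", "\\")):       # removed line or "\ No newline": no new-side line
            continue
        else:                                   # context line (none with -U0, kept for -U<n>)
            line_no += 1
    return findings

# Constructed `git diff --cached -U0` output; every key value below is fake.
SAMPLE_DIFF = """\
--- a/config/app.yaml
+++ b/config/app.yaml
@@ -3 +3,2 @@ database:
-  old_key: AKIAOLDKEYREMOVED001
+  aws_access_key_id: AKIAEXAMPLEKEY000001
+  api_key: "hunter2"
--- a/README.md
+++ b/README.md
@@ -10 +10 @@
-Old line
+New line mentioning token: a1B2c3D4e5F6g7H8i9J0kLmNoPqRsTuV
"""
```

Running `scan_staged_diff(SAMPLE_DIFF)` flags the added AKIA key at config/app.yaml:3 and the high-entropy token at README.md:10, while the removed key on the `-` line and the short, low-entropy `"hunter2"` produce nothing.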
