From efbb2a9d4c34caa772b91ab42fe077d11d499816 Mon Sep 17 00:00:00 2001
From: injectedfusion <6646111+injectedfusion@users.noreply.github.com>
Date: Thu, 19 Feb 2026 20:34:13 +0100
Subject: [PATCH] feat: add gitleaks and trufflehog secret scanning hooks

Adds defense-in-depth secret detection:
- gitleaks: 150+ patterns for staged changes (gitleaks protect --staged)
- trufflehog: entropy + pattern + live verification (--only-verified)

Both are language: system / graceful-skip when binary not in PATH. no-hardcoded-secrets retained for backward compat with repos not on system binaries.

Closes: will reference from rk1-k8s-apps and other injectedfusion repos
---
 .pre-commit-hooks.yaml | 29 +++++++++++++++++++++++++++++
 hooks/gitleaks.sh | 35 +++++++++++++++++++++++++++++++++++
 hooks/trufflehog.sh | 34 ++++++++++++++++++++++++++++++++++
 3 files changed, 98 insertions(+)
 create mode 100755 hooks/gitleaks.sh
 create mode 100755 hooks/trufflehog.sh

diff --git a/.pre-commit-hooks.yaml b/.pre-commit-hooks.yaml
index 2111a56..d1aca99 100644
--- a/.pre-commit-hooks.yaml
+++ b/.pre-commit-hooks.yaml
@@ -27,11 +27,40 @@
 Detects hardcoded passwords, API keys, and secret keys in config files.
 Looks for patterns like password: "base64string..." while ignoring
 template references ($__env{}, secretRef, existingSecret).
+ NOTE: superseded by gitleaks/trufflehog for broader coverage; retained
+ for repos that cannot install system binaries.
 entry: hooks/no-hardcoded-secrets.sh
 language: script
 types: [yaml]
 stages: [pre-commit]
 
+- id: gitleaks
+ name: gitleaks (secret detection)
+ description: >
+ Scans staged changes for 150+ secret types using pattern matching:
+ API keys, tokens, passwords, connection strings, and more.
+ Per-repo config: place .gitleaks.toml in repo root to add allowlists.
+ Requires: gitleaks in PATH (brew install gitleaks).
+ entry: hooks/gitleaks.sh
+ language: script
+ always_run: true
+ pass_filenames: false
+ stages: [pre-commit]
+
+- id: trufflehog
+ name: trufflehog (verified secret detection)
+ description: >
+ Scans for secrets using entropy analysis + pattern matching, then verifies
+ them against the issuing service. Only fails on confirmed live secrets,
+ significantly reducing false positives vs pattern-only tools.
+ Complements gitleaks: use both for defense in depth.
+ Requires: trufflehog in PATH (brew install trufflehog).
+ entry: hooks/trufflehog.sh
+ language: script
+ always_run: true
+ pass_filenames: false
+ stages: [pre-commit]
+
 - id: require-signed-commits
 name: require signed commits
 description: >
diff --git a/hooks/gitleaks.sh b/hooks/gitleaks.sh
new file mode 100755
index 0000000..6bb929f
--- /dev/null
+++ b/hooks/gitleaks.sh
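Review bot: Neither new hook pins a tool version — `Requires: gitleaks in PATH` / `Requires: trufflehog in PATH` means the rule set and verifier behaviour depend on whatever release each developer happens to have installed, and the hook scripts exit 0 when the binary is absent, so a consumer reading this description will assume coverage they may not have. I would add one line to each description, e.g. `Not version-pinned: findings depend on the locally installed release, and the hook passes silently when the binary is missing.` The commit message says both hooks are `language: system`, but they are declared `language: script` here (which is the right choice for a script shipped in the hook repo); the message is stale rather than the yaml, but it is worth correcting so consumers do not expect PATH-resolved entries.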
@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+# gitleaks — scan staged changes for secrets using pattern matching.
+# Catches 150+ secret types: API keys, tokens, passwords, connection strings.
+#
+# Requires: gitleaks in PATH
+# brew install gitleaks (macOS)
+# apt-get install gitleaks (Debian/Ubuntu)
+#
+# Per-repo config: place .gitleaks.toml in repo root to customize rules.
+# See: https://github.com/gitleaks/gitleaks#configuration
+
+set -euo pipefail
+
+if ! command -v gitleaks &> /dev/null; then
+ echo "⚠ gitleaks not found — secret scanning skipped"
+ echo " Install: brew install gitleaks"
+ exit 0
+fi
+
+repo_root="$(git rev-parse --show-toplevel)"
+
+# Use per-repo config if present, otherwise use gitleaks defaults
+config_args=()
+if [[ -f "$repo_root/.gitleaks.toml" ]]; then
+ config_args=(--config "$repo_root/.gitleaks.toml")
+fi
+
+if ! gitleaks protect --staged --source "$repo_root" --exit-code 1 --no-banner "${config_args[@]}" 2>&1; then
+ echo ""
+ echo "✗ gitleaks: secrets detected in staged changes"
+ echo " Remove secrets, then re-stage the corrected files."
+ echo " False positive? Add an allowlist entry to .gitleaks.toml"
+ echo " To bypass (emergency only): git commit --no-verify"
+ exit 1
+fi
diff --git a/hooks/trufflehog.sh b/hooks/trufflehog.sh
new file mode 100755
index 0000000..6b7775b
--- /dev/null
+++ b/hooks/trufflehog.sh
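Review bot: The `gitleaks protect` invocation does not pass `--redact`, so on a hit the finding (and with `2>&1`, everything gitleaks writes) is printed with the matched secret value into the terminal and into whatever captures pre-commit output (CI logs, IDE consoles) — the tool whose job is to keep the credential out of git ends up copying it into logs; `gitleaks protect --staged --redact --source "$repo_root" ...` avoids that. The not-installed branch is a silent pass: `exit 0` with a warning on stdout means a box without gitleaks commits unchecked, so I would at least send the warning to stderr and offer an opt-in fail-closed mode, e.g. `[[ "${SECRET_SCAN_REQUIRED:-0}" == "1" ]] && exit 1` before the `exit 0`. Newer gitleaks releases report `protect` as deprecated in favour of `gitleaks git --pre-commit --staged`; that is worth noting in the header comment against the version this hook is tested with.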
@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+# trufflehog — scan for verified secrets using entropy analysis + pattern matching.
+# Uses --only-verified to suppress noise: only reports secrets that were confirmed
+# active against the issuing service (reduces false positives significantly).
+#
+# Requires: trufflehog in PATH
+# brew install trufflehog (macOS)
+# See: https://github.com/trufflesecurity/trufflehog#installation
+#
+# Note: complements gitleaks (pattern-based). TruffleHog's verification step
+# catches live secrets that pattern-only tools would flag as low-confidence.
+
+set -euo pipefail
+
+if ! command -v trufflehog &> /dev/null; then
+ echo "⚠ trufflehog not found — verified secret scanning skipped"
+ echo " Install: brew install trufflehog"
+ exit 0
+fi
+
+repo_root="$(git rev-parse --show-toplevel)"
+
+if ! trufflehog git "file://$repo_root" \
+ --since-commit HEAD \
+ --only-verified \
+ --fail \
+ --no-update \
+ 2>&1; then
+ echo ""
+ echo "✗ trufflehog: verified live secrets detected"
+ echo " Revoke these credentials immediately, then remove from code."
+ echo " To bypass (emergency only): git commit --no-verify"
+ exit 1
+fi
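Review bot: `--only-verified` has two consequences the header comment should state, because they shape what this hook actually guarantees: verification sends each candidate credential from the developer's machine to the issuing service over the network on every commit, and when that call cannot complete (offline, egress-filtered, proxied) there is no verified finding, so the hook fails open and passes; and anything trufflehog cannot verify — detector types without a verifier, or a secret whose service is unreachable — is never reported, leaving gitleaks as the only check for it. I would add after the `--only-verified` comment: `# Verification makes outbound network calls with the candidate secret; with no connectivity nothing is reported and the hook passes. Unverifiable findings are never shown — gitleaks is the only check for those.` The `--since-commit HEAD` form mirrors the upstream pre-commit recipe, but whether it scans the staged diff rather than only commits after HEAD is not visible here; worth confirming once with a staged test credential before relying on it. As in gitleaks.sh, the missing-binary branch `exit 0`s with a stdout warning, so a machine without trufflehog passes silently.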