feat: add gitleaks and trufflehog secret scanning hooks

.pre-commit-hooks.yaml

@@ -27,11 +27,40 @@
     Detects hardcoded passwords, API keys, and secret keys in config files.
     Looks for patterns like password: "base64string..." while ignoring
     template references ($__env{}, secretRef, existingSecret).
+    NOTE: superseded by gitleaks/trufflehog for broader coverage; retained
+    for repos that cannot install system binaries.
   entry: hooks/no-hardcoded-secrets.sh
   language: script
   types: [yaml]
   stages: [pre-commit]
 
+- id: gitleaks
+  name: gitleaks (secret detection)
+  description: >
+    Scans staged changes for 150+ secret types using pattern matching:
+    API keys, tokens, passwords, connection strings, and more.
+    Per-repo config: place .gitleaks.toml in repo root to add allowlists.
+    Requires: gitleaks in PATH (brew install gitleaks).
+  entry: hooks/gitleaks.sh
+  language: script
+  always_run: true
+  pass_filenames: false
+  stages: [pre-commit]
+
+- id: trufflehog
+  name: trufflehog (verified secret detection)
+  description: >
+    Scans for secrets using entropy analysis + pattern matching, then verifies
+    them against the issuing service. Only fails on confirmed live secrets,
+    significantly reducing false positives vs pattern-only tools.
+    Complements gitleaks: use both for defense in depth.
+    Requires: trufflehog in PATH (brew install trufflehog).
+  entry: hooks/trufflehog.sh
+  language: script
+  always_run: true
+  pass_filenames: false
+  stages: [pre-commit]
+
 - id: require-signed-commits
   name: require signed commits
   description: >

hooks/gitleaks.sh

@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+# gitleaks — scan staged changes for secrets using pattern matching.
+# Catches 150+ secret types: API keys, tokens, passwords, connection strings.
+#
+# Requires: gitleaks in PATH
+#   brew install gitleaks    (macOS)
+#   apt-get install gitleaks (Debian/Ubuntu)
+#
+# Per-repo config: place .gitleaks.toml in repo root to customize rules.
+# See: https://github.com/gitleaks/gitleaks#configuration
+
+set -euo pipefail
+
+if ! command -v gitleaks &> /dev/null; then
+  echo "⚠ gitleaks not found — secret scanning skipped"
+  echo "  Install: brew install gitleaks"
+  exit 0
+fi
+
+repo_root="$(git rev-parse --show-toplevel)"
+
+# Use per-repo config if present, otherwise use gitleaks defaults
+config_args=()
+if [[ -f "$repo_root/.gitleaks.toml" ]]; then
+  config_args=(--config "$repo_root/.gitleaks.toml")
+fi
+
+if ! gitleaks protect --staged --source "$repo_root" --exit-code 1 --no-banner "${config_args[@]}" 2>&1; then
+  echo ""
+  echo "✗ gitleaks: secrets detected in staged changes"
+  echo "  Remove secrets, then re-stage the corrected files."
+  echo "  False positive? Add an allowlist entry to .gitleaks.toml"
+  echo "  To bypass (emergency only): git commit --no-verify"
+  exit 1
+fi

hooks/trufflehog.sh

@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+# trufflehog — scan for verified secrets using entropy analysis + pattern matching.
+# Uses --only-verified to suppress noise: only reports secrets that were confirmed
+# active against the issuing service (reduces false positives significantly).
+#
+# Requires: trufflehog in PATH
+#   brew install trufflehog    (macOS)
+#   See: https://github.com/trufflesecurity/trufflehog#installation
+#
+# Note: complements gitleaks (pattern-based). TruffleHog's verification step
+# catches live secrets that pattern-only tools would flag as low-confidence.
+
+set -euo pipefail
+
+if ! command -v trufflehog &> /dev/null; then
+  echo "⚠ trufflehog not found — verified secret scanning skipped"
+  echo "  Install: brew install trufflehog"
+  exit 0
+fi
+
+repo_root="$(git rev-parse --show-toplevel)"
+
+if ! trufflehog git "file://$repo_root" \
+    --since-commit HEAD \
+    --only-verified \
+    --fail \
+    --no-update \
+    2>&1; then
+  echo ""
+  echo "✗ trufflehog: verified live secrets detected"
+  echo "  Revoke these credentials immediately, then remove from code."
+  echo "  To bypass (emergency only): git commit --no-verify"
+  exit 1
+fi