Skip to content

Secret scanning#178

Open
quickweb-stack wants to merge 2 commits into
Dgetsylver:mainfrom
quickweb-stack:secret-scanning
Open

Secret scanning#178
quickweb-stack wants to merge 2 commits into
Dgetsylver:mainfrom
quickweb-stack:secret-scanning

Conversation

@quickweb-stack
Copy link
Copy Markdown

@quickweb-stack quickweb-stack commented May 29, 2026
edited
Loading

Close: #86

Summary

Here's the summary:

✅ Secret-Scanning Pre-commit (H2) — Done

Files created & committed (secret-scanning branch, a9d99fd)

File | Purpose -- | -- .gitleaks.toml | Custom ruleset extending gitleaks defaults .gitleaksignore | Fingerprint-based suppression for 2 historical findings .pre-commit-config.yaml | Wires gitleaks as a pre-commit hook (+ hygiene hooks) .github/workflows/secret-scan.yml | CI job — blocks PRs with detected secrets

Developer setup

bash
pip install pre-commit
pre-commit install          # hooks run on every git commit
pre-commit install --hook-type pre-push  # optional: also on push
## Related Issue

Closes #86

Checks

  • I read the contribution guide.
  • I kept this pull request scoped to the linked issue.
  • I ran the relevant local checks or explained why they were skipped.
  • For Drips wave issues, I claimed the issue before opening this pull request.

Notes for Reviewers

@OluRemiFour
Public bug-bounty program
33873fe
@OluRemiFour
feat: secret-scanning pre-commit with gitleaks (H2)
a9d99fd 
- .gitleaks.toml: custom ruleset extending gitleaks defaults
  - stellar-secret-key rule (would have caught D2 at author time)
  - resend-api-key and cloudflare-api-token rules
  - allowlists for known public Stellar addresses, lock files,
    snapshot fixtures, and PoC wallet addresses from bug bounty report

- .gitleaksignore: fingerprint-based suppression for 2 historical
  testnet-only false-positives in scripts/test_strategy.ts and
  scripts/deploy_strategy.ts (commit befb1e0, SCX6RZDD... key,
  confirmed testnet, zero mainnet exposure, documented in file)

- .pre-commit-config.yaml: wires gitleaks@v8.21.2 as pre-commit hook
  plus standard hygiene hooks (trailing-whitespace, check-yaml, etc.)
  Install: pip install pre-commit && pre-commit install

- .github/workflows/secret-scan.yml: CI job runs on every PR and
  push to main; blocks merge on any detected secret; posts inline PR
  annotation; prints remediation instructions on failure

Verified: gitleaks detect --config .gitleaks.toml -> no leaks found
@drips-wave
Copy link
Copy Markdown

drips-wave Bot commented May 29, 2026

@quickweb-stack Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

@quickweb-stack
Copy link
Copy Markdown
Author

quickweb-stack commented May 29, 2026

Done, Close: #178 178

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

H2: Secret-scanning pre-commit (gitleaks)

2 participants

@quickweb-stack @OluRemiFour