This document explains how secret scanning and prevention are implemented in the SoroTask repository.
We use Gitleaks for automated secret scanning to prevent accidental commits of sensitive credentials (API keys, private keys, etc.).
A dedicated GitHub Actions workflow (.github/workflows/secret-scan.yml) runs on every push and pull request. This workflow:
- Uses the official Gitleaks Action
- Scans the entire repository history
- Fails the CI if secrets are detected
- Produces detailed reports listing detected patterns
The workflow triggers on:
- All pushes to `main`, `feat/*`, and `feature/*` branches
- All pull requests to `main`, `feat/*`, and `feature/*` branches
To enable pre-commit hooks locally:
1. Install pre-commit:
   ```bash
   pip install pre-commit
   ```
2. Install the git hooks:
   ```bash
   pre-commit install
   ```
3. Verify installation:
   ```bash
   pre-commit run --all-files
   ```
The .pre-commit-config.yaml configures these checks:
- Gitleaks Detection: Scans for secret patterns before committing
- Private Key Detection: Identifies private key files
- Large Files: Prevents committing files larger than 1MB
- JSON Validation: Ensures JSON files are valid
- YAML Validation: Ensures YAML files are valid
- TOML Validation: Ensures TOML files are valid
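An example `.pre-commit-config.yaml` wiring up the six checks listed above. This is an added illustration, not the SoroTask project's own file: the `rev` values are placeholders to be pinned to real release tags, the hook ids come from the Gitleaks repository and the `pre-commit/pre-commit-hooks` collection, and the `--maxkb=1024` argument is what enforces the 1MB limit.

```yaml
# .pre-commit-config.yaml (added example, not the project's own file)
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: vX.Y.Z                       # placeholder: pin to a released Gitleaks tag
    hooks:
      - id: gitleaks                  # Gitleaks Detection

  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: vX.Y.Z                       # placeholder: pin to a released tag
    hooks:
      - id: detect-private-key        # Private Key Detection
      - id: check-added-large-files   # Large Files
        args: ['--maxkb=1024']        # 1MB limit, as described above
      - id: check-json                # JSON Validation
      - id: check-yaml                # YAML Validation
      - id: check-toml                # TOML Validation
```

Pinning `rev` to a tag rather than a branch name keeps the hook set reproducible across developer machines and CI; `pre-commit autoupdate` bumps the pins deliberately when you choose to.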
`.gitleaks.toml` is the main Gitleaks configuration file. It defines:
- Detection rules (includes default rules from Gitleaks)
- Custom rules for project-specific patterns
- Allowlist configurations for excluding false positives

Key allowlists:
- Test snapshots and fixture directories
- Documentation and README files
- Example environment files (`.env.example`, `.env.template`)
- Build artifacts and dependencies
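An example `.gitleaks.toml` showing the three parts described above (default rules, a custom rule, and allowlists), using the same `[allowlist]` shape that the false-positive handling below relies on. This is an added illustration, not the project's actual file: the `sorotask-internal-token` rule and its regex are hypothetical, and the path patterns are stand-ins for the directories listed above.

```toml
# .gitleaks.toml (added example, not the project's own file)
title = "SoroTask gitleaks configuration"

[extend]
# Keep the default ruleset shipped with Gitleaks and add to it
useDefault = true

[[rules]]
# Hypothetical project-specific pattern; replace with a real token format
id = "sorotask-internal-token"
description = "Hypothetical SoroTask internal service token"
regex = '''(?i)sorotask_[a-z]+_[0-9a-f]{32}'''
keywords = ["sorotask_"]   # cheap pre-filter before the regex runs

# Rule-level allowlist: applies only to the rule above
[rules.allowlist]
regexes = ['''sorotask_example_0{32}''']   # documented dummy value

[allowlist]
# Global allowlist: paths are regular expressions matched against the
# repository-relative path, so anchor file names with $
description = "Global allowlist shared by every rule"
paths = [
  '''tests/snapshots/''',
  '''tests/fixtures/''',
  '''docs/''',
  '''README\.md$''',
  '''\.env\.example$''',
  '''\.env\.template$''',
  '''build/''',
  '''dist/''',
  '''node_modules/''',
]
```

An over-broad path allowlist silently hides real findings, so keep it to generated or test-only trees, prefer a rule-level allowlist for one known dummy value over a global one, and re-run `gitleaks detect --source .` after each change to confirm the exclusion did only what you intended.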
`.gitleaksignore` is the file for ignoring false positives. Format options:
- `<commit_hash>:<line_number>:<rule_name>` - Ignore specific lines
- `<rule_name>` - Ignore all detections of a specific rule
`.pre-commit-config.yaml` defines all pre-commit hooks that run locally before commits.
If a legitimate value is flagged as a secret:
- Add an entry to `.gitleaksignore` to ignore the specific detection:
  ```
  abc123def456:42:potential-api-key
  ```
- Add patterns to the allowlist in `.gitleaks.toml` to exclude files or rules:
  ```toml
  [allowlist]
  paths = [
    '''path/to/false/positive''',
    '''test/fixtures''',
  ]
  ```

If it's a real secret that was accidentally committed:
- Rotate all compromised credentials immediately
- Use tools like `git-filter-branch` to remove it from history
- Force push the cleaned history
When working locally:
- Your pre-commit hooks will automatically run
- If secrets are detected, the commit will fail
- Fix the issues (remove secrets or add to allowlist)
- Try committing again
In rare cases where you need to bypass hooks:
```bash
git commit --no-verify
```

To manually test if Gitleaks is working:
```bash
# Test with gitleaks CLI (if installed)
gitleaks detect --source . --verbose

# Test pre-commit hooks
pre-commit run gitleaks --all-files
```

Never commit:
- Private/secret keys (RSA, Ed25519, etc.)
- API keys and tokens
- Database passwords
- AWS/GCP/Azure credentials
- Private cryptocurrency keys
- OAuth tokens
- SSH keys
- NPM/PyPI authentication tokens
If the secret-scan workflow fails in CI:
- Check the workflow output for the specific rules that triggered
- If it's a false positive, update `.gitleaksignore` or `.gitleaks.toml`
- Push the fix and re-run the workflow

If pre-commit hooks are not running:
- Verify installation: `pre-commit --version`
- Reinstall hooks: `pre-commit install`
- Run manually: `pre-commit run --all-files`
Edit `.gitleaks.toml` and add new rules following the Gitleaks rule documentation.