Commit 191c7dc
fix(ci): use gitleaks dir mode so pre-commit catches secrets in CI (NVIDIA#1556)
## Problem
The gitleaks pre-commit hook is silently passing in CI, even when
secrets are present. See
NVIDIA#1551, which
includes a hardcoded `WANDB_API_KEY` that gitleaks did not flag.
**Root cause:** The default gitleaks hook entry is:
```
gitleaks git --pre-commit --redact --staged --verbose
```
This scans **staged git changes** — it works during an actual `git
commit`. But in CI, `static_checks.sh` runs:
```
pre-commit run --all-files
```
With `--all-files`, there are no staged files and no commit context, so
gitleaks scans **0 commits** and reports "no leaks found":
```
7:02PM INF 0 commits scanned.
7:02PM INF scanned ~0 bytes (0) in 28.9ms
7:02PM INF no leaks found
```
## Fix
Override the hook entry to use `gitleaks dir --redact --verbose`, which
scans **file contents** directly. This works correctly both:
- Locally during `git commit` (pre-commit hook)
- In CI with `pre-commit run --all-files`
## Testing
After this change, running `pre-commit run gitleaks --all-files` on the
repo will scan actual file contents instead of scanning 0 commits.
---------
Signed-off-by: svc-bionemo <267129667+svc-bionemo@users.noreply.github.com>
Signed-off-by: Peter St. John <pstjohn@nvidia.com>
Co-authored-by: svc-bionemo <267129667+svc-bionemo@users.noreply.github.com>
Co-authored-by: Peter St. John <pstjohn@nvidia.com>

1 parent 8593a34 commit 191c7dc
1 file changed
Lines changed: 9 additions & 0 deletions
| Original file line | Diff file line | Change |
|---|---|---|
| 44-46 | 44-46 | unchanged context |
| | 47-55 | `+` (9 added lines; line contents not captured on this page) |
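The override the commit message describes, written out as a `.pre-commit-config.yaml` fragment. This is an added example, not the commit's own diff (whose line contents are not shown above) and not NVIDIA project code; the `rev` value is a placeholder, and the hook id `gitleaks` is the one the upstream gitleaks repository defines in its `.pre-commit-hooks.yaml`.

```yaml
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: vX.Y.Z  # placeholder: pin to a gitleaks release that provides the `dir` subcommand
    hooks:
      - id: gitleaks
        # Upstream default entry is
        #   gitleaks git --pre-commit --redact --staged --verbose
        # which only inspects staged changes; under `pre-commit run --all-files`
        # nothing is staged, so it scans 0 commits and reports "no leaks found".
        # `dir` scans the file contents of the working tree instead, so the hook
        # behaves the same in a local `git commit` and in CI.
        entry: gitleaks dir --redact --verbose
```

Two things worth knowing when applying this. First, the upstream hook definition (as I read it) sets `pass_filenames: false`, so pre-commit does not append file names to the entry and `gitleaks dir` scans the current directory; if your own hook definition passes filenames, check that `dir` receives the path you expect. Second, to confirm the fix actually took effect, run `pre-commit run gitleaks --all-files` with `--verbose` kept in the entry and check that the log no longer reports `0 commits scanned` and `scanned ~0 bytes`; a "no leaks found" line on its own is exactly the silent pass this commit is fixing.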