fix(ci): use gitleaks dir mode so pre-commit catches secrets in CI

svc-bionemo · svc-bionemo · commit bc61b0ed7b21 · 2026-04-20T12:06:29.000-07:00
The default gitleaks pre-commit hook entry uses `gitleaks git --pre-commit
--staged`, which scans staged git changes. In CI, `pre-commit run
--all-files` has no staged files, so gitleaks scans 0 commits and always
passes — even when secrets are present in the codebase.

Switch to `gitleaks dir --redact --verbose` which scans actual file
contents. This works correctly both during local `git commit` hooks and
in CI with `--all-files`.

Signed-off-by: svc-bionemo &lt;267129667+svc-bionemo@users.noreply.github.com&gt;
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -44,3 +44,8 @@ repos:
     rev: v8.24.2
     hooks:
       - id: gitleaks
+        # Override default entry: `gitleaks git --pre-commit --staged` only
+        # scans staged commits, which is a no-op in CI (`pre-commit run
+        # --all-files`).  `gitleaks dir` scans file contents directly, so it
+        # catches secrets both locally and in CI.
+        entry: gitleaks dir --redact --verbose
