From 3a561f1bf071a326b6c1a336e60b72f783a8fb9d Mon Sep 17 00:00:00 2001
From: Sebastian Estrella <2049686+sestrella@users.noreply.github.com>
Date: Fri, 17 Oct 2025 17:21:42 -0500
Subject: [PATCH 1/7] feat: Add gitleaks hook
---
 modules/hooks.nix | 8 ++
 nix/tools.nix | 220 +++++++++++++++++++++++-----------------------
 2 files changed, 119 insertions(+), 109 deletions(-)
diff --git a/modules/hooks.nix b/modules/hooks.nix
index 80801675..275c8aed 100644
--- a/modules/hooks.nix
+++ b/modules/hooks.nix
@@ -3041,6 +3041,14 @@ lib.escapeShellArgs (lib.concatMap (ext: [ "--ghc-opt" "-X${ext}" ]) hooks.fourm
 package = tools.fprettify;
 entry = "${hooks.fprettify.package}/bin/fprettify";
 };
+ gitleaks = {
+ name = "gitleaks";
+ description = "Find secrets with Gitleaks";
+ entry = lib.getExe tools.gitleaks;
+ args = [ "git" ];
+ always_run = true;
+ stages = [ "post-commit" ];
+ };
 gitlint = {
 name = "gitlint";
 description = "Linting for your git commit messages";
diff --git a/nix/tools.nix b/nix/tools.nix
index 5c0fb1f1..e97472ae 100644
--- a/nix/tools.nix
+++ b/nix/tools.nix
@@ -1,112 +1,113 @@
-{ stdenv
-, lib
-, placeholder
-, actionlint
-, action-validator
-, alejandra
-, ansible-lint
-, biome
-, cabal2nix
-, callPackage
-, cargo
-, chart-testing
-, checkmake
-, circleci-cli
-, llvmPackages_latest
-, clippy
-, cljfmt
-, cmake-format
-, commitizen
-, comrak
-, conform
-, convco
-, crystal
-, cue
-, dart
-, deadnix
-, deno
-, dhall
-, dune_3
-, eclint
-, editorconfig-checker
-, elixir
-, elmPackages
-, flake-checker ? placeholder "flake-checker"
-, fprettify
-, git-annex
-, gitlint
-, gptcommit ? placeholder "gptcommit"
-, hadolint
-, haskell
-, haskellPackages
-, hledger-fmt ? placeholder "hledger-fmt"
-, hlint
-, hpack
-, html-tidy
-, keep-sorted
-, luaPackages
-, lua-language-server
-, lychee
-, julia-bin
-, mdformat
-, mdl
-, mdsh
-, nbstripout
-, nil
-, nixf-diagnose
-, nixfmt
-, nixfmt-classic ? placeholder "nixfmt-classic"
-, nixfmt-rfc-style ? placeholder "nixfmt-rfc-style"
-, nixpkgs-fmt
-, nodePackages
-, ocamlPackages
-, opam
-, opentofu
-, ormolu
-, pkgsBuildBuild
-, poetry
-, pre-commit-hook-ensure-sops ? placeholder "pre-commit-hook-ensure-sops"
-, proselint
-, python3Packages
-, pyright ? nodePackages.pyright
-, phpPackages
-, ripsecrets ? placeholder "ripsecrets"
-, regal
-, reuse
-, ruff ? placeholder "ruff"
-, rumdl ? placeholder "rumdl"
-, rustfmt
-, selene
-, shellcheck
-, bats
-, shfmt
-, beautysh
-, statix
-, stylish-haskell
-, stylua
-, tagref
-, taplo
-, texlive
-, # Added in nixpkgs on Dec 2, 2022
- topiary ? placeholder "topiary"
-, treefmt
-, trufflehog
-, typos
-, # Added in nixpkgs in commit 800ca60
- typstyle ? placeholder "typstyle"
-, woodpecker-cli
-, zprint
-, yamlfmt
-, yamllint
-, go
-, go-tools
-, golangci-lint
-, golines
-, revive ? placeholder "revive"
-, uv
-, vale
-, zizmor
-,
+{
+ stdenv,
+ lib,
+ placeholder,
+ actionlint,
+ action-validator,
+ alejandra,
+ ansible-lint,
+ biome,
+ cabal2nix,
+ callPackage,
+ cargo,
+ chart-testing,
+ checkmake,
+ circleci-cli,
+ llvmPackages_latest,
+ clippy,
+ cljfmt,
+ cmake-format,
+ commitizen,
+ comrak,
+ conform,
+ convco,
+ crystal,
+ cue,
+ dart,
+ deadnix,
+ deno,
+ dhall,
+ dune_3,
+ eclint,
+ editorconfig-checker,
+ elixir,
+ elmPackages,
+ flake-checker ? placeholder "flake-checker",
+ fprettify,
+ git-annex,
+ gitleaks,
+ gitlint,
+ gptcommit ? placeholder "gptcommit",
+ hadolint,
+ haskell,
+ haskellPackages,
+ hledger-fmt ? placeholder "hledger-fmt",
+ hlint,
+ hpack,
+ html-tidy,
+ keep-sorted,
+ luaPackages,
+ lua-language-server,
+ lychee,
+ julia-bin,
+ mdformat,
+ mdl,
+ mdsh,
+ nbstripout,
+ nil,
+ nixf-diagnose,
+ nixfmt,
+ nixfmt-classic ? placeholder "nixfmt-classic",
+ nixfmt-rfc-style ? placeholder "nixfmt-rfc-style",
+ nixpkgs-fmt,
+ nodePackages,
+ ocamlPackages,
+ opam,
+ opentofu,
+ ormolu,
+ pkgsBuildBuild,
+ poetry,
+ pre-commit-hook-ensure-sops ? placeholder "pre-commit-hook-ensure-sops",
+ proselint,
+ python3Packages,
+ pyright ? nodePackages.pyright,
+ phpPackages,
+ ripsecrets ? placeholder "ripsecrets",
+ regal,
+ reuse,
+ ruff ? placeholder "ruff",
+ rumdl ? placeholder "rumdl",
+ rustfmt,
+ selene,
+ shellcheck,
+ bats,
+ shfmt,
+ beautysh,
+ statix,
+ stylish-haskell,
+ stylua,
+ tagref,
+ taplo,
+ texlive,
+ # Added in nixpkgs on Dec 2, 2022
+ topiary ? placeholder "topiary",
+ treefmt,
+ trufflehog,
+ typos,
+ # Added in nixpkgs in commit 800ca60
+ typstyle ? placeholder "typstyle",
+ woodpecker-cli,
+ zprint,
+ yamlfmt,
+ yamllint,
+ go,
+ go-tools,
+ golangci-lint,
+ golines,
+ revive ? placeholder "revive",
+ uv,
+ vale,
+ zizmor,
 }:
 let
@@ -146,6 +147,7 @@ in
 flake-checker
 fprettify
 git-annex
+ gitleaks
 gitlint
 go
 go-tools
From 06eb674b6faaf5cecce0e622c7841f9d3f972dfa Mon Sep 17 00:00:00 2001
From: Sebastian Estrella <2049686+sestrella@users.noreply.github.com>
Date: Fri, 17 Oct 2025 17:23:09 -0500
Subject: [PATCH 2/7] docs: Add reference to gitleaks
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index 8abb7b6d..2cbb5990 100644
--- a/README.md
+++ b/README.md
@@ -387,6 +387,7 @@ hooks](modules/pre-commit.nix).
 - [commitizen](https://github.com/commitizen-tools/commitizen)
 - [convco](https://github.com/convco/convco)
 - [forbid-new-submodules](https://github.com/pre-commit/pre-commit-hooks/blob/main/pre_commit_hooks/forbid_new_submodules.py)
+- [gitleaks](https://github.com/gitleaks/gitleaks)
 - [gitlint](https://github.com/jorisroovers/gitlint)
 - [gptcommit](https://github.com/zurawiki/gptcommit)
 - [no-commit-to-branch](https://github.com/pre-commit/pre-commit-hooks/blob/main/pre_commit_hooks/no_commit_to_branch.py)
From e986f7a3b11223d33e097195616b86e56933ee2d Mon Sep 17 00:00:00 2001
From: Sebastian Estrella <2049686+sestrella@users.noreply.github.com>
Date: Fri, 17 Oct 2025 17:24:30 -0500
Subject: [PATCH 3/7] Add `-v` to args
---
 modules/hooks.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/hooks.nix b/modules/hooks.nix
index 275c8aed..44be3468 100644
--- a/modules/hooks.nix
+++ b/modules/hooks.nix
@@ -3045,7 +3045,7 @@ lib.escapeShellArgs (lib.concatMap (ext: [ "--ghc-opt" "-X${ext}" ]) hooks.fourm
 name = "gitleaks";
 description = "Find secrets with Gitleaks";
 entry = lib.getExe tools.gitleaks;
- args = [ "git" ];
+ args = [ "git" "-v" ];
 always_run = true;
 stages = [ "post-commit" ];
 };
From b6ebc087e909a32064afa3c325b7220e9cc1686d Mon Sep 17 00:00:00 2001
From: Sebastian Estrella <2049686+sestrella@users.noreply.github.com>
Date: Fri, 6 Mar 2026 21:12:58 -0500
Subject: [PATCH 4/7] feat: Update hook based on gitleaks pre-commit example
---
 modules/hooks.nix | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/modules/hooks.nix b/modules/hooks.nix
index 44be3468..5be426f1 100644
--- a/modules/hooks.nix
+++ b/modules/hooks.nix
@@ -3043,11 +3043,9 @@ lib.escapeShellArgs (lib.concatMap (ext: [ "--ghc-opt" "-X${ext}" ]) hooks.fourm
 };
 gitleaks = {
 name = "gitleaks";
- description = "Find secrets with Gitleaks";
- entry = lib.getExe tools.gitleaks;
- args = [ "git" "-v" ];
- always_run = true;
- stages = [ "post-commit" ];
+ description = "Detect hardcoded secrets using Gitleaks";
+ package = tools.gitleaks;
+ args = [ "git" "--pre-commit" "--redact" "--staged" "--verbose" ];
 };
 gitlint = {
 name = "gitlint";
From 517efee92c6c9bc1eaf42d399abd11c270bb50f8 Mon Sep 17 00:00:00 2001
From: Sebastian Estrella <2049686+sestrella@users.noreply.github.com>
Date: Fri, 6 Mar 2026 21:17:53 -0500
Subject: [PATCH 5/7] Fix nix/tools.nix format
---
 nix/tools.nix | 220 +++++++++++++++++++++++++-------------------------
 1 file changed, 110 insertions(+), 110 deletions(-)
diff --git a/nix/tools.nix b/nix/tools.nix
index e97472ae..9278b7d7 100644
--- a/nix/tools.nix
+++ b/nix/tools.nix
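Review bot: The new side removes `entry = lib.getExe tools.gitleaks;` and adds only `package = tools.gitleaks;`, so at this commit the gitleaks hook has no `entry` at all until patch 6/7 ("Add missing entry") restores it; squashing patches 4, 6 and 7 into one commit would keep every step of the series evaluable and bisectable. The args line also deserves a why-comment so the flag pairing is not trimmed later, e.g. `# --redact keeps matched secret values out of the --verbose output; --staged scans only what this commit would add, not existing history`. The `gitleaks` attribute set is complete within the hunk; the enclosing `hooks` set starts and ends outside it.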
@@ -1,113 +1,113 @@
-{
- stdenv,
- lib,
- placeholder,
- actionlint,
- action-validator,
- alejandra,
- ansible-lint,
- biome,
- cabal2nix,
- callPackage,
- cargo,
- chart-testing,
- checkmake,
- circleci-cli,
- llvmPackages_latest,
- clippy,
- cljfmt,
- cmake-format,
- commitizen,
- comrak,
- conform,
- convco,
- crystal,
- cue,
- dart,
- deadnix,
- deno,
- dhall,
- dune_3,
- eclint,
- editorconfig-checker,
- elixir,
- elmPackages,
- flake-checker ? placeholder "flake-checker",
- fprettify,
- git-annex,
- gitleaks,
- gitlint,
- gptcommit ? placeholder "gptcommit",
- hadolint,
- haskell,
- haskellPackages,
- hledger-fmt ? placeholder "hledger-fmt",
- hlint,
- hpack,
- html-tidy,
- keep-sorted,
- luaPackages,
- lua-language-server,
- lychee,
- julia-bin,
- mdformat,
- mdl,
- mdsh,
- nbstripout,
- nil,
- nixf-diagnose,
- nixfmt,
- nixfmt-classic ? placeholder "nixfmt-classic",
- nixfmt-rfc-style ? placeholder "nixfmt-rfc-style",
- nixpkgs-fmt,
- nodePackages,
- ocamlPackages,
- opam,
- opentofu,
- ormolu,
- pkgsBuildBuild,
- poetry,
- pre-commit-hook-ensure-sops ? placeholder "pre-commit-hook-ensure-sops",
- proselint,
- python3Packages,
- pyright ? nodePackages.pyright,
- phpPackages,
- ripsecrets ? placeholder "ripsecrets",
- regal,
- reuse,
- ruff ? placeholder "ruff",
- rumdl ? placeholder "rumdl",
- rustfmt,
- selene,
- shellcheck,
- bats,
- shfmt,
- beautysh,
- statix,
- stylish-haskell,
- stylua,
- tagref,
- taplo,
- texlive,
- # Added in nixpkgs on Dec 2, 2022
- topiary ? placeholder "topiary",
- treefmt,
- trufflehog,
- typos,
- # Added in nixpkgs in commit 800ca60
- typstyle ? placeholder "typstyle",
- woodpecker-cli,
- zprint,
- yamlfmt,
- yamllint,
- go,
- go-tools,
- golangci-lint,
- golines,
- revive ? placeholder "revive",
- uv,
- vale,
- zizmor,
+{ stdenv
+, lib
+, placeholder
+, actionlint
+, action-validator
+, alejandra
+, ansible-lint
+, biome
+, cabal2nix
+, callPackage
+, cargo
+, chart-testing
+, checkmake
+, circleci-cli
+, llvmPackages_latest
+, clippy
+, cljfmt
+, cmake-format
+, commitizen
+, comrak
+, conform
+, convco
+, crystal
+, cue
+, dart
+, deadnix
+, deno
+, dhall
+, dune_3
+, eclint
+, editorconfig-checker
+, elixir
+, elmPackages
+, flake-checker ? placeholder "flake-checker"
+, fprettify
+, git-annex
+, gitleaks
+, gitlint
+, gptcommit ? placeholder "gptcommit"
+, hadolint
+, haskell
+, haskellPackages
+, hledger-fmt ? placeholder "hledger-fmt"
+, hlint
+, hpack
+, html-tidy
+, keep-sorted
+, luaPackages
+, lua-language-server
+, lychee
+, julia-bin
+, mdformat
+, mdl
+, mdsh
+, nbstripout
+, nil
+, nixf-diagnose
+, nixfmt
+, nixfmt-classic ? placeholder "nixfmt-classic"
+, nixfmt-rfc-style ? placeholder "nixfmt-rfc-style"
+, nixpkgs-fmt
+, nodePackages
+, ocamlPackages
+, opam
+, opentofu
+, ormolu
+, pkgsBuildBuild
+, poetry
+, pre-commit-hook-ensure-sops ? placeholder "pre-commit-hook-ensure-sops"
+, proselint
+, python3Packages
+, pyright ? nodePackages.pyright
+, phpPackages
+, ripsecrets ? placeholder "ripsecrets"
+, regal
+, reuse
+, ruff ? placeholder "ruff"
+, rumdl ? placeholder "rumdl"
+, rustfmt
+, selene
+, shellcheck
+, bats
+, shfmt
+, beautysh
+, statix
+, stylish-haskell
+, stylua
+, tagref
+, taplo
+, texlive
+, # Added in nixpkgs on Dec 2, 2022
+ topiary ? placeholder "topiary"
+, treefmt
+, trufflehog
+, typos
+, # Added in nixpkgs in commit 800ca60
+ typstyle ? placeholder "typstyle"
+, woodpecker-cli
+, zprint
+, yamlfmt
+, yamllint
+, go
+, go-tools
+, golangci-lint
+, golines
+, revive ? placeholder "revive"
+, uv
+, vale
+, zizmor
+,
 }:
 let
From 607e1377ed959de9ce81360f62d349edbd033363 Mon Sep 17 00:00:00 2001
From: Sebastian Estrella <2049686+sestrella@users.noreply.github.com>
Date: Fri, 6 Mar 2026 21:23:08 -0500
Subject: [PATCH 6/7] Add missing entry
---
 modules/hooks.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/modules/hooks.nix b/modules/hooks.nix
index 5be426f1..7ab4ee7e 100644
--- a/modules/hooks.nix
+++ b/modules/hooks.nix
@@ -3044,6 +3044,7 @@ lib.escapeShellArgs (lib.concatMap (ext: [ "--ghc-opt" "-X${ext}" ]) hooks.fourm
 gitleaks = {
 name = "gitleaks";
 description = "Detect hardcoded secrets using Gitleaks";
+ entry = lib.getExe hooks.gitleaks.package;
 package = tools.gitleaks;
 args = [ "git" "--pre-commit" "--redact" "--staged" "--verbose" ];
 };
From 082984b9afe1010ebdf00c739af502084b67c012 Mon Sep 17 00:00:00 2001
From: Sebastian Estrella <2049686+sestrella@users.noreply.github.com>
Date: Fri, 6 Mar 2026 21:35:25 -0500
Subject: [PATCH 7/7] Add pass_filenames
---
 modules/hooks.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/modules/hooks.nix b/modules/hooks.nix
index 7ab4ee7e..1d85b7eb 100644
--- a/modules/hooks.nix
+++ b/modules/hooks.nix
@@ -3047,6 +3047,7 @@ lib.escapeShellArgs (lib.concatMap (ext: [ "--ghc-opt" "-X${ext}" ]) hooks.fourm
 entry = lib.getExe hooks.gitleaks.package;
 package = tools.gitleaks;
 args = [ "git" "--pre-commit" "--redact" "--staged" "--verbose" ];
+ pass_filenames = false;
 };
 gitlint = {
 name = "gitlint";
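Review bot: `entry = lib.getExe hooks.gitleaks.package;` differs in style from the neighbouring hooks in this file, which spell the binary out as `"${hooks.<name>.package}/bin/<name>"` (see the fprettify entry in the context of the first patch). `lib.getExe` resolves the executable through the package's `meta.mainProgram` and, as far as I recall, falls back to the package name with an evaluation warning when that attribute is absent, so either confirm the nixpkgs gitleaks derivation declares it or use `"${hooks.gitleaks.package}/bin/gitleaks"` for consistency with the rest of the file. The enclosing `hooks` set starts and ends outside the hunk.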
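Review bot: `pass_filenames = false;` is the right setting for a hook whose scan scope is already fixed by `--staged`, but the reason is not visible in the code and a later edit could re-enable filename passing and change what gets scanned; add `# gitleaks git takes an optional repository path, not a file list, so staged filenames must not be appended` above it. With filenames no longer passed, the hook's own file filters (if any are configured) presumably only decide whether gitleaks runs at all, not which changes it inspects — worth a sentence in the `description` if that reading is right. The enclosing `hooks` set starts and ends outside the hunk.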